dcrat | 71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9b

Analysis

max time kernel
120s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Size

1.5MB
MD5

342d9786a05ca3ac788611225021e670
SHA1

b0af40b9312f3dfd98bbb8c3b7fe70df606187c3
SHA256

71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9b
SHA512

622b9ae8acad10b431c4637432d4ae9f6647453efc5ea4cab9563bda9b0c3dd804260a21e339fea199d19b0a738cf9325f1f3d0ab323c78c347e0fe20e4f3399
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 18 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2728	schtasks.exe
		1896	schtasks.exe
		2908	schtasks.exe
		2320	schtasks.exe
		2208	schtasks.exe
		792	schtasks.exe
		912	schtasks.exe
		2988	schtasks.exe
		380	schtasks.exe
		2668	schtasks.exe
		2364	schtasks.exe
		2084	schtasks.exe
		1616	schtasks.exe
		2524	schtasks.exe
		2292	schtasks.exe
		2240	schtasks.exe
		1492	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\twain_32\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\Windows\\System32\\usercpl\\winlogon.exe\", \"C:\\Windows\\PolicyDefinitions\\fr-FR\\sppsvc.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\twain_32\\audiodg.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\twain_32\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\Windows\\System32\\usercpl\\winlogon.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\twain_32\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\Windows\\System32\\usercpl\\winlogon.exe\", \"C:\\Windows\\PolicyDefinitions\\fr-FR\\sppsvc.exe\", \"C:\\Windows\\System32\\comctl32\\taskhost.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\", \"C:\\Windows\\DigitalLocker\\csrss.exe\", \"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\", \"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\", \"C:\\Windows\\System32\\normnfd\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\twain_32\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Windows\\System32\\bthprops\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Documents and Settings\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Process spawned unexpected child process 17 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2620	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
2948	powershell.exe
3016	powershell.exe
2348	powershell.exe
2876	powershell.exe
2724	powershell.exe
2760	powershell.exe
2764	powershell.exe
1608	powershell.exe
1060	powershell.exe
1328	powershell.exe
2960	powershell.exe
3048	powershell.exe
1420	powershell.exe
2944	powershell.exe
2752	powershell.exe
2856	powershell.exe
2772	powershell.exe
2616	powershell.exe
2840	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Executes dropped EXE 10 IoCs

pid	Process
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1668	smss.exe
2592	smss.exe
2552	smss.exe
2492	smss.exe
1992	smss.exe
1944	smss.exe
2632	smss.exe
2340	smss.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\PolicyDefinitions\\fr-FR\\sppsvc.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\bthprops\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\DigitalLocker\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\normnfd\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\comctl32\\taskhost.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\comctl32\\taskhost.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\bthprops\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\twain_32\\audiodg.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\usercpl\\winlogon.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\PolicyDefinitions\\fr-FR\\sppsvc.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\DigitalLocker\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\VaultSysUi\\csrss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\IEAdvpack\\dwm.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\normnfd\\smss.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\twain_32\\audiodg.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\dvdupgrd\\dllhost.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\usercpl\\winlogon.exe\""	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\System32\bthprops\886983d96e3d3e	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\IEAdvpack\6cb0b6c459d5d3	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\normnfd\69ddcba757bf72	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\usercpl\winlogon.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\VaultSysUi\csrss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\usercpl\winlogon.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\usercpl\cc11b995f2a76d	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\comctl32\taskhost.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\dvdupgrd\5940a34987c991	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\bthprops\RCX6D55.tmp	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\bthprops\csrss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\IEAdvpack\dwm.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\dvdupgrd\RCX763F.tmp	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\VaultSysUi\csrss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\normnfd\smss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\comctl32\taskhost.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\IEAdvpack\dwm.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\normnfd\smss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\comctl32\b75386f1303e64	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\bthprops\csrss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\dvdupgrd\dllhost.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\System32\dvdupgrd\dllhost.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\System32\VaultSysUi\886983d96e3d3e	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\1610b97d3ab4a7	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\RCX71CA.tmp	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\csrss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\Speech\Common\de-DE\winlogon.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\twain_32\audiodg.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File opened for modification	C:\Windows\DigitalLocker\csrss.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\DigitalLocker\886983d96e3d3e	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\twain_32\audiodg.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\twain_32\42af1c969fbb7b	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\0a1fd5f707cd16	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2084	schtasks.exe
2292	schtasks.exe
912	schtasks.exe
1896	schtasks.exe
380	schtasks.exe
792	schtasks.exe
1492	schtasks.exe
1616	schtasks.exe
2524	schtasks.exe
2668	schtasks.exe
2728	schtasks.exe
2320	schtasks.exe
2988	schtasks.exe
2208	schtasks.exe
2908	schtasks.exe
2240	schtasks.exe
2364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
3016	powershell.exe
2348	powershell.exe
2948	powershell.exe
2944	powershell.exe
2960	powershell.exe
2772	powershell.exe
2876	powershell.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
2856	powershell.exe
2604	powershell.exe
2724	powershell.exe
2760	powershell.exe
2752	powershell.exe
2616	powershell.exe
3048	powershell.exe
2764	powershell.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1668	smss.exe
Token: SeDebugPrivilege	2592	smss.exe
Token: SeDebugPrivilege	2552	smss.exe
Token: SeDebugPrivilege	2492	smss.exe
Token: SeDebugPrivilege	1992	smss.exe
Token: SeDebugPrivilege	1944	smss.exe
Token: SeDebugPrivilege	2632	smss.exe
Token: SeDebugPrivilege	2340	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2772	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	37
PID 2884 wrote to memory of 2772	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	37
PID 2884 wrote to memory of 2772	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	37
PID 2884 wrote to memory of 2944	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	38
PID 2884 wrote to memory of 2944	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	38
PID 2884 wrote to memory of 2944	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	38
PID 2884 wrote to memory of 2948	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	39
PID 2884 wrote to memory of 2948	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	39
PID 2884 wrote to memory of 2948	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	39
PID 2884 wrote to memory of 2960	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	40
PID 2884 wrote to memory of 2960	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	40
PID 2884 wrote to memory of 2960	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	40
PID 2884 wrote to memory of 3016	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	42
PID 2884 wrote to memory of 3016	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	42
PID 2884 wrote to memory of 3016	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	42
PID 2884 wrote to memory of 2876	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	43
PID 2884 wrote to memory of 2876	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	43
PID 2884 wrote to memory of 2876	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	43
PID 2884 wrote to memory of 2348	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	45
PID 2884 wrote to memory of 2348	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	45
PID 2884 wrote to memory of 2348	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	45
PID 2884 wrote to memory of 2032	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	51
PID 2884 wrote to memory of 2032	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	51
PID 2884 wrote to memory of 2032	2884	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	51
PID 2032 wrote to memory of 2724	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	59
PID 2032 wrote to memory of 2724	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	59
PID 2032 wrote to memory of 2724	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	59
PID 2032 wrote to memory of 2760	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	60
PID 2032 wrote to memory of 2760	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	60
PID 2032 wrote to memory of 2760	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	60
PID 2032 wrote to memory of 2752	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	61
PID 2032 wrote to memory of 2752	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	61
PID 2032 wrote to memory of 2752	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	61
PID 2032 wrote to memory of 2764	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	63
PID 2032 wrote to memory of 2764	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	63
PID 2032 wrote to memory of 2764	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	63
PID 2032 wrote to memory of 2856	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	64
PID 2032 wrote to memory of 2856	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	64
PID 2032 wrote to memory of 2856	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	64
PID 2032 wrote to memory of 3048	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	65
PID 2032 wrote to memory of 3048	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	65
PID 2032 wrote to memory of 3048	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	65
PID 2032 wrote to memory of 2616	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	66
PID 2032 wrote to memory of 2616	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	66
PID 2032 wrote to memory of 2616	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	66
PID 2032 wrote to memory of 2604	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	67
PID 2032 wrote to memory of 2604	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	67
PID 2032 wrote to memory of 2604	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	67
PID 2032 wrote to memory of 1496	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	75
PID 2032 wrote to memory of 1496	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	75
PID 2032 wrote to memory of 1496	2032	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	75
PID 1496 wrote to memory of 2172	1496	cmd.exe	77
PID 1496 wrote to memory of 2172	1496	cmd.exe	77
PID 1496 wrote to memory of 2172	1496	cmd.exe	77
PID 1496 wrote to memory of 1388	1496	cmd.exe	78
PID 1496 wrote to memory of 1388	1496	cmd.exe	78
PID 1496 wrote to memory of 1388	1496	cmd.exe	78
PID 1388 wrote to memory of 2840	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	83
PID 1388 wrote to memory of 2840	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	83
PID 1388 wrote to memory of 2840	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	83
PID 1388 wrote to memory of 1608	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	84
PID 1388 wrote to memory of 1608	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	84
PID 1388 wrote to memory of 1608	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	84
PID 1388 wrote to memory of 1060	1388	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe	85

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
"C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\bthprops\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dvdupgrd\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
  "C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\VaultSysUi\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\IEAdvpack\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\normnfd\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\audiodg.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjTDQNnF5X.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe
      "C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\usercpl\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\comctl32\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mG9Lse2gDd.bat"
        5⤵
        
        PID:2380
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2612
      - C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\486b6a55-496b-4b5b-ad64-bb2d0695beae.vbs"
        7⤵
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02a1d7d9-7612-4acf-a228-3b477bf8bb2f.vbs"
        9⤵
        
        PID:1108
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c1d611b-028d-415b-a1b9-5c2b495e40b6.vbs"
        11⤵
        
        PID:288
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d4a4f7e-982f-448e-bb12-3f4b9f816f90.vbs"
        13⤵
        
        PID:1444
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f3a611-5c5a-4727-aa0a-4a85a43c682a.vbs"
        15⤵
        
        PID:592
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fdc72ca-4802-46b9-8397-e95e34209156.vbs"
        17⤵
        
        PID:2188
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ac49341-b55c-4492-ac8e-f5d63e69008b.vbs"
        19⤵
        
        PID:1528
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4be85ab-e0fc-488e-a565-a51b5dc7fcc7.vbs"
        21⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4292d24-411e-40f8-8f98-2ef9213e0fd9.vbs"
        21⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67f6b136-a9dc-4455-888b-984026dd7a0f.vbs"
        19⤵
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85a4532f-3510-40fe-a3ef-7980c8beb766.vbs"
        17⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1fc56e3-eab0-4556-826b-bd37bcdb2b04.vbs"
        15⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b9f90e-0cba-4065-a22d-efdffaa76c51.vbs"
        13⤵
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a5dfeee-275a-4a39-86cd-4f59d8b97dc8.vbs"
        11⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\895fdae4-67ec-4a69-a73d-707a67910df9.vbs"
        9⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d47b3599-bcd3-4582-accb-388c8abfa3df.vbs"
        7⤵
        
        PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\bthprops\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\dvdupgrd\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\VaultSysUi\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\IEAdvpack\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9bN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\normnfd\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\usercpl\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\comctl32\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\56085415360792

Filesize
83B

MD5
d4945dbf69d372c2c7a0e945e83475b7

SHA1
e8d58de59b0cc62bd4d4c931da5581ca85ab6a51

SHA256
ed15c16052103b4381eee5ef4a907872b12f0bcb0b1bb30acbdce551f93eb430

SHA512
5a07879ddcefb469bc6d942f9d4303e547ca42b892770f1bd4616fff4f6d4698afb4fbe3c90d649c0b8b19b911b8f21cc75a78a1b3acde07b9eadd1ba54f1a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\02a1d7d9-7612-4acf-a228-3b477bf8bb2f.vbs

Filesize
732B

MD5
fa9533804ec34d75f8df3cdf4caff9df

SHA1
5fcf1ce807f7c22df388c213b75ac3eb0b5605b9

SHA256
b08ef38f5a0c3770514ba55f21ae8f1a72c2a4935231d13106a7b086bed6b235

SHA512
c847ea845ab6ef77d7caa1526f24e43f23a5fbf50664d0b7f026ab6417947eccb10b10962416fafd99b8af765ea23648a11bc3f9702a750dd3bc764ff2f0720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37f3a611-5c5a-4727-aa0a-4a85a43c682a.vbs

Filesize
732B

MD5
2fd10e0617bc5359810fcbd047be7e1f

SHA1
bfc262c2b8d10ec778eb146ec386b659bebd75f3

SHA256
bc1b7ad04cb7d2ec644295156fbebfced20fc977f6dd3077f04351bf581313f9

SHA512
8d044101ad8e850286f4f766b1b59a928708e85486b7b70d04b5d67f61c150e534121fa4083b627800a04c1ec260ec6a9f53fee683802d4456f40b26ef2d2b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac49341-b55c-4492-ac8e-f5d63e69008b.vbs

Filesize
732B

MD5
c6a6a02bc3ffeca9ad35c7105be9ad21

SHA1
578997443b6b9d49945ea16d0e5813665b6bd051

SHA256
8a2e6f07049604655d855625179749fe6f450430991b02c623fc2345326d0027

SHA512
cadbbe2500778ba48329fff25c6b154cbb8d5efb6870bbc566e76d938707944229dc0ccb98ca5d05a77e3904dc241a2dbfc13e49a2a3f444aa6bb43b5f6d237e

Download Submit
C:\Users\Admin\AppData\Local\Temp\486b6a55-496b-4b5b-ad64-bb2d0695beae.vbs

Filesize
732B

MD5
c6c6f5466929059c84c1ec14053a1c1c

SHA1
2a79e5375c99175923cf74bd4cf3f57758d5f7a7

SHA256
3deffae6b4e63025dd85d7ac6b8cac551a35a816eb7e61afc15f8be901af8b70

SHA512
c76d514f2e072d2d35a948d758767d540cf2a30168c776e786c4dc11c47a3c9b16a968c7615a1f6e1d36ea1237638b34ce32e0dce342842e14a3126ebc896723

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d4a4f7e-982f-448e-bb12-3f4b9f816f90.vbs

Filesize
732B

MD5
c0146a21aeaea162ba72b18924863eb5

SHA1
8284bfc78c4cb799520cb5589ee7693b42acbcbf

SHA256
8eb88214b907ac1becfb63f64f7cfb7f11e5f3191017cbdd940e026d124f40d3

SHA512
350719d929e36bd463c8cbd9b86ec7418620ddc3ab5bdc55d16b47449d5ec4142e4018b938c28370b43a432c46ccbab38e9bd0938cbb3ddb65f65b681bba016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fdc72ca-4802-46b9-8397-e95e34209156.vbs

Filesize
732B

MD5
517d1ebe5009c4bb033610b08770586f

SHA1
a9ac581f8e6177ff6a917cf20b45168055324be9

SHA256
9ef5f15890c1e85bc62d99b03858bc66b185dcccffb76a061fd3fe10a743abc8

SHA512
ed8ad55b5cdc552dede48e742283f671f5ec6486597afa02d02cb0b60fcc9d91fa039ef7ee8ea52ddc65a21d69077b79d2836a2c1ff018b64086f184d935be28

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c1d611b-028d-415b-a1b9-5c2b495e40b6.vbs

Filesize
732B

MD5
aa09cbfd243857a522e539792d16a768

SHA1
2755486bd64b3f0be6be80672727929f9d95a1e9

SHA256
7b80524366cff73fd99b89694ede6f0c789d77f2a83b1565670e53c0930640d6

SHA512
ee8fafde3ae6c1b1fea1fa23f62a3f1f483a5b1800fc07f10f87b5716f16dc3e7b1cd0bef0839a3f0e76c2dbafa00958ae38c0071a341d7b0fcb650c4761a0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjTDQNnF5X.bat

Filesize
267B

MD5
755b24913629f4072dcf1dd6b1fc373f

SHA1
bd8dd0cc936479957136c7018c646d224a35c848

SHA256
fbacd720ea21e96626d9069de5025659293d8fddb0a4786292560fb3e17edf22

SHA512
a760a362b3f278a76eca42e79818f6037109d0d7ae9d2e26501035010ccc4759474169d5d18caeec2fef48ec241b2fbee7215b9e8d1a486ed600998554f32b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4be85ab-e0fc-488e-a565-a51b5dc7fcc7.vbs

Filesize
732B

MD5
93b0a443f5ea8ca0f4fc7ff8edf53471

SHA1
01de8fd87a4c23e0a8df48c739029f1bc4eadbdf

SHA256
98b88653f7e0dbb60687bae68adb148b5b8c7fc8f255ece24747b5404f1086aa

SHA512
24e21f66e210acbbd4bb4430d769dabe56d9a481ddb784853dfd72a7ceae32f9adafe006af51873bc9054a3eaa7a9b981cb72d106e2a4dd30880e89cf16557cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d47b3599-bcd3-4582-accb-388c8abfa3df.vbs

Filesize
508B

MD5
e84651780f159ac658c8185f4ca4e386

SHA1
37531476f4fd2e5de977586ed0ee397a9ead1159

SHA256
0d5ff5f385e10e35cd942c78be9b3566fe4fbbc03fd1ac0d1fa16f84529cdf42

SHA512
cea41fee08a0db935e96595b90bb59739322a3c88edad15e83b367ad91462dbfb2023e4faafe06486fd02a8459325a05acb2bd97e6894d66166afde39e104d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
688B

MD5
5458f7ac318f6f8e4fa80af4effbbd6a

SHA1
84763610654a1afbc74cea444d161ba83a7df24b

SHA256
b6f7a9f9573f5bfc39dc5745a2d5183965e1fab92af5796ccb52120fc186e37a

SHA512
27c3d466f70cb9ff018f203652f703d1b1571168cd614e00d6eb33c25304b92b013e549337dadf0d7a0da1d0f2189941f1a14ad5568dc251e577db222b419fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
432B

MD5
26627cb6222a52434cf38ad1cf8e585b

SHA1
38ba7181d0fbd87ebbb14221afc345a9645f4a72

SHA256
fb70115da53bd484a7332a926263ac9df4d66a0aa2667796bdecbb855c2c38e6

SHA512
a73933393cefa42b286724827bfd1df4b976f61ab6abcc7fac12e69de19cb11381c81d9a8eae73022f8c35cac902e1931a13ddec3b3477e64c12510b332f0bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mG9Lse2gDd.bat

Filesize
220B

MD5
fcaf7ca406ffe65f3cc7c32f50beea8b

SHA1
e1959715bd1f029f47084258c842e28c6e569fbf

SHA256
c76ce8e2ecc43e3a7a368c36e59390f98b2739575ed1092ec62fd2d5965de85b

SHA512
d977a5f37006d82e53f586f8bd833a8f44cc0e699d33e413c23a35c35a95f754c9f2c87f2e790479f163ae9da59889c53a69f5ccff9b74a5464adb7377740ab7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16de42cd910896891127733ca13672c4

SHA1
06c8fd54096a0fabdeddded5b7f59209cf0c333d

SHA256
dc4d49fa41f8ec2fcdd78f918f8346905130739b417a98895b1a1aa694b02fd5

SHA512
67524c4535a13f32b82ccd054f223cb6dba1945ab6e550fb372ce29a69c5a18bad1679e23877bb08117d53186deb7d4d5d3ffc80a27888b28fecb6491a28159c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f60448df02051b9d443ab3fc938793cb

SHA1
2aa8d61218969c5c4a883038063d23de8cb5eece

SHA256
63b490a4e90b258fc065fe16f706174ffe32e25441a5977d41de2a064373619f

SHA512
454d1683798ebfbd03efd3571ff9b7ef69d247ce72383d81d4dc3a6c667a60c361aac67a31c97ecac8e89cf64ee199aa5f1334788ac98d965821501e5da3d366

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3cd769c9506b638e29a45a0993458426

SHA1
5f63d6daad98eb8907ede1da2a12bba57e9bc32c

SHA256
204d1dda267a624c826187c7010d9b33fc36e00f3e8f0308906bde5024ccf784

SHA512
f1582f04ca574878d3059f46aee35d83d06a330a9ee3cd7aaa110356872d6d8478e7c288241ede388bd4475d0d9bf3b40d13212231931f31d03223b3d3de0acb

Download Submit
C:\Users\smss.exe

Filesize
1.5MB

MD5
342d9786a05ca3ac788611225021e670

SHA1
b0af40b9312f3dfd98bbb8c3b7fe70df606187c3

SHA256
71c18dc31e53da4c75e40e6aeac6437058eb63527abe2eade9d7dc58c34b4f9b

SHA512
622b9ae8acad10b431c4637432d4ae9f6647453efc5ea4cab9563bda9b0c3dd804260a21e339fea199d19b0a738cf9325f1f3d0ab323c78c347e0fe20e4f3399

Download Submit
memory/1388-199-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1388-198-0x00000000009A0000-0x0000000000B1E000-memory.dmp

Filesize
1.5MB

Download
memory/1668-251-0x0000000000240000-0x00000000003BE000-memory.dmp

Filesize
1.5MB

Download
memory/1944-308-0x0000000001200000-0x000000000137E000-memory.dmp

Filesize
1.5MB

Download
memory/2340-332-0x0000000000DC0000-0x0000000000F3E000-memory.dmp

Filesize
1.5MB

Download
memory/2348-94-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2552-274-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2592-262-0x0000000000D40000-0x0000000000EBE000-memory.dmp

Filesize
1.5MB

Download
memory/2604-174-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2632-320-0x0000000000280000-0x00000000003FE000-memory.dmp

Filesize
1.5MB

Download
memory/2856-179-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2884-13-0x0000000002090000-0x000000000209A000-memory.dmp

Filesize
40KB

Download
memory/2884-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x00000000000B0000-0x000000000022E000-memory.dmp

Filesize
1.5MB

Download
memory/2884-24-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-21-0x000000001AD40000-0x000000001AD48000-memory.dmp

Filesize
32KB

Download
memory/2884-20-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download
memory/2884-18-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/2884-17-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/2884-16-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2884-15-0x00000000023A0000-0x00000000023AA000-memory.dmp

Filesize
40KB

Download
memory/2884-14-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/2884-111-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-12-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2884-11-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2884-10-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2884-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2884-8-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2884-7-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2884-6-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2884-5-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2884-4-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2884-3-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2884-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-101-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download