dcrat | 0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Size

1.5MB
MD5

3b0a6949a267720496eb0e81fc9de90b
SHA1

06ffe0b8f18fa03019a913f641d0b16bef0a0bf8
SHA256

0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305
SHA512

3823fab092e42f949b1653c1bb20a908f2b9f48fdfb8f3b78944d9fd9c9721696bf519546bf4d1f268292733e668a9d211b2fc139eb5e1dfa6ce6c3e9f0690da
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRm:EzhWhCXQFN+0IEuQgyiVK+

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 11 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2652	schtasks.exe
		2704	schtasks.exe
		2876	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
		2640	schtasks.exe
		2632	schtasks.exe
		1532	schtasks.exe
File created	C:\Windows\System32\unregmp2\b75386f1303e64		0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
		2620	schtasks.exe
		2724	schtasks.exe
		2444	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Documents and Settings\\OSPPSVC.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Documents and Settings\\OSPPSVC.exe\", \"C:\\Windows\\System32\\umstartup000\\sppsvc.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\", \"C:\\Documents and Settings\\dllhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\unregmp2\\taskhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\", \"C:\\Documents and Settings\\OSPPSVC.exe\", \"C:\\Windows\\System32\\umstartup000\\sppsvc.exe\", \"C:\\Windows\\System32\\SampleRes\\lsass.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2748	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe
1964	powershell.exe
2176	powershell.exe
2084	powershell.exe
2056	powershell.exe
572	powershell.exe
2308	powershell.exe
832	powershell.exe
1156	powershell.exe
1788	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Executes dropped EXE 9 IoCs

pid	Process
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
1596	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
1680	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2120	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
328	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
1744	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
1100	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\wininit.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\umstartup000\\sppsvc.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Documents and Settings\\OSPPSVC.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\SampleRes\\lsass.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\SampleRes\\lsass.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305 = "\"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\taskhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Documents and Settings\\OSPPSVC.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305 = "\"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\umstartup000\\sppsvc.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\unregmp2\\taskhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\unregmp2\\taskhost.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupExe(20240903051854134)\\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe\""	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\umstartup000\sppsvc.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\SampleRes\lsass.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\unregmp2\RCXB462.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\umstartup000\RCXC49F.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\umstartup000\sppsvc.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\SampleRes\RCXC710.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\unregmp2\taskhost.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\unregmp2\taskhost.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\unregmp2\b75386f1303e64	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\umstartup000\0a1fd5f707cd16	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Windows\System32\SampleRes\6203df4a6bafc7	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Windows\System32\SampleRes\lsass.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\ja-JP\8fa0622f2c026c	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCXC02A.tmp	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
2620	schtasks.exe
2724	schtasks.exe
1532	schtasks.exe
2704	schtasks.exe
2640	schtasks.exe
2652	schtasks.exe
2444	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
1788	powershell.exe
2176	powershell.exe
2084	powershell.exe
2144	powershell.exe
1964	powershell.exe
1156	powershell.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
572	powershell.exe
2308	powershell.exe
2056	powershell.exe
832	powershell.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	1596	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	1680	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	2120	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	328	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	1744	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Token: SeDebugPrivilege	1100	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1156	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	40
PID 2108 wrote to memory of 1156	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	40
PID 2108 wrote to memory of 1156	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	40
PID 2108 wrote to memory of 1788	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	41
PID 2108 wrote to memory of 1788	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	41
PID 2108 wrote to memory of 1788	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	41
PID 2108 wrote to memory of 2084	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	42
PID 2108 wrote to memory of 2084	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	42
PID 2108 wrote to memory of 2084	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	42
PID 2108 wrote to memory of 2176	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	43
PID 2108 wrote to memory of 2176	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	43
PID 2108 wrote to memory of 2176	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	43
PID 2108 wrote to memory of 2056	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	45
PID 2108 wrote to memory of 2056	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	45
PID 2108 wrote to memory of 2056	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	45
PID 2108 wrote to memory of 572	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	46
PID 2108 wrote to memory of 572	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	46
PID 2108 wrote to memory of 572	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	46
PID 2108 wrote to memory of 2308	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	47
PID 2108 wrote to memory of 2308	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	47
PID 2108 wrote to memory of 2308	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	47
PID 2108 wrote to memory of 2144	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	48
PID 2108 wrote to memory of 2144	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	48
PID 2108 wrote to memory of 2144	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	48
PID 2108 wrote to memory of 1964	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	49
PID 2108 wrote to memory of 1964	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	49
PID 2108 wrote to memory of 1964	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	49
PID 2108 wrote to memory of 832	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	50
PID 2108 wrote to memory of 832	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	50
PID 2108 wrote to memory of 832	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	50
PID 2108 wrote to memory of 888	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	61
PID 2108 wrote to memory of 888	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	61
PID 2108 wrote to memory of 888	2108	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	61
PID 888 wrote to memory of 2624	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	62
PID 888 wrote to memory of 2624	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	62
PID 888 wrote to memory of 2624	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	62
PID 888 wrote to memory of 2652	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	63
PID 888 wrote to memory of 2652	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	63
PID 888 wrote to memory of 2652	888	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	63
PID 2624 wrote to memory of 1832	2624	WScript.exe	64
PID 2624 wrote to memory of 1832	2624	WScript.exe	64
PID 2624 wrote to memory of 1832	2624	WScript.exe	64
PID 1832 wrote to memory of 2504	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	65
PID 1832 wrote to memory of 2504	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	65
PID 1832 wrote to memory of 2504	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	65
PID 1832 wrote to memory of 1792	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	66
PID 1832 wrote to memory of 1792	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	66
PID 1832 wrote to memory of 1792	1832	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	66
PID 2504 wrote to memory of 2376	2504	WScript.exe	67
PID 2504 wrote to memory of 2376	2504	WScript.exe	67
PID 2504 wrote to memory of 2376	2504	WScript.exe	67
PID 2376 wrote to memory of 1612	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	68
PID 2376 wrote to memory of 1612	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	68
PID 2376 wrote to memory of 1612	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	68
PID 2376 wrote to memory of 1948	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	69
PID 2376 wrote to memory of 1948	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	69
PID 2376 wrote to memory of 1948	2376	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	69
PID 1612 wrote to memory of 1596	1612	WScript.exe	70
PID 1612 wrote to memory of 1596	1612	WScript.exe	70
PID 1612 wrote to memory of 1596	1612	WScript.exe	70
PID 1596 wrote to memory of 768	1596	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	71
PID 1596 wrote to memory of 768	1596	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	71
PID 1596 wrote to memory of 768	1596	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	71
PID 1596 wrote to memory of 1284	1596	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe	72

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
"C:\Users\Admin\AppData\Local\Temp\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\unregmp2\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\umstartup000\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SampleRes\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
  "C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:888
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a041ca0f-216e-4c2a-9bb4-ea5122a4f226.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
      C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ba1743d-bfe2-46a5-9fb2-5e2c4af44e11.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33a93f52-7a25-41a0-8e97-c9f6243f7b09.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87bee14f-ec3c-4017-aec6-908c3542a770.vbs"
        9⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92976e41-d29b-4207-823e-821f0e90c0c4.vbs"
        11⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ebe3908-a3fe-423f-a3fa-13c14d44d0eb.vbs"
        13⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f73d4bb8-c9c3-4165-86c3-cb77697f37ad.vbs"
        15⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b194c80-da67-4f67-ae1a-e0989580548b.vbs"
        17⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        
        C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\147f239b-0bcd-4f3d-9bdd-8f54e6a518f2.vbs"
        19⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dbf2148-6f41-4cea-95d6-7ac81c0a45a1.vbs"
        19⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\180a2cf7-d7ef-42e3-89fe-5a73c65014cf.vbs"
        17⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f678ea-667e-47ca-94f9-bdb68613eedd.vbs"
        15⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b67fb67e-0b04-448f-8fb0-a2a14c678ab9.vbs"
        13⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a8d7605-fe25-4c92-b67b-c33d2d46e3a0.vbs"
        11⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\018ae9fb-8b3f-4bc1-961d-f6698e6b5588.vbs"
        9⤵
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82b38e99-7227-436e-a736-a871788d8ddd.vbs"
        7⤵
        
        PID:1948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72b7df4c-8165-453e-a426-79d67a998bed.vbs"
        5⤵
        
        PID:1792
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98e60d00-bab6-4c7a-af40-f71a6ed88cdc.vbs"
    3⤵
    PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\unregmp2\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Documents and Settings\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\umstartup000\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\SampleRes\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe

Filesize
1.5MB

MD5
3b0a6949a267720496eb0e81fc9de90b

SHA1
06ffe0b8f18fa03019a913f641d0b16bef0a0bf8

SHA256
0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305

SHA512
3823fab092e42f949b1653c1bb20a908f2b9f48fdfb8f3b78944d9fd9c9721696bf519546bf4d1f268292733e668a9d211b2fc139eb5e1dfa6ce6c3e9f0690da

Download Submit
C:\Users\Admin\AppData\Local\Temp\147f239b-0bcd-4f3d-9bdd-8f54e6a518f2.vbs

Filesize
806B

MD5
572c38f2e75e233f692d5bc79eb600ef

SHA1
9c9a8c6e9a549ffdbc4f239ee48322cebefc38b1

SHA256
3f29cb9dd20fc95a14c3c916b982db7dff9be2afc8f6b7ce92540a8da0d82550

SHA512
32714d11e77ed0621fa161414a70f4958e4f6b40b811ddf31c1e05f60d3b210203c6f1c4a89d56e925d1c3d99a76fbb15d7193ceca0962daceb0d0921ca0bd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ba1743d-bfe2-46a5-9fb2-5e2c4af44e11.vbs

Filesize
806B

MD5
48271a7951ff662385a6b988f860a433

SHA1
be3966352027968daadd14adbe02045b7076b219

SHA256
be897d337260457250153c47bfae692b0c489028e6d41f8c6c4c379b9036ed1d

SHA512
7cf7f988083e495aca8c3f9f5726903b07e75ad7cf1c10346f31ea6127216b65c68c382d402e59e8c8598ddb947eebb7f3e36404e2fb16506ce0ce889ae1170b

Download Submit
C:\Users\Admin\AppData\Local\Temp\33a93f52-7a25-41a0-8e97-c9f6243f7b09.vbs

Filesize
806B

MD5
a728b9bf6480b47605f50e071a1de110

SHA1
ec80ca2c70dbcbb575f93b3e1f30a88ef343b7e4

SHA256
ebc4e0ccd84e6017a83838a8c265aa5659da138f38570dc2bd4bab073f1be9a2

SHA512
5e109164a9766b3dead94763ce525a3148fbace46f34f4fd9bf339f8ef89b26a2bac166d6b4f4b5ba7200f4ad76d3202774c5285bce50be0475da2ded33778f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b194c80-da67-4f67-ae1a-e0989580548b.vbs

Filesize
806B

MD5
2db6d4b250d0825013698e0a1bb1853d

SHA1
e4e29c7ee3f21ffb4f7d8f39d9993e411da7f2f3

SHA256
b65c102b828675743c103b2496da1e161fc405842807a3fe21df5fd688167583

SHA512
023e51993a4051dbfba58ac4425b7dd1557e3d21419ad6391518631ac92d5ad8560c8e940a909da463636cd0d71b0814b37a94479616eaebbcd5548639f40c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\87bee14f-ec3c-4017-aec6-908c3542a770.vbs

Filesize
806B

MD5
dff45d465d62048800551e4bd3935bcf

SHA1
a5acf9e472dc0d8cb06147d621f160e09b61a604

SHA256
a24d872b45f848ef024963b0d5f5b02bff8734d52221b8c9acb61159fa125e7c

SHA512
81c13a00510c881892b54fee1640f79b697de4038e0882b99abae7fcc94f4610c1eda1f332770a5140b9b2e64c45adf0d0b46f508e38dc175f1554e9a19e725d

Download Submit
C:\Users\Admin\AppData\Local\Temp\92976e41-d29b-4207-823e-821f0e90c0c4.vbs

Filesize
806B

MD5
58d6e95c0435d2b3f2c9145c0f38fec1

SHA1
df00b65ade08197244eea8c895579f68b0f6de1b

SHA256
6e7759529afdab6ec15bdfe28e00bf6cd60ed53338cd5f050efd7b4b18cd4125

SHA512
d072691f6d70dcf5ccbe41da074fa32de99c0cec247cec8f7d4971d01e4f20611af2010c1deacd62ae754efd64a9397dcfe97ca307e2dcafe416002d813dfe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\98e60d00-bab6-4c7a-af40-f71a6ed88cdc.vbs

Filesize
582B

MD5
8722e24b6afad669521735131d610c84

SHA1
ba013edcd972f95c6fcdadbb17a65f8460dbb2d2

SHA256
c164325072308d3f04dcbdb9edc0689ab1504cb4659a563b46e69d0dba9ded57

SHA512
58a65ee925438ffd1b42a06ff7c8a4671e9ca4db3a4ba3c7f996dd25cdcc5b0c13bec5599ad74456b2a4563d312a33316804d8ccf33f7aeec61d4806837bf1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ebe3908-a3fe-423f-a3fa-13c14d44d0eb.vbs

Filesize
806B

MD5
dca2d8730a1e449cf095ad1f61c35824

SHA1
f113dd0850576d5ed308e3ba87e8ad12523a08f2

SHA256
fcae3d4f4de5358ee2fed91cb298f2d693a8f86dab39e639ecf136ea4f924da3

SHA512
1656193836f52d0d4d60494a84f6de4875df66ec9ca7ba9d4c67c2f055b0c2da46fbea59625d5583fced62374d75be5fa0b94b65bf865d89f91ae449c25c81b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134)\0b951b2ba61766a9c82dbabbe954a1ea70b667f3acbbd9a1f4ffadc32541f305.exe

Filesize
1.5MB

MD5
6219f78571f3152c67452222ba62e23e

SHA1
28bca50b1d6b53dd8f13aef634b1de6f48f3e064

SHA256
21964c01ce3f35361b844c10f63b7f79460e440b932583e25aa6e2b72e08aa83

SHA512
6b8c58483bb7c44ab0652906f6b0cb3207776a0325cdab2804a503ff7b49282aa7d29e1f04f6339ccfb63311d063a887dc82cc147b465bef32f8572feb3df94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a041ca0f-216e-4c2a-9bb4-ea5122a4f226.vbs

Filesize
805B

MD5
d4398a978879ab63016d1977e396fe39

SHA1
391e3bcfe452799d39527daaacac6394dceb89cb

SHA256
d6ff214ebfc61ccaf474c59b973c5ad1702740ba8d55e4710ee62d21c3d242ba

SHA512
c40cb55252bdc4c121483d0a1db6718443edb601c926f0e99a0ff81cd13b6ebbdc8cb18252431ceaaba150346f4bc2ab7d416defd621e18a6bf6dde190745174

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1553656ce62ae4a147cbae87d92c096ce384105.exe

Filesize
1.5MB

MD5
75b1b7322a016f3bb67b47483749d53e

SHA1
15b85ccc52723881ccbab541be6424e76e2888d0

SHA256
579781c108b2e880325d2fa85247787a5e9bc59a04aed832f5412268173e8b99

SHA512
63245c125ea19f36d7f8b6dc79004d0aaf82d7602a5ffa9bb0c08c8ca485f867fc2d3ff6f1ef13e25942e1545e8be8395b4d1c435945051656002392da5725b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f73d4bb8-c9c3-4165-86c3-cb77697f37ad.vbs

Filesize
805B

MD5
f40d6811e7398b7fee2c57a6f83eeae5

SHA1
d2323a5b406b2add4e3e4aed6f81e1ba5f5d1fcc

SHA256
58459e1906d3cad938752e2821dfb290c16c0ec754113faf4238221444d99d3d

SHA512
0d21dbc34162c75105577fece4d41268cff77ae9079a4d636a0dbd79ba2cc91c245cd038e68dfcde74d2eb8ff1756ef4bb1909536a49711b02110e97896a7f8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e10f484be34238c0f13bb3536760ef30

SHA1
f97d238459982e76bb073cdadd9479862f3e56e0

SHA256
b26d62d41a1278672b190554bd59f41409f94ea3ad21f85fcb05b675330c7f38

SHA512
23691a27df3a7d0ef5b8bdc3609cc55bcd85dd1715941d2a6981a236151b17939c03e4304c190b93dc3a93c79aa7f8db6a23dbf03cb6ddc7b46ba7cd15e2f228

Download Submit
C:\Users\OSPPSVC.exe

Filesize
1.5MB

MD5
2ca0073b43969db97d0786888f75ad65

SHA1
eb299f052a1c15b90f7986cfce3e6defe30d5073

SHA256
31100ea97656521818b181284a4e4cc87b3c53d8e87e62e771492c99ea935d8d

SHA512
ef1328f4c638a86eccc72926cf302bd7576060348cc28e8e88162670f63d8beb02809f5dedcb63c8f4909d07977e4ea7e52329efd0b127f910661be783895b96

Download Submit
memory/328-227-0x0000000000370000-0x00000000004EE000-memory.dmp

Filesize
1.5MB

Download
memory/888-157-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/888-151-0x0000000000110000-0x000000000028E000-memory.dmp

Filesize
1.5MB

Download
memory/1100-251-0x00000000000E0000-0x000000000025E000-memory.dmp

Filesize
1.5MB

Download
memory/1596-191-0x00000000012D0000-0x000000000144E000-memory.dmp

Filesize
1.5MB

Download
memory/1596-192-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1680-204-0x0000000001350000-0x00000000014CE000-memory.dmp

Filesize
1.5MB

Download
memory/1744-239-0x0000000001330000-0x00000000014AE000-memory.dmp

Filesize
1.5MB

Download
memory/1788-113-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1832-168-0x00000000010D0000-0x000000000124E000-memory.dmp

Filesize
1.5MB

Download
memory/2108-11-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2108-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2108-16-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2108-15-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2108-152-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-14-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2108-13-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2108-12-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2108-17-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2108-21-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2108-10-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2108-1-0x0000000000FD0000-0x000000000114E000-memory.dmp

Filesize
1.5MB

Download
memory/2108-18-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/2108-9-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/2108-20-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2108-8-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2108-7-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2108-6-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2108-5-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2108-24-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-4-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2108-3-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2108-2-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2176-115-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download