dcrat | bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Size

1.5MB
MD5

9138df6efdf28b8d1a9fe37db04dd4cf
SHA1

4cbee2006349426a7863324e9dce520f61d7d7b6
SHA256

bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd
SHA512

8052feb171625a94a62e886ccf65ad2bb44c03c6f288d1887a187e9fcda4abbba5ece6f94bd659fd27836f7b2768c523c21685fb57d2378dca999a2fd7230963
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRE:EzhWhCXQFN+0IEuQgyiVK8

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2912	schtasks.exe
		2780	schtasks.exe
		2764	schtasks.exe
		1628	schtasks.exe
		344	schtasks.exe
		2868	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
		2736	schtasks.exe
		2296	schtasks.exe
		2124	schtasks.exe
		1588	schtasks.exe
		2300	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\thumbcache\\lsm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\thumbcache\\lsm.exe\", \"C:\\Windows\\System32\\WMPEncEn\\dllhost.exe\", \"C:\\ProgramData\\Microsoft Help\\services.exe\", \"C:\\PerfLogs\\Admin\\taskhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\thumbcache\\lsm.exe\", \"C:\\Windows\\System32\\WMPEncEn\\dllhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\thumbcache\\lsm.exe\", \"C:\\Windows\\System32\\WMPEncEn\\dllhost.exe\", \"C:\\ProgramData\\Microsoft Help\\services.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\g711codc\\dwm.exe\", \"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\", \"C:\\Windows\\System32\\npmproxy\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\", \"C:\\Windows\\System32\\thumbcache\\lsm.exe\", \"C:\\Windows\\System32\\WMPEncEn\\dllhost.exe\", \"C:\\ProgramData\\Microsoft Help\\services.exe\", \"C:\\PerfLogs\\Admin\\taskhost.exe\", \"C:\\Windows\\System32\\vccorlib120\\taskhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2672	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
704	powershell.exe
2960	powershell.exe
2660	powershell.exe
2856	powershell.exe
2852	powershell.exe
532	powershell.exe
2392	powershell.exe
1856	powershell.exe
2892	powershell.exe
2864	powershell.exe
1144	powershell.exe
780	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe

Executes dropped EXE 10 IoCs

pid	Process
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1572	dllhost.exe
1876	dllhost.exe
1964	dllhost.exe
1976	dllhost.exe
2636	dllhost.exe
1824	dllhost.exe
868	dllhost.exe
1868	dllhost.exe
3060	dllhost.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\g711codc\\dwm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Microsoft Help\\services.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\PerfLogs\\Admin\\taskhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\vccorlib120\\taskhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WMPEncEn\\dllhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\vccorlib120\\taskhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\g711codc\\dwm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\npmproxy\\dllhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\thumbcache\\lsm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\thumbcache\\lsm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDBENE\\spoolsv.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\npmproxy\\dllhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_installer\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\PerfLogs\\Admin\\taskhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052630-0\\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\lsm.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WMPEncEn\\dllhost.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Microsoft Help\\services.exe\""	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\npmproxy\dllhost.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\thumbcache\101b941d020240	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\vccorlib120\taskhost.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\WMPEncEn\dllhost.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\vccorlib120\taskhost.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\g711codc\dwm.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\g711codc\dwm.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\KBDBENE\RCXB4A2.tmp	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\WMPEncEn\dllhost.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\KBDBENE\spoolsv.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\KBDBENE\spoolsv.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\thumbcache\lsm.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\g711codc\6cb0b6c459d5d3	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\WMPEncEn\5940a34987c991	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\vccorlib120\b75386f1303e64	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\g711codc\RCXB29F.tmp	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File opened for modification	C:\Windows\System32\npmproxy\RCXB8AA.tmp	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\thumbcache\lsm.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\KBDBENE\f3b6ecef712a24	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\npmproxy\dllhost.exe	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
File created	C:\Windows\System32\npmproxy\5940a34987c991	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe
2764	schtasks.exe
1628	schtasks.exe
2868	schtasks.exe
344	schtasks.exe
2124	schtasks.exe
2300	schtasks.exe
2912	schtasks.exe
2736	schtasks.exe
2296	schtasks.exe
1588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
532	powershell.exe
2392	powershell.exe
1144	powershell.exe
592	powershell.exe
1856	powershell.exe
704	powershell.exe
780	powershell.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
2864	powershell.exe
2856	powershell.exe
2852	powershell.exe
2892	powershell.exe
2660	powershell.exe
2960	powershell.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1572	dllhost.exe
Token: SeDebugPrivilege	1876	dllhost.exe
Token: SeDebugPrivilege	1964	dllhost.exe
Token: SeDebugPrivilege	1976	dllhost.exe
Token: SeDebugPrivilege	2636	dllhost.exe
Token: SeDebugPrivilege	1824	dllhost.exe
Token: SeDebugPrivilege	868	dllhost.exe
Token: SeDebugPrivilege	1868	dllhost.exe
Token: SeDebugPrivilege	3060	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 532	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	37
PID 2356 wrote to memory of 532	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	37
PID 2356 wrote to memory of 532	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	37
PID 2356 wrote to memory of 2392	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	38
PID 2356 wrote to memory of 2392	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	38
PID 2356 wrote to memory of 2392	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	38
PID 2356 wrote to memory of 1856	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	39
PID 2356 wrote to memory of 1856	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	39
PID 2356 wrote to memory of 1856	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	39
PID 2356 wrote to memory of 592	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	42
PID 2356 wrote to memory of 592	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	42
PID 2356 wrote to memory of 592	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	42
PID 2356 wrote to memory of 704	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	43
PID 2356 wrote to memory of 704	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	43
PID 2356 wrote to memory of 704	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	43
PID 2356 wrote to memory of 780	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	44
PID 2356 wrote to memory of 780	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	44
PID 2356 wrote to memory of 780	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	44
PID 2356 wrote to memory of 1144	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	46
PID 2356 wrote to memory of 1144	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	46
PID 2356 wrote to memory of 1144	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	46
PID 2356 wrote to memory of 2820	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	51
PID 2356 wrote to memory of 2820	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	51
PID 2356 wrote to memory of 2820	2356	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	51
PID 2820 wrote to memory of 1008	2820	cmd.exe	53
PID 2820 wrote to memory of 1008	2820	cmd.exe	53
PID 2820 wrote to memory of 1008	2820	cmd.exe	53
PID 2820 wrote to memory of 1064	2820	cmd.exe	55
PID 2820 wrote to memory of 1064	2820	cmd.exe	55
PID 2820 wrote to memory of 1064	2820	cmd.exe	55
PID 1064 wrote to memory of 2960	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	61
PID 1064 wrote to memory of 2960	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	61
PID 1064 wrote to memory of 2960	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	61
PID 1064 wrote to memory of 2660	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	62
PID 1064 wrote to memory of 2660	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	62
PID 1064 wrote to memory of 2660	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	62
PID 1064 wrote to memory of 2856	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	64
PID 1064 wrote to memory of 2856	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	64
PID 1064 wrote to memory of 2856	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	64
PID 1064 wrote to memory of 2852	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	66
PID 1064 wrote to memory of 2852	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	66
PID 1064 wrote to memory of 2852	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	66
PID 1064 wrote to memory of 2864	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	68
PID 1064 wrote to memory of 2864	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	68
PID 1064 wrote to memory of 2864	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	68
PID 1064 wrote to memory of 2892	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	69
PID 1064 wrote to memory of 2892	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	69
PID 1064 wrote to memory of 2892	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	69
PID 1064 wrote to memory of 2740	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	73
PID 1064 wrote to memory of 2740	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	73
PID 1064 wrote to memory of 2740	1064	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe	73
PID 2740 wrote to memory of 2176	2740	cmd.exe	75
PID 2740 wrote to memory of 2176	2740	cmd.exe	75
PID 2740 wrote to memory of 2176	2740	cmd.exe	75
PID 2740 wrote to memory of 1572	2740	cmd.exe	76
PID 2740 wrote to memory of 1572	2740	cmd.exe	76
PID 2740 wrote to memory of 1572	2740	cmd.exe	76
PID 1572 wrote to memory of 3028	1572	dllhost.exe	77
PID 1572 wrote to memory of 3028	1572	dllhost.exe	77
PID 1572 wrote to memory of 3028	1572	dllhost.exe	77
PID 1572 wrote to memory of 1564	1572	dllhost.exe	78
PID 1572 wrote to memory of 1564	1572	dllhost.exe	78
PID 1572 wrote to memory of 1564	1572	dllhost.exe	78
PID 3028 wrote to memory of 1876	3028	WScript.exe	79

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
"C:\Users\Admin\AppData\Local\Temp\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052630-0\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\g711codc\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDBENE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\npmproxy\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_installer\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pf49rczEcU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe
    "C:\Users\Admin\AppData\Local\Temp\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\thumbcache\lsm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WMPEncEn\dllhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft Help\services.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vccorlib120\taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SUoFbHmupk.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2176
    - - C:\Windows\System32\WMPEncEn\dllhost.exe
        
        "C:\Windows\System32\WMPEncEn\dllhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1572
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39781170-bcc1-47c1-b1af-fdeef3045a9a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee3df90b-b81d-4afa-9ca4-7bc87c10be0f.vbs"
        8⤵
        
        PID:704
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94819e25-e1af-4b55-b44c-49ffd91a40e5.vbs"
        10⤵
        
        PID:2372
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77fb00a1-f720-41a8-8de5-2e3c06d7c376.vbs"
        12⤵
        
        PID:1640
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c97f25a-0cad-4049-8b6e-531242a4178b.vbs"
        14⤵
        
        PID:3032
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6cf0609-efe8-476a-8946-906b85e880f5.vbs"
        16⤵
        
        PID:1836
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e620ba9-b27e-41a5-b091-19293188749c.vbs"
        18⤵
        
        PID:2808
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1371b845-07a9-4cb7-a0cb-e6b53ef19538.vbs"
        20⤵
        
        PID:2764
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        
        C:\Windows\System32\WMPEncEn\dllhost.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a25d8703-ff6b-4fe7-aa85-f95c18ac5ac6.vbs"
        22⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c580d9d-b0a6-459e-8c30-5235778b61ee.vbs"
        22⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5e2c4c6-40f7-4a03-a84b-b2c35c21123f.vbs"
        20⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0281a32f-eb4c-48d3-9ee6-4e9ac52b4814.vbs"
        18⤵
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22943fb7-2d93-4559-84f4-8395b333692e.vbs"
        16⤵
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\479226a5-8d50-4985-92a6-02431be18aab.vbs"
        14⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7140bb6-7922-4f5b-a0d4-4a31b43b6487.vbs"
        12⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0ef7938-5896-4272-9f83-09d762f0c569.vbs"
        10⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e05575-4a81-48c3-a250-f6effe0deecc.vbs"
        8⤵
        
        PID:1720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5feb1a7-b2bd-4e59-a4e1-fc4da478ad0e.vbs"
        6⤵
        
        PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052630-0\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\g711codc\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDBENE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\npmproxy\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_installer\bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\thumbcache\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\WMPEncEn\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\vccorlib120\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c97f25a-0cad-4049-8b6e-531242a4178b.vbs

Filesize
716B

MD5
1762d67738589dedcbd36bb62f411062

SHA1
7c04ab5fafd4009bdcf1b992fe8173c867759310

SHA256
85b2e22efe84e905779ad86365c1bfe99e2208e542dcdd546ee99f764c78866e

SHA512
78bf13f93a81a84ad0e7c078abe162c26a7eb4665520d73031378190ce8ed2c9254656d7bfd3a1601d1db87c5c67309a15d3d166d09afa3d5db6e105129aac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1371b845-07a9-4cb7-a0cb-e6b53ef19538.vbs

Filesize
716B

MD5
1fee949feac6fb53e42a4e4bd103210d

SHA1
59a8ff0a8abe943024774adcd2a85e31ee2285a4

SHA256
1cf6b9bb008790b526faa903247fe25b9607c61cc48d12caa227c540440415ff

SHA512
d772a0c4a7e2eeb88884ebcadfa5bf9a5817cd59e62174c78a97bd3b7e6ce23009a0c45cb3ede4e800f2fdf27cff24fafa9fa4d537fe9e05c83b48989995a2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\39781170-bcc1-47c1-b1af-fdeef3045a9a.vbs

Filesize
716B

MD5
10e784aea9f51052fe699d2cde96b395

SHA1
1ba263ea131ac3f5b8ac1deb7395e35a542dfeb2

SHA256
e4ac5584619dc66bc6b89c009bcd2539d97094ca4a7049d27ae3a95bb3e75863

SHA512
3fffa4b610eb8f91170a42ff61b3901cbd7d657bbe5f7007c50218108c50e042b5a97d4670b5fe72409bded3c62389209c67ff533d9df854aa6e8c86c3c987de

Download Submit
C:\Users\Admin\AppData\Local\Temp\77fb00a1-f720-41a8-8de5-2e3c06d7c376.vbs

Filesize
716B

MD5
43fb9bac1e28c244ecb6dd2d802c5d39

SHA1
6ec8b0fe50f351b0106ca9288cec84e0bb5ce71b

SHA256
6c1b021f84d1f63bd4585c65c483a970dc1548732ff5b810004dbc76838d6518

SHA512
482e0387a5bbb56912e5e6320f6b35afadcd38b8c6cbcab27e6ba12e293c8d9a789537da9471e74e2c7ed568add516d95ba0913e0ac6bf8dffe1eb0e184fe3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\94819e25-e1af-4b55-b44c-49ffd91a40e5.vbs

Filesize
716B

MD5
adf567f46998cfd7ffc324fe63f22d1a

SHA1
bc7d054f13058ad29d7ecf8e4d0036e48a2dd248

SHA256
1f4ce3c425aeceb725881d3c029dfbedcf2de9f4451c53abd51c9863a75d7453

SHA512
55d7e62278905ccc9895b0a490aac782fcd42ddd9ae67ae9c5e6730e180595558e371491e0046275a3a73efea9a03c7fe4360e9b00fa6cb74217076db1dae124

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e620ba9-b27e-41a5-b091-19293188749c.vbs

Filesize
715B

MD5
cddbc526d445851e1e4a2c32475416bd

SHA1
cba6b20da97d2570d5dc4d4471860566ff5d463c

SHA256
979f3ffdc6889de339ef6f3ae1cafda98350688fcccc94a0f0184cbda24e73d2

SHA512
6ecf3a45c9dbf217cdfaaffbef0c6cd1a09420b78244415904bc12b14718cd033942ba2c6d20fc70ba4e36e41f2eb43939c7be23d9e224591cc649b876e4f752

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pf49rczEcU.bat

Filesize
266B

MD5
10a47e13a4ce3cfe3e4188edc369379e

SHA1
29f67e0dcc653258a92a0b2099786393f3848b77

SHA256
d1e14e4e1edc9697f902b88b935eb69e950e51c357084c4c4c4c71cba6272f56

SHA512
c1992ce5f043be7f9f0ffe4b58121b21d8d949c23985be6f770cff7f5775e214b2af4a38922c21f867a8a2a57982a164e8a217e241144e9aac722d8c54598b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUoFbHmupk.bat

Filesize
204B

MD5
4ebdf05f69daac191f7ad54c4e7aca50

SHA1
2fdedf979364e5e97f37878aa6641f2a543290af

SHA256
6e32fe7cb013a48232ee12b42fcc0d065eea58fab17c39e494204040d06d9ea8

SHA512
83877c517b2bd1bad3abaf801e5b299f5d0d1737f4127d8221337d7bee4890dcdda1fb99ea1fd62b69eb26ce07ca888b30081fdbc4b1f9703565be654d5713e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a25d8703-ff6b-4fe7-aa85-f95c18ac5ac6.vbs

Filesize
716B

MD5
8169b7b756b2b3284c46a1341a7634c0

SHA1
ac2a6748b292ebf9f5c5311c031e87a673a44764

SHA256
41bcc3ecacafe6cfff91ffaf404c93a319ff27506e1bb7796f0d9171ed12fff6

SHA512
0763361a23d8d09323b5355ced110707af8f104013c9c3bb2012e749b7c624ce2010700e705d09ede5b1d38c0dd940d8ad7f9d2fe45990269d9230091cc406a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee3df90b-b81d-4afa-9ca4-7bc87c10be0f.vbs

Filesize
716B

MD5
12110dbcf0bf47e09c9af8ddaf5d614b

SHA1
2c2edb65e9a20d2865d1d52be1275f589bfbf6ed

SHA256
305f44315270fa09dc7e4df429554ac78d257a3d7c6f7208d9d35d71ceff97bc

SHA512
b924897420b7b6ff7b8fc7a0439eb3ab4169225c00ff917a8e938f652ddc715ac8ab434ae44227bba98bcb75183dec59f33ea61a0568ebb4407c96534facd4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
452B

MD5
4eca6aa025d2a8f5938da62aabb160a5

SHA1
e814e7d0e290c813b5b0487d4a0e2fdca88c842d

SHA256
c95d7189591058083c97a225ac4dd1d580ad5c1cb09082984e2a117817bb2e69

SHA512
6c5addd34d99cbd91ddeccb0d71c8ee0d606125564ced63774e0ca4ad987be9eb27bac7d5a1011899324d59749cf8519db5e807b425da8b2b43993621d61c9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5feb1a7-b2bd-4e59-a4e1-fc4da478ad0e.vbs

Filesize
492B

MD5
f682af4c4432aba0c1f4648844fd6414

SHA1
40c3b27224f67c8f39de80e078c8119351c9c695

SHA256
3f3fbd7db5c021252efced1a44a798be2d95cae86d7018ad862ae5d09ab8fd32

SHA512
9c50df40501a36c948e9ba299534a67240868018fd6dbb1370b0a363459f2bb8d76e5fb2d587748df3c9e7d9583da2cb0bfbeb5d042eb9c65d186f4e775d3c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6cf0609-efe8-476a-8946-906b85e880f5.vbs

Filesize
716B

MD5
e3fc124fc0136bc809936c13d12d5658

SHA1
ada8766bdcb2f1032d1a866a9a4ecd37e4bc5504

SHA256
202ec260e55f12f955c0119a1b19f562843d0834f10480b7864b03bd5a500626

SHA512
aedecc6db3e0c0ad2202ced752a445177bcb49e37f1d84520870ccdb7e76e1f58be69b4f8c2f7865abd9dc2fd101adde9689cf5497ffb67612cf720f4aea6eee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
070279db0febfa82d0e59af54054b67d

SHA1
3740da9cf17f5c2c22803025b092f17cb5e9c743

SHA256
8320b583ab8096fe19737d9d9f67ac66cc68a48b585cee71f2346e754e1146b4

SHA512
b2da0bc01e61be4b98c247a9b77e2e6155da73b9446143bf13e09d46a291f06ffb39fcca58ae4385a9690ebb5a11824f512bde786db35b7e6996aacb7a21557f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
73455bbf182105f95cbdc89104eb4c4a

SHA1
5c69b46fa3f02b2fde50bc756440a62b12b6867a

SHA256
e0366d98c442f82b06ac870df5ed31b6aad501151ec04b3245e40cc1dc303bbf

SHA512
c70b60451b2eb203b2bd99a6519f8869cc6715bf4bf75c86f7af25c7cc36d8aeff7ed8b0560cf3f98290f0bab74858774d57e187be558d0baf8533ed3b60fc4f

Download Submit
C:\Windows\System32\npmproxy\dllhost.exe

Filesize
1.5MB

MD5
9138df6efdf28b8d1a9fe37db04dd4cf

SHA1
4cbee2006349426a7863324e9dce520f61d7d7b6

SHA256
bc2fdfd427b0c5e3590e59ca343200b44cc81206eda89ee24d9d32c13c0a0bdd

SHA512
8052feb171625a94a62e886ccf65ad2bb44c03c6f288d1887a187e9fcda4abbba5ece6f94bd659fd27836f7b2768c523c21685fb57d2378dca999a2fd7230963

Download Submit
memory/532-89-0x000000001B880000-0x000000001BB62000-memory.dmp

Filesize
2.9MB

Download
memory/532-110-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1572-185-0x0000000000CB0000-0x0000000000E2E000-memory.dmp

Filesize
1.5MB

Download
memory/1824-244-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1868-267-0x0000000000110000-0x000000000028E000-memory.dmp

Filesize
1.5MB

Download
memory/1876-196-0x0000000000330000-0x00000000004AE000-memory.dmp

Filesize
1.5MB

Download
memory/1964-208-0x00000000002F0000-0x000000000046E000-memory.dmp

Filesize
1.5MB

Download
memory/1964-209-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1976-221-0x0000000001050000-0x00000000011CE000-memory.dmp

Filesize
1.5MB

Download
memory/2356-6-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2356-1-0x0000000000BC0000-0x0000000000D3E000-memory.dmp

Filesize
1.5MB

Download
memory/2356-10-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2356-0-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/2356-17-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/2356-2-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-16-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2356-15-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2356-14-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2356-13-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2356-12-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2356-11-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2356-18-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2356-94-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-4-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2356-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2356-21-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2356-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2356-7-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2356-24-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-5-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2356-20-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2356-3-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2856-174-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2864-165-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/3060-279-0x0000000000C80000-0x0000000000DFE000-memory.dmp

Filesize
1.5MB

Download
memory/3060-280-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download