dcrat | dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Size

1.5MB
MD5

5aeeddc9c33fb19473c2d36a1bf77632
SHA1

78c1f862eb9ba6c6e106f7c289d01358f42f655e
SHA256

dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d
SHA512

3b56c817e7a004d2fdfcbdec57bb1dbbb003bc0ef4c767b26257e9547bcc8894a062351a083648483921216003426a629038008837112d1985e39ff1f8ee20d2
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2476	schtasks.exe
		4220	schtasks.exe
		400	schtasks.exe
		1784	schtasks.exe
		4896	schtasks.exe
		3012	schtasks.exe
		3968	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
		1968	schtasks.exe
		4724	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\usocoreps\\dwm.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\usocoreps\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\WMIADAP\\unsecapp.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\usocoreps\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\WMIADAP\\unsecapp.exe\", \"C:\\ProgramData\\Desktop\\spoolsv.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\unsecapp.exe\", \"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3660	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3660	schtasks.exe	86

UAC bypass 3 TTPs 63 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
4344	powershell.exe
4740	powershell.exe
3972	powershell.exe
3504	powershell.exe
400	powershell.exe
4828	powershell.exe
5076	powershell.exe
1608	powershell.exe
2104	powershell.exe
2256	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 20 IoCs

pid	Process
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
5032	unsecapp.exe
1972	unsecapp.exe
832	unsecapp.exe
1016	unsecapp.exe
3968	unsecapp.exe
2320	unsecapp.exe
1928	unsecapp.exe
4304	unsecapp.exe
4456	unsecapp.exe
3468	unsecapp.exe
3380	unsecapp.exe
3100	unsecapp.exe
3352	unsecapp.exe
4304	unsecapp.exe
2236	unsecapp.exe
2940	unsecapp.exe
3984	unsecapp.exe
2068	unsecapp.exe
3000	unsecapp.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\usocoreps\\dwm.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Desktop\\spoolsv.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Documents and Settings\\backgroundTaskHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Documents and Settings\\backgroundTaskHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\usocoreps\\dwm.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WMIADAP\\unsecapp.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\ProgramData\\Start Menu\\unsecapp.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\SensorDataService\\RuntimeBroker.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\dotnet\\host\\fxr\\backgroundTaskHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Desktop\\spoolsv.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\ProgramData\\Start Menu\\unsecapp.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\Services\\csrss.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WMIADAP\\unsecapp.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService\RuntimeBroker.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\usocoreps\dwm.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\usocoreps\6cb0b6c459d5d3	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\wbem\WMIADAP\unsecapp.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\wbem\WMIADAP\unsecapp.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\SensorDataService\RuntimeBroker.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\SensorDataService\9e8d7a4ca61bd9	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\SensorDataService\RCX7179.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\usocoreps\dwm.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\wbem\WMIADAP\29c1c3cc0f7685	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX740A.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\csrss.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCX7881.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\backgroundTaskHost.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files (x86)\Common Files\Services\csrss.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files (x86)\Common Files\Services\886983d96e3d3e	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files\dotnet\host\fxr\backgroundTaskHost.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files\dotnet\host\fxr\eddb19405b7ce1	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\55b276f4edf653	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\RCX7A85.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4220	schtasks.exe
1968	schtasks.exe
3968	schtasks.exe
400	schtasks.exe
3012	schtasks.exe
4724	schtasks.exe
1784	schtasks.exe
2476	schtasks.exe
4896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
4344	powershell.exe
4344	powershell.exe
4740	powershell.exe
4740	powershell.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
3972	powershell.exe
3972	powershell.exe
5076	powershell.exe
5076	powershell.exe
1608	powershell.exe
1608	powershell.exe
2104	powershell.exe
2104	powershell.exe
3972	powershell.exe
4828	powershell.exe
4828	powershell.exe
4740	powershell.exe
4344	powershell.exe
1608	powershell.exe
2104	powershell.exe
5076	powershell.exe
4828	powershell.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
400	powershell.exe
400	powershell.exe
2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	5032	unsecapp.exe
Token: SeDebugPrivilege	1972	unsecapp.exe
Token: SeDebugPrivilege	832	unsecapp.exe
Token: SeDebugPrivilege	1016	unsecapp.exe
Token: SeDebugPrivilege	3968	unsecapp.exe
Token: SeDebugPrivilege	2320	unsecapp.exe
Token: SeDebugPrivilege	1928	unsecapp.exe
Token: SeDebugPrivilege	4304	unsecapp.exe
Token: SeDebugPrivilege	4456	unsecapp.exe
Token: SeDebugPrivilege	3468	unsecapp.exe
Token: SeDebugPrivilege	3380	unsecapp.exe
Token: SeDebugPrivilege	3100	unsecapp.exe
Token: SeDebugPrivilege	3352	unsecapp.exe
Token: SeDebugPrivilege	4304	unsecapp.exe
Token: SeDebugPrivilege	2236	unsecapp.exe
Token: SeDebugPrivilege	2940	unsecapp.exe
Token: SeDebugPrivilege	3984	unsecapp.exe
Token: SeDebugPrivilege	2068	unsecapp.exe
Token: SeDebugPrivilege	3000	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 4344	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	97
PID 2624 wrote to memory of 4344	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	97
PID 2624 wrote to memory of 4828	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	98
PID 2624 wrote to memory of 4828	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	98
PID 2624 wrote to memory of 4740	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	99
PID 2624 wrote to memory of 4740	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	99
PID 2624 wrote to memory of 5076	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	100
PID 2624 wrote to memory of 5076	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	100
PID 2624 wrote to memory of 3972	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	101
PID 2624 wrote to memory of 3972	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	101
PID 2624 wrote to memory of 1608	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	102
PID 2624 wrote to memory of 1608	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	102
PID 2624 wrote to memory of 2104	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	103
PID 2624 wrote to memory of 2104	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	103
PID 2624 wrote to memory of 2980	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	111
PID 2624 wrote to memory of 2980	2624	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	111
PID 2980 wrote to memory of 2256	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	117
PID 2980 wrote to memory of 2256	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	117
PID 2980 wrote to memory of 3504	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	118
PID 2980 wrote to memory of 3504	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	118
PID 2980 wrote to memory of 400	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	119
PID 2980 wrote to memory of 400	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	119
PID 2980 wrote to memory of 2660	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	120
PID 2980 wrote to memory of 2660	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	120
PID 2980 wrote to memory of 5032	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	125
PID 2980 wrote to memory of 5032	2980	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	125
PID 5032 wrote to memory of 2220	5032	unsecapp.exe	127
PID 5032 wrote to memory of 2220	5032	unsecapp.exe	127
PID 5032 wrote to memory of 4064	5032	unsecapp.exe	128
PID 5032 wrote to memory of 4064	5032	unsecapp.exe	128
PID 2220 wrote to memory of 1972	2220	WScript.exe	130
PID 2220 wrote to memory of 1972	2220	WScript.exe	130
PID 1972 wrote to memory of 892	1972	unsecapp.exe	131
PID 1972 wrote to memory of 892	1972	unsecapp.exe	131
PID 1972 wrote to memory of 1140	1972	unsecapp.exe	132
PID 1972 wrote to memory of 1140	1972	unsecapp.exe	132
PID 892 wrote to memory of 832	892	WScript.exe	133
PID 892 wrote to memory of 832	892	WScript.exe	133
PID 832 wrote to memory of 1088	832	unsecapp.exe	134
PID 832 wrote to memory of 1088	832	unsecapp.exe	134
PID 832 wrote to memory of 4288	832	unsecapp.exe	135
PID 832 wrote to memory of 4288	832	unsecapp.exe	135
PID 1088 wrote to memory of 1016	1088	WScript.exe	138
PID 1088 wrote to memory of 1016	1088	WScript.exe	138
PID 1016 wrote to memory of 2152	1016	unsecapp.exe	139
PID 1016 wrote to memory of 2152	1016	unsecapp.exe	139
PID 1016 wrote to memory of 3068	1016	unsecapp.exe	140
PID 1016 wrote to memory of 3068	1016	unsecapp.exe	140
PID 2152 wrote to memory of 3968	2152	WScript.exe	142
PID 2152 wrote to memory of 3968	2152	WScript.exe	142
PID 3968 wrote to memory of 2600	3968	unsecapp.exe	143
PID 3968 wrote to memory of 2600	3968	unsecapp.exe	143
PID 3968 wrote to memory of 3016	3968	unsecapp.exe	144
PID 3968 wrote to memory of 3016	3968	unsecapp.exe	144
PID 2600 wrote to memory of 2320	2600	WScript.exe	145
PID 2600 wrote to memory of 2320	2600	WScript.exe	145
PID 2320 wrote to memory of 940	2320	unsecapp.exe	146
PID 2320 wrote to memory of 940	2320	unsecapp.exe	146
PID 2320 wrote to memory of 3168	2320	unsecapp.exe	147
PID 2320 wrote to memory of 3168	2320	unsecapp.exe	147
PID 940 wrote to memory of 1928	940	WScript.exe	148
PID 940 wrote to memory of 1928	940	WScript.exe	148
PID 1928 wrote to memory of 2124	1928	unsecapp.exe	149
PID 1928 wrote to memory of 2124	1928	unsecapp.exe	149

System policy modification 1 TTPs 63 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
"C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Start Menu\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SensorDataService\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\fxr\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
  "C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\usocoreps\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\WMIADAP\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Desktop\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
    "C:\Windows\System32\wbem\WMIADAP\unsecapp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0e77d5d-95cc-4a70-98bb-33255a545344.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06068555-fe1e-4283-994d-013a0ba0d5a4.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96b4a11b-a7c8-477d-b0be-3ffef9a1562d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e70f758-49e6-45ae-8e8f-07bf2dc2a766.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc75137-8114-41c0-a01b-bd28b338f304.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13bac3fa-f10e-4f2f-b524-b9d4e1bf3b16.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57c18988-d3b7-4771-9abb-5a74ceceba0b.vbs"
        16⤵
        
        PID:2124
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d623d7c-f080-4d87-aaa0-a1127da257b5.vbs"
        18⤵
        
        PID:32
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74249084-216c-4178-b0b8-98847b5684be.vbs"
        20⤵
        
        PID:4728
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a343dbb-99b9-462a-8e57-c06ebf02d6b3.vbs"
        22⤵
        
        PID:1128
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5955b4c-967e-4069-a86f-acdd40389f44.vbs"
        24⤵
        
        PID:3120
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\721bff4b-6b03-472c-ab4b-9f0c86fa9b15.vbs"
        26⤵
        
        PID:1636
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a0ef69b-ffb6-402c-9536-d13348baba39.vbs"
        28⤵
        
        PID:3616
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7a2fe6a-9864-4dc0-984b-189decdf5adb.vbs"
        30⤵
        
        PID:3744
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8daf9d-02b7-4393-842e-26c5d6bf54db.vbs"
        32⤵
        
        PID:3820
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86328733-3a39-4e9c-a701-718f3ce103db.vbs"
        34⤵
        
        PID:4668
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        35⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0722fb5a-f9ba-4d47-8249-2e7aa0f286a5.vbs"
        36⤵
        
        PID:1012
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        37⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8570f4a9-f337-49bb-b35c-2f9da0689961.vbs"
        38⤵
        
        PID:2976
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        
        C:\Windows\System32\wbem\WMIADAP\unsecapp.exe
        39⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e7273b6-e082-43dc-a3a9-69a8adc6ecc1.vbs"
        40⤵
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2765e7e-e51f-4eb1-b4a6-631461c83251.vbs"
        40⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\817ada7d-206e-4d4c-9f37-37812e0496bd.vbs"
        38⤵
        
        PID:3728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fc9c258-54db-4f8f-b4f1-f518774f73ce.vbs"
        36⤵
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c8754de-5210-48de-842d-c973324c92f3.vbs"
        34⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f828bc1a-ceb7-4f2f-9071-8b0c3d443793.vbs"
        32⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a17ff8e-55e7-4064-80f6-404fd615e606.vbs"
        30⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d792b71e-d057-4387-a5db-80a2de06fce3.vbs"
        28⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b865a374-9416-4da5-ba25-4091e718c6bc.vbs"
        26⤵
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c6e1694-63f2-4729-9352-836bd06f3efb.vbs"
        24⤵
        
        PID:4336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bda8cbf-6a0f-4398-b345-8287b290d18a.vbs"
        22⤵
        
        PID:228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6e601a6-c808-40c2-ab34-7f0959bc603b.vbs"
        20⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da54f09a-c0a1-4816-a0fb-2d1281b4421a.vbs"
        18⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d26bcb4-5744-4e79-821e-761ad921e643.vbs"
        16⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ecd7c35-84d7-4fde-a47d-8b5051b86b15.vbs"
        14⤵
        
        PID:3168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e129a913-73dd-463b-87fe-27f8dc9da325.vbs"
        12⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f843c6c2-0aa5-4768-a4d6-85d4c0a3321f.vbs"
        10⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e6d4c99-fc76-4684-bc6a-e1bcd1939726.vbs"
        8⤵
        
        PID:4288
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cee58d4a-af4f-4bea-b1a6-a98733cd8dad.vbs"
        6⤵
        
        PID:1140
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0215f96b-7570-495a-b506-1c4288727422.vbs"
      4⤵
      PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\SensorDataService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Documents and Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\usocoreps\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIADAP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\host\fxr\backgroundTaskHost.exe

Filesize
1.5MB

MD5
5aeeddc9c33fb19473c2d36a1bf77632

SHA1
78c1f862eb9ba6c6e106f7c289d01358f42f655e

SHA256
dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d

SHA512
3b56c817e7a004d2fdfcbdec57bb1dbbb003bc0ef4c767b26257e9547bcc8894a062351a083648483921216003426a629038008837112d1985e39ff1f8ee20d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0215f96b-7570-495a-b506-1c4288727422.vbs

Filesize
497B

MD5
f7f10c05aeab2eb48f4f4f24d0cb963f

SHA1
bd7bdeb59bfaa3034fd00aa5554f14db707d6b56

SHA256
8bf8a2c6e0c07d1db00819972791cf6b1d9e6c7d3362b8af8cf693d3618ad0b1

SHA512
4d1d375539aada17f260fe337ccc14bdaa90c37419358562bf630fb67caee9a54b0d52f9d2f2d1ee244e40146db9179e6a11a79b764ba35f13eb0d7fa5aa184a

Download Submit
C:\Users\Admin\AppData\Local\Temp\06068555-fe1e-4283-994d-013a0ba0d5a4.vbs

Filesize
721B

MD5
da1e1adb61c51b78388a2a7535b71368

SHA1
6e92373a0977a94398466f81c691fe1cdefe8cb2

SHA256
c326c49b424c124cf1e0b219487996f30671d340b8df0ee67a4eac805f26a184

SHA512
6a60e12e1a16752433a6a8c69fa2131f7082f89b5d70f00faebf00ae7471f0dc08fad6852ff7a9ff3cba5098853c0caffd508cb87167caed65844259bc903128

Download Submit
C:\Users\Admin\AppData\Local\Temp\13bac3fa-f10e-4f2f-b524-b9d4e1bf3b16.vbs

Filesize
721B

MD5
750bac41a3eb431d77e49dc86decc429

SHA1
1f732178c590682a50603f7373d712b4345b9e75

SHA256
fc99fccbeb8c892d704a3f24d767d26f93db2308023564c99fac00dee9423a0d

SHA512
a626d60fbf18b542283353bc251f73e42f76021a03309e95423d20f82e9768000697fb6ac183517f85605b5611a3517485a037b58343b3b4a2d4cef94333a5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e70f758-49e6-45ae-8e8f-07bf2dc2a766.vbs

Filesize
721B

MD5
708fca89f1babff12dea81925d06fd9c

SHA1
e75b066e8a0378e142023f9eb6e606e106f25536

SHA256
527bbd4a8edacc0c5b0034987eeca731ae2b283b2c817313a22ed787f84761e0

SHA512
b8b541373e8dbe0c1a6da8874f38330bbc84d6075c4ddffeee03330b54d8d246d027521a288e53fa0da0334b5bd37956f55616281f8fd36bfcb9595b01820ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\57c18988-d3b7-4771-9abb-5a74ceceba0b.vbs

Filesize
721B

MD5
bc38f0133bac4c3a3d6fb7f656a706a9

SHA1
26ca24221cb35581410f9f1ed5aafed3559a2edb

SHA256
9e7f3117b8dadfbebca4ab78923bd0e91c1b55109889aba97ed07f1b6662ed70

SHA512
80589b7683caa5ab53d93743a00ca2ad5d6f155236070de4d9e72ed75bb6e54cc3051595c55d36afc288c2e8b94c31252fdaac74b66a0267fe63cd12c49d78e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a343dbb-99b9-462a-8e57-c06ebf02d6b3.vbs

Filesize
721B

MD5
c12f2a26cc3ffd5c82a0b4bf1ec26eaf

SHA1
1c8ab32d9e8d971d200c1350aaad0171300cc652

SHA256
d493460b97467056985f96ee184b5eef3aa04cd2acd22f4464cf8cf1a1e776d4

SHA512
fe69043ae39c41dc5e94004c9f492f327f7910b30151e5c80bbe6ddc869a066fcad3c47b17b82282790ab3449618dafd4b078b827a94df0fe7612331a4fb6139

Download Submit
C:\Users\Admin\AppData\Local\Temp\721bff4b-6b03-472c-ab4b-9f0c86fa9b15.vbs

Filesize
721B

MD5
13f5a3bc1cb39ea04c733d793376edf9

SHA1
bcd3ca4f72914f1dec3963a07f464cde956b9ce7

SHA256
a2b14a2b397c9d20b937f617b734dff857545d2f716171dbb501e5a8202b9c26

SHA512
d8e2f9bc762967cd797ec783d0c1d5937e9ef03c67f6fc04095c725f5564ecf30f0df51411d84aba89a00361e22d47b4ae859a11b799db4cb69a2e2168b084f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\74249084-216c-4178-b0b8-98847b5684be.vbs

Filesize
721B

MD5
b7b4a9d2c1cca3d39ccb22b24823cbbc

SHA1
ada4aa3f033501064e304c9d698df27877c85eb3

SHA256
83f9ec339c2b8ff068b08d6b84797dcb384a064e69626e7b4db5fea3698e3df1

SHA512
41be761d9f4ecace1fdef65fad7fecc1225104813e633fa1a01f190b7f6041a17a58db5eb14bddadf6d9a8fa1aa702e1e471ec440a93729417a412f2b498ea90

Download Submit
C:\Users\Admin\AppData\Local\Temp\96b4a11b-a7c8-477d-b0be-3ffef9a1562d.vbs

Filesize
720B

MD5
67e9636aaa4a76a0fbf35d10c56d5142

SHA1
bb34e34cb975a52a92b68d7740b32e9bee4e5a30

SHA256
4368ad9f1f5aeaf51169c92c6d17d082477d234ed24bf8c2e4068799fa266443

SHA512
3d06d84292fe69abe2fce99e08536f46b53a9ad50b5a634c1a10e8842d2377415118eff196cd6b77eb04a7656709157dc5d40ef5a3f6ffae59e692d457fc458d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d623d7c-f080-4d87-aaa0-a1127da257b5.vbs

Filesize
721B

MD5
e87496821a9b74ba7ee28e99587de554

SHA1
f1e85785af6a53679aedbef398df6b4497426dfe

SHA256
eb9c528e63f81fd1e4eb0be1351ca8ffde5e150eaee032ac56d2ec7a9c8a44a9

SHA512
2730479df32fa24098b1ea73d5daeebb58edd235e06184d120b8f448a52d1b1f3107659f5048c080f9de83f5b586f7299c61c5e363373ed7cd54c48b883a6910

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qid41r1l.12w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc75137-8114-41c0-a01b-bd28b338f304.vbs

Filesize
721B

MD5
7711cdf6bfd2b8ad0364975185b1c051

SHA1
13e1dc5fe846edb3964802cd4f90138bc175501e

SHA256
2da314ade69c93575bee9e7e8a47e6cf5eea15d41ebf878d97568c6dfc8cb739

SHA512
6e8521c633e85c56255aaa51d785d0498ee71a560a50f68780f9a9767da0d50e92ecea917d1a730cc782d8951390c5f9e0fe8fd3152ef18464f7f242c411eba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0e77d5d-95cc-4a70-98bb-33255a545344.vbs

Filesize
721B

MD5
bb9673fe08f2dc51cc34ecd46d261b62

SHA1
a7f775f50971e062c8c64bcbb3de861ff67b5bee

SHA256
b4c3c091a9363955b0beff81b2d2151101a52a81628a4b466478ef6829a83381

SHA512
6f6aa69052579c645181674b07a8dcde5aa7526f9caed8ae0297c755b2a0d4a0b2f3eff78927608e7508347bd04bb997d1d858051bc52b1f30fd09346381ad66

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
332B

MD5
8a4c98be8fd7efbc25452256a0022752

SHA1
974725eec85f6723a83715123ab9a7e018415e97

SHA256
1a337884d3d6f050e05541521ff88965bfadec023d61a998a6665404f82f3ed5

SHA512
24ecb1c6252a1a8398ec2dab68e39d7fbece90d009eb9dcf59c7c292fac9e39953c3a90eb0c14a6ce3a1c0c3025688b5a4bd95a96d7112e57e4334c23df72eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5955b4c-967e-4069-a86f-acdd40389f44.vbs

Filesize
721B

MD5
ba08e74f6416c9eda83e3980faf29fe2

SHA1
c4342d52cd07cb8bccc3f0aefb8c993d9124bb33

SHA256
5dd9f388c2f0922a56d87c605d69a1d56b22f1ee068737c6551ef9a34d247da1

SHA512
0145f79844ed052b02f265a69896bb4177531e3018002f2e546ae6d32675838ea212c55cec3107ff7e44b839c2e1fd212e792a739c561679602bc25ef7af0210

Download Submit
memory/400-274-0x000002BE7F5D0000-0x000002BE7F7EC000-memory.dmp

Filesize
2.1MB

Download
memory/832-319-0x000000001C0B0000-0x000000001C1B2000-memory.dmp

Filesize
1.0MB

Download
memory/1016-331-0x000000001B830000-0x000000001B932000-memory.dmp

Filesize
1.0MB

Download
memory/1928-358-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/1928-369-0x000000001BD50000-0x000000001BE52000-memory.dmp

Filesize
1.0MB

Download
memory/1972-307-0x000000001C4C0000-0x000000001C5C2000-memory.dmp

Filesize
1.0MB

Download
memory/2236-448-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

Filesize
72KB

Download
memory/2256-282-0x000001F56D8E0000-0x000001F56DAFC000-memory.dmp

Filesize
2.1MB

Download
memory/2320-356-0x000000001C560000-0x000000001C662000-memory.dmp

Filesize
1.0MB

Download
memory/2624-13-0x000000001BA10000-0x000000001BA1A000-memory.dmp

Filesize
40KB

Download
memory/2624-21-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/2624-3-0x0000000002E80000-0x0000000002E88000-memory.dmp

Filesize
32KB

Download
memory/2624-12-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/2624-5-0x0000000002EC0000-0x0000000002ECC000-memory.dmp

Filesize
48KB

Download
memory/2624-0-0x00007FF81BFF3000-0x00007FF81BFF5000-memory.dmp

Filesize
8KB

Download
memory/2624-24-0x00007FF81BFF0000-0x00007FF81CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-1-0x0000000000C10000-0x0000000000D8E000-memory.dmp

Filesize
1.5MB

Download
memory/2624-2-0x00007FF81BFF0000-0x00007FF81CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-20-0x000000001BB80000-0x000000001BB8C000-memory.dmp

Filesize
48KB

Download
memory/2624-18-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/2624-17-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/2624-16-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/2624-11-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/2624-14-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/2624-4-0x0000000002EA0000-0x0000000002EB2000-memory.dmp

Filesize
72KB

Download
memory/2624-25-0x00007FF81BFF0000-0x00007FF81CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-7-0x000000001B9B0000-0x000000001B9BC000-memory.dmp

Filesize
48KB

Download
memory/2624-15-0x000000001BB40000-0x000000001BB4A000-memory.dmp

Filesize
40KB

Download
memory/2624-6-0x0000000002EB0000-0x0000000002EBA000-memory.dmp

Filesize
40KB

Download
memory/2624-10-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/2624-146-0x00007FF81BFF0000-0x00007FF81CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-8-0x000000001B9C0000-0x000000001B9C8000-memory.dmp

Filesize
32KB

Download
memory/2624-9-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

Filesize
48KB

Download
memory/2660-281-0x000001C1B5FD0000-0x000001C1B61EC000-memory.dmp

Filesize
2.1MB

Download
memory/2940-456-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/2980-160-0x0000000002C80000-0x0000000002C92000-memory.dmp

Filesize
72KB

Download
memory/3000-479-0x0000000002C00000-0x0000000002C12000-memory.dmp

Filesize
72KB

Download
memory/3100-420-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/3352-439-0x000000001BBD0000-0x000000001BCD2000-memory.dmp

Filesize
1.0MB

Download
memory/3380-408-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/3468-406-0x000000001CE90000-0x000000001CF92000-memory.dmp

Filesize
1.0MB

Download
memory/3504-283-0x0000022EECCC0000-0x0000022EECEDC000-memory.dmp

Filesize
2.1MB

Download
memory/3968-344-0x000000001CDB0000-0x000000001CEB2000-memory.dmp

Filesize
1.0MB

Download
memory/3968-333-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download
memory/3984-464-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/4304-381-0x000000001BC90000-0x000000001BD92000-memory.dmp

Filesize
1.0MB

Download
memory/4304-447-0x000000001C770000-0x000000001C872000-memory.dmp

Filesize
1.0MB

Download
memory/4344-89-0x00000247EA1C0000-0x00000247EA1E2000-memory.dmp

Filesize
136KB

Download
memory/4456-394-0x000000001CBD0000-0x000000001CCD2000-memory.dmp

Filesize
1.0MB

Download
memory/4456-383-0x0000000001450000-0x0000000001462000-memory.dmp

Filesize
72KB

Download
memory/5032-294-0x000000001BFE0000-0x000000001C0E2000-memory.dmp

Filesize
1.0MB

Download