dcrat | b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2695e9c3407b633d957cf77bb878f5f2.exe
Size

5.9MB
MD5

2695e9c3407b633d957cf77bb878f5f2
SHA1

ec0caded0b9a4b143a0e6793d21fdf4eccfa8484
SHA256

e4fd314579515e6065e60382d2f266607ba872608bb0c9e29a6fda8b9c702383
SHA512

b3eeb4d3f9744c8a0b8144e1b3253a1ef3644b331bee8900d9cfdb86d019303f3dca08ee3b2e620f6ef6829dd90d1b356a26ac58f016cbec655a35dd6474906f
SSDEEP

98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4l:xyeU11Rvqmu8TWKnF6N/1wg

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3252	schtasks.exe
		3544	schtasks.exe
		4768	schtasks.exe
		3424	schtasks.exe
		5060	schtasks.exe
		4072	schtasks.exe
		4900	schtasks.exe
		5076	schtasks.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d		2695e9c3407b633d957cf77bb878f5f2.exe
		1260	schtasks.exe
		5792	schtasks.exe
		4516	schtasks.exe
		372	schtasks.exe
		1532	schtasks.exe
		4856	schtasks.exe
		4040	schtasks.exe
		5364	schtasks.exe
		536	schtasks.exe
		3784	schtasks.exe
		4036	schtasks.exe
		2272	schtasks.exe
		5044	schtasks.exe
		440	schtasks.exe
		3888	schtasks.exe
		5224	schtasks.exe
		5204	schtasks.exe
		4728	schtasks.exe
		4740	schtasks.exe
		540	schtasks.exe
		392	schtasks.exe
		2756	schtasks.exe
		5080	schtasks.exe
		5588	schtasks.exe
		1440	schtasks.exe
		2520	schtasks.exe
		1816	schtasks.exe
		3868	schtasks.exe
		5008	schtasks.exe
		5208	schtasks.exe
		1992	schtasks.exe
		2176	schtasks.exe
		3624	schtasks.exe
		5272	schtasks.exe
		4816	schtasks.exe
		5856	schtasks.exe
		4044	schtasks.exe
		4784	schtasks.exe
		5580	schtasks.exe
		5024	schtasks.exe
		464	schtasks.exe
		4512	schtasks.exe
		5096	schtasks.exe
		4956	schtasks.exe
		2416	schtasks.exe
		2860	schtasks.exe
		5664	schtasks.exe
		2472	schtasks.exe
		2764	schtasks.exe
		5644	schtasks.exe
		4904	schtasks.exe
		5016	schtasks.exe
		2448	schtasks.exe
		400	schtasks.exe
		4708	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5588	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5272	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4908	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4908	schtasks.exe	87

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
684	powershell.exe
1624	powershell.exe
5264	powershell.exe
6124	powershell.exe
4672	powershell.exe
1284	powershell.exe
4012	powershell.exe
3428	powershell.exe
3140	powershell.exe
5704	powershell.exe
3008	powershell.exe
2068	powershell.exe
2008	powershell.exe
880	powershell.exe
2196	powershell.exe
3800	powershell.exe
2224	powershell.exe
2996	powershell.exe
4236	powershell.exe
3488	powershell.exe
556	powershell.exe
5620	powershell.exe
4616	powershell.exe
4136	powershell.exe
3900	powershell.exe
4476	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2695e9c3407b633d957cf77bb878f5f2.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2695e9c3407b633d957cf77bb878f5f2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2695e9c3407b633d957cf77bb878f5f2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 4 IoCs

pid	Process
3372	2695e9c3407b633d957cf77bb878f5f2.exe
2580	services.exe
5812	services.exe
6080	services.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3372	2695e9c3407b633d957cf77bb878f5f2.exe
3372	2695e9c3407b633d957cf77bb878f5f2.exe
2580	services.exe
2580	services.exe
5812	services.exe
5812	services.exe
6080	services.exe
6080	services.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\edge_BITS_4740_606131490\winlogon.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\edge_BITS_4636_1843666867\886983d96e3d3e	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\c5b4cb5e9653cc	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX7FA9.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\55b276f4edf653	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files\edge_BITS_4648_179994554\RuntimeBroker.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\services.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX844F.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX84CD.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\edge_BITS_4648_179994554\RuntimeBroker.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\edge_BITS_4648_179994554\9e8d7a4ca61bd9	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\Java\jdk-1.8\lib\e1ef82546f0b02	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files\edge_BITS_4740_606131490\winlogon.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files\edge_BITS_4636_1843666867\csrss.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\edge_BITS_4740_606131490\cc11b995f2a76d	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\edge_BITS_4636_1843666867\csrss.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\e1ef82546f0b02	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\services.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX7F2B.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\winlogon.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\9e8d7a4ca61bd9	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe	2695e9c3407b633d957cf77bb878f5f2.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCX86F2.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Windows\de-DE\TextInputHost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\de-DE\TextInputHost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\de-DE\22eafd247d37c3	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Windows\de-DE\RCX86E1.tmp	2695e9c3407b633d957cf77bb878f5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2695e9c3407b633d957cf77bb878f5f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2695e9c3407b633d957cf77bb878f5f2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4900	schtasks.exe
4708	schtasks.exe
4036	schtasks.exe
2176	schtasks.exe
4516	schtasks.exe
536	schtasks.exe
2764	schtasks.exe
5364	schtasks.exe
5048	schtasks.exe
5024	schtasks.exe
3424	schtasks.exe
1004	schtasks.exe
4784	schtasks.exe
1260	schtasks.exe
5108	schtasks.exe
4768	schtasks.exe
3624	schtasks.exe
5008	schtasks.exe
5080	schtasks.exe
5272	schtasks.exe
372	schtasks.exe
4904	schtasks.exe
2416	schtasks.exe
4856	schtasks.exe
440	schtasks.exe
4628	schtasks.exe
4040	schtasks.exe
5204	schtasks.exe
2520	schtasks.exe
2472	schtasks.exe
2860	schtasks.exe
3888	schtasks.exe
464	schtasks.exe
4044	schtasks.exe
3868	schtasks.exe
1220	schtasks.exe
5792	schtasks.exe
4816	schtasks.exe
4580	schtasks.exe
1404	schtasks.exe
5076	schtasks.exe
5580	schtasks.exe
5856	schtasks.exe
1532	schtasks.exe
4792	schtasks.exe
5016	schtasks.exe
5664	schtasks.exe
5224	schtasks.exe
5240	schtasks.exe
1992	schtasks.exe
5588	schtasks.exe
4932	schtasks.exe
4072	schtasks.exe
2756	schtasks.exe
4956	schtasks.exe
4380	schtasks.exe
4880	schtasks.exe
5060	schtasks.exe
5644	schtasks.exe
392	schtasks.exe
4512	schtasks.exe
5028	schtasks.exe
788	schtasks.exe
4728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3760	2695e9c3407b633d957cf77bb878f5f2.exe
3428	powershell.exe
3428	powershell.exe
4012	powershell.exe
4012	powershell.exe
2196	powershell.exe
2196	powershell.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	2695e9c3407b633d957cf77bb878f5f2.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	3372	2695e9c3407b633d957cf77bb878f5f2.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	5620	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	5704	powershell.exe
Token: SeDebugPrivilege	2580	services.exe
Token: SeDebugPrivilege	5812	services.exe
Token: SeDebugPrivilege	6080	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 4672	3760	2695e9c3407b633d957cf77bb878f5f2.exe	118
PID 3760 wrote to memory of 4672	3760	2695e9c3407b633d957cf77bb878f5f2.exe	118
PID 3760 wrote to memory of 3140	3760	2695e9c3407b633d957cf77bb878f5f2.exe	119
PID 3760 wrote to memory of 3140	3760	2695e9c3407b633d957cf77bb878f5f2.exe	119
PID 3760 wrote to memory of 2224	3760	2695e9c3407b633d957cf77bb878f5f2.exe	120
PID 3760 wrote to memory of 2224	3760	2695e9c3407b633d957cf77bb878f5f2.exe	120
PID 3760 wrote to memory of 2008	3760	2695e9c3407b633d957cf77bb878f5f2.exe	122
PID 3760 wrote to memory of 2008	3760	2695e9c3407b633d957cf77bb878f5f2.exe	122
PID 3760 wrote to memory of 3428	3760	2695e9c3407b633d957cf77bb878f5f2.exe	123
PID 3760 wrote to memory of 3428	3760	2695e9c3407b633d957cf77bb878f5f2.exe	123
PID 3760 wrote to memory of 4012	3760	2695e9c3407b633d957cf77bb878f5f2.exe	124
PID 3760 wrote to memory of 4012	3760	2695e9c3407b633d957cf77bb878f5f2.exe	124
PID 3760 wrote to memory of 556	3760	2695e9c3407b633d957cf77bb878f5f2.exe	126
PID 3760 wrote to memory of 556	3760	2695e9c3407b633d957cf77bb878f5f2.exe	126
PID 3760 wrote to memory of 3800	3760	2695e9c3407b633d957cf77bb878f5f2.exe	127
PID 3760 wrote to memory of 3800	3760	2695e9c3407b633d957cf77bb878f5f2.exe	127
PID 3760 wrote to memory of 2196	3760	2695e9c3407b633d957cf77bb878f5f2.exe	128
PID 3760 wrote to memory of 2196	3760	2695e9c3407b633d957cf77bb878f5f2.exe	128
PID 3760 wrote to memory of 1624	3760	2695e9c3407b633d957cf77bb878f5f2.exe	129
PID 3760 wrote to memory of 1624	3760	2695e9c3407b633d957cf77bb878f5f2.exe	129
PID 3760 wrote to memory of 1284	3760	2695e9c3407b633d957cf77bb878f5f2.exe	131
PID 3760 wrote to memory of 1284	3760	2695e9c3407b633d957cf77bb878f5f2.exe	131
PID 3760 wrote to memory of 684	3760	2695e9c3407b633d957cf77bb878f5f2.exe	132
PID 3760 wrote to memory of 684	3760	2695e9c3407b633d957cf77bb878f5f2.exe	132
PID 3760 wrote to memory of 880	3760	2695e9c3407b633d957cf77bb878f5f2.exe	133
PID 3760 wrote to memory of 880	3760	2695e9c3407b633d957cf77bb878f5f2.exe	133
PID 3760 wrote to memory of 3372	3760	2695e9c3407b633d957cf77bb878f5f2.exe	144
PID 3760 wrote to memory of 3372	3760	2695e9c3407b633d957cf77bb878f5f2.exe	144
PID 3372 wrote to memory of 2996	3372	2695e9c3407b633d957cf77bb878f5f2.exe	201
PID 3372 wrote to memory of 2996	3372	2695e9c3407b633d957cf77bb878f5f2.exe	201
PID 3372 wrote to memory of 5620	3372	2695e9c3407b633d957cf77bb878f5f2.exe	202
PID 3372 wrote to memory of 5620	3372	2695e9c3407b633d957cf77bb878f5f2.exe	202
PID 3372 wrote to memory of 4616	3372	2695e9c3407b633d957cf77bb878f5f2.exe	203
PID 3372 wrote to memory of 4616	3372	2695e9c3407b633d957cf77bb878f5f2.exe	203
PID 3372 wrote to memory of 4476	3372	2695e9c3407b633d957cf77bb878f5f2.exe	204
PID 3372 wrote to memory of 4476	3372	2695e9c3407b633d957cf77bb878f5f2.exe	204
PID 3372 wrote to memory of 6124	3372	2695e9c3407b633d957cf77bb878f5f2.exe	205
PID 3372 wrote to memory of 6124	3372	2695e9c3407b633d957cf77bb878f5f2.exe	205
PID 3372 wrote to memory of 2068	3372	2695e9c3407b633d957cf77bb878f5f2.exe	206
PID 3372 wrote to memory of 2068	3372	2695e9c3407b633d957cf77bb878f5f2.exe	206
PID 3372 wrote to memory of 3900	3372	2695e9c3407b633d957cf77bb878f5f2.exe	207
PID 3372 wrote to memory of 3900	3372	2695e9c3407b633d957cf77bb878f5f2.exe	207
PID 3372 wrote to memory of 3488	3372	2695e9c3407b633d957cf77bb878f5f2.exe	209
PID 3372 wrote to memory of 3488	3372	2695e9c3407b633d957cf77bb878f5f2.exe	209
PID 3372 wrote to memory of 4136	3372	2695e9c3407b633d957cf77bb878f5f2.exe	210
PID 3372 wrote to memory of 4136	3372	2695e9c3407b633d957cf77bb878f5f2.exe	210
PID 3372 wrote to memory of 4236	3372	2695e9c3407b633d957cf77bb878f5f2.exe	212
PID 3372 wrote to memory of 4236	3372	2695e9c3407b633d957cf77bb878f5f2.exe	212
PID 3372 wrote to memory of 3008	3372	2695e9c3407b633d957cf77bb878f5f2.exe	214
PID 3372 wrote to memory of 3008	3372	2695e9c3407b633d957cf77bb878f5f2.exe	214
PID 3372 wrote to memory of 5704	3372	2695e9c3407b633d957cf77bb878f5f2.exe	215
PID 3372 wrote to memory of 5704	3372	2695e9c3407b633d957cf77bb878f5f2.exe	215
PID 3372 wrote to memory of 5264	3372	2695e9c3407b633d957cf77bb878f5f2.exe	217
PID 3372 wrote to memory of 5264	3372	2695e9c3407b633d957cf77bb878f5f2.exe	217
PID 3372 wrote to memory of 2580	3372	2695e9c3407b633d957cf77bb878f5f2.exe	227
PID 3372 wrote to memory of 2580	3372	2695e9c3407b633d957cf77bb878f5f2.exe	227
PID 2580 wrote to memory of 1344	2580	services.exe	230
PID 2580 wrote to memory of 1344	2580	services.exe	230
PID 2580 wrote to memory of 1144	2580	services.exe	231
PID 2580 wrote to memory of 1144	2580	services.exe	231
PID 1344 wrote to memory of 5812	1344	WScript.exe	235
PID 1344 wrote to memory of 5812	1344	WScript.exe	235
PID 5812 wrote to memory of 3604	5812	services.exe	237
PID 5812 wrote to memory of 3604	5812	services.exe	237

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe
"C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe"
1⤵
- DcRat
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7330c8a20692d0b35002ea5a/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f170d29a37c9c9775251/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe
  "C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7330c8a20692d0b35002ea5a/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f170d29a37c9c9775251/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5264
- - C:\f170d29a37c9c9775251\services.exe
    "C:\f170d29a37c9c9775251\services.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2580
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a798b60-0ea8-4852-9686-ab113ee3a0ea.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\f170d29a37c9c9775251\services.exe
        
        C:\f170d29a37c9c9775251\services.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5812
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baf5cd74-4111-46dd-a952-ce0c654a4692.vbs"
        6⤵
        
        PID:3604
        
        C:\f170d29a37c9c9775251\services.exe
        
        C:\f170d29a37c9c9775251\services.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255c8545-ef06-40d3-889a-ae63edfa3c72.vbs"
        8⤵
        
        PID:4624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddcf451c-3d4f-40c1-92d0-d18f18cafe39.vbs"
        8⤵
        
        PID:5516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3407bc04-bb04-4783-bd9f-8777ec79763a.vbs"
        6⤵
        
        PID:1952
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\577a4668-11a7-4ef7-a3a1-f8d31ca06466.vbs"
      4⤵
      PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4740_606131490\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4740_606131490\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4740_606131490\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4648_179994554\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4648_179994554\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4648_179994554\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4636_1843666867\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4636_1843666867\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4636_1843666867\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\services.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\SIGNUP\services.exe

Filesize
5.9MB

MD5
497434b28d5bde840fe3498bbbb6ae1a

SHA1
5fad8545624e15304ccffba90dd65a703075e836

SHA256
211aa692338c609af6e251667b61637f4c2001f07306fa11d609dbe4cabbdb80

SHA512
8bdf5092fdd79911a0f138274c1497738d30be68d289af0325c7236497a153fbd5625d94fa1b87d7a0ef26e8962a9f13857539339d302aac13238ca96d789cf2

Download Submit
C:\Program Files (x86)\Windows Mail\winlogon.exe

Filesize
5.9MB

MD5
721611d48415a4294c73f94568f06893

SHA1
82fbed1ca7d72ff6f649b23ca336ad4d83bb8ad6

SHA256
7e8a0086f083f799bac2e6e15a7c5cf9eeb6e7db69099e736a73c6967f4d93c7

SHA512
b48ab34b597a573ad4765811d5f1e232628ff6dbb02517ebfbef2439b597d8915c41965aec2036b27d2050c0668b0946bb45e0468340aac760ca600b1877646c

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
5.9MB

MD5
309c09f82c43d7740b3ad65f251955b4

SHA1
0c804862688247d792067fb8e65c53eb4c690623

SHA256
c6a9f47034352b9218ecab4a1e9ff0fc40a8468edaed32b81a31db807e7c6da7

SHA512
36602f10614edf8bc2266c183f3205d3523ce3e251dbec0008c6bb5030d6968a141b360b6a44d263dce4c380316a7166ee5b470f2e1d9d23c3f1951f592861ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2695e9c3407b633d957cf77bb878f5f2.exe.log

Filesize
1KB

MD5
612072f28dae34eb75a144057666a2ba

SHA1
3b965a3b1b492b77c9cdbc86e04898bdd4eb948c

SHA256
ee0e6893ee76e6e771eea4116de524ce047ccdd04c7d6267a52b4a8e8198db26

SHA512
b0e397c2dac42d19f0864c223d6f2f74149de7d1d6f1e67d5da99695ac9ad1f6019d0ac392852d4c285182f97fec708dc01d0a6e5a8646d06e0da3ab863cd07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94256212310a547ba240e2aa86468177

SHA1
f52a751219868220e86405aba60f0504332444be

SHA256
4ff13717087ef748699f1fd75630e1ff8d92694f4d2079826c7229608639c50a

SHA512
22efada6acfff168e1d60d5fbd9ae9b504a7eb52ae30e4a5b571880e9c8a4ff4dff7fbf453d5c7281e13b5d7ab9b4269f040dc1d58e523edf6de9496b4a0dd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e754ed98102cd85556fd2ac3584d85ed

SHA1
7a6da5015fbcf9a3efcf3fbd90bb8a82e2f75a80

SHA256
dc32f4d41da3f45a99dc55ebb8c4ec13c440e319e810baf77bceb8003305bb0b

SHA512
7ace37b0e28259af85507827a377fb5c5c2299a067b8fa6a2c42f8446a5efdf56a5d5cdf05a004317e619ae0d0fa6eeefe91241c580326ba672eaccc6be7df3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20a742986dabea9462985bda9fd02c43

SHA1
402ef5f2f87e8812023ff74023d6d855cb7c995d

SHA256
f427552a7f765af4d8957dbe8e54fe32cb4f0be3393233eb539c9da9df310803

SHA512
b18ccca02ec0b1ecc8dfcacd346b72799548f67b919cb57d009ee0f21c60a1f1741c63bfb13e9396a3058c59083e5459c00a3481a4e7d9529c4f3ad6b99c2032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f532a56ff7168bf1c954233a1f87b6c

SHA1
379d43d676d92b455f62b4677389e488905a55c6

SHA256
0a23108d89a76df1d5c3b869dc77157c66ea2873346d7d7427fab9c49ec53f07

SHA512
3c07fd3e20ac3b58ca06f1db83a5e0120f6eee5acf69d2456f035975636d3777feaa00289cd84b9397c515def9db0add9c1f2c6b9e168568ccee009f7dc06769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
625c689ea160aa0287791e224e6dddf0

SHA1
daa4f06fbce11392bd6b7d137b938763683c8d55

SHA256
ff05cb1ccb64347598efa189167c7bfd407def795d0124e444f0d31e3ef98e27

SHA512
fe2df4b8a8ad16653f2ec87e9229fc27bfb596c50e490e1d0f71da7f8b535aad08ccb709d691f4f0e8f8e4759e322728ccf8fa179300fb5d74995e0d0ac6a6a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5405317cb25911355558de3d1a3cd64a

SHA1
f4992925f55c096f605e7898fcdc715a3aba3a6f

SHA256
92c6f5c160c6f65f2eb5bac15d46c68f6cb52965ede6468c0b967c7953c3626f

SHA512
a0de4cc464a0067eb94224aae7ef8e9132957a7266584ce09454178c4687280fc4dea4851abdd064a7976afed36a65f6e949251b1ccbd942531416e95c8c938d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
06a899ea1521d6750d791e50003c9e48

SHA1
ecb078418749bb2b9d0214fea0a4b08efeff5588

SHA256
37989f090ce48f07fbd46cf29be066e2d42b6d44450542edd4c227789789c63f

SHA512
8fa19f2858ffcf587da615bbea3606b6bf2902e294eff65142272c8519edc3bbf0d28c91be2407cc86a0d95f08209e8e058087795cd1dcd10938d159441390d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fdf15f7d08f3f7538ae67e5b3e5d23f4

SHA1
953ff0529053ce3a1930b4f5abba2364a8befbfc

SHA256
9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707

SHA512
4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5772860e80a4ad209b363a064b3303d7

SHA1
18da8f9946606bb785740c6f9e24daff3e137d68

SHA256
5e889679e1805fcfacb6971b12ea331d38a58a703f2374fe1eef19f2917d8022

SHA512
207bc482178667f072617c35a84593c0d7e7cbaceed9e93e3365039f043e5f9548f65bf90e51b2dc3735ad0572a90a4271465c653a69498bbb62e472a8d85bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd90cd85444c74cb63b8f3c37e87404c

SHA1
eafdc635289d2dd66007672331b3f16da3ff46a1

SHA256
ceeb9641acebf239d52ec1c2c3add44d208f27cd5f6f73c6c2624d9c39b3ba89

SHA512
d204031c9e31287c4136fb83df2583210a9246f2429229511f4e613d6b9ce5730418cb83442168f9be9e95cfc3142e13cccf6296284036b353e5fabf0dbd3f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8609c12c59293ee67562f5096525f6f

SHA1
7b89311e1e00dec0658daa7749b6560af217435c

SHA256
9e7a84df1f437f21ceba6e519fbbd333f0bd7721e8e4b0bb963652fb9a1163fa

SHA512
ce6838f441c0954739ec5e03af0726d20b892c4415df3c3ee2010bc6c8f6191ac6717d0e3499ce04a03441b1ad43fc7a2df0de34a1ebd67fbd62cfdf48007b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\255c8545-ef06-40d3-889a-ae63edfa3c72.vbs

Filesize
712B

MD5
49c7cb116103c24c9781f1283bbfb266

SHA1
999f312bb1142b1ec09e64138c3e8573c4ef4b78

SHA256
cbb38017dd2c9a8a51a2998849916c35b707de5927bb004f67287a8bbc37d784

SHA512
59a0f0cf53b021effef101b4605888b638f70a8cabc8a389ffb02dade80354a0098307c5990f42e0c349cc532373f6e2c1803af0feebdd3fba3f56f9b55f8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a798b60-0ea8-4852-9686-ab113ee3a0ea.vbs

Filesize
712B

MD5
8d74131b2d1e04606857f9e37ec84c32

SHA1
56e464abb2070e431443a939ec89745f433914ee

SHA256
ec2c771ac862fa225c066ce32638a6b701a8877ca52ebe7d53c4fe52ace9cefb

SHA512
ad006071023e708f99d9aa0c041b8a4437f02727cc79148ad8359a350d44fc950b782626a248a92f4885cfde0b1f6a987568239d7aa3156e027412b06cdcba1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\577a4668-11a7-4ef7-a3a1-f8d31ca06466.vbs

Filesize
488B

MD5
a53cd69083e222ae37eb01cc728d56c0

SHA1
ff40e9b1d0b5779e38878b9aa95ae7ca855d90a3

SHA256
026767038bce1dbbb118d5b36e783535da787eca033b11d9415dc4de9dad8c11

SHA512
e840f81efc40ceb74cb709c11bcbdcd74a19416af5204a50985036372ca7606eec81a7a2baf49bab8a43ec92c4ce3fed650c3aeaba28d97ce02e3f01334151cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zc5rrgua.vt4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\baf5cd74-4111-46dd-a952-ce0c654a4692.vbs

Filesize
712B

MD5
f44a7e6ed2cf312155edae4170ab6f8e

SHA1
93cd1a088de634c3d15121af55545fdae5c366c7

SHA256
b5f4aeb7888215707627542fb4760a57ddfac48712b4c39aba3888cf5b0aa20a

SHA512
2b7f6a78dd501ff04ba9ddeb3356fd864627dc8a3867da1b826c36ef98a1302ca3601b03839a691708f5b7a9456002221e00536491c01823499e024faaa2618d

Download Submit
C:\Users\Default\upfc.exe

Filesize
5.9MB

MD5
2695e9c3407b633d957cf77bb878f5f2

SHA1
ec0caded0b9a4b143a0e6793d21fdf4eccfa8484

SHA256
e4fd314579515e6065e60382d2f266607ba872608bb0c9e29a6fda8b9c702383

SHA512
b3eeb4d3f9744c8a0b8144e1b3253a1ef3644b331bee8900d9cfdb86d019303f3dca08ee3b2e620f6ef6829dd90d1b356a26ac58f016cbec655a35dd6474906f

Download Submit
C:\Users\Default\upfc.exe

Filesize
5.9MB

MD5
2dca56f09c0249eb4308f4c78b154e3c

SHA1
56cf2caac4fcc32bee27e899d20af7ff7935ad7a

SHA256
8e936e64f7ced85fdff6d1e35b4763c63afc00d408ed82391b2dbaaac593e0e7

SHA512
0227e9fc45ddd14bc15531ea4ac0726a736c12d9437657940c2323f5e386792bdf5cfc505a878d83d00ace479efa253e0dbda12f88cc8254511e904a8c18b421

Download Submit
memory/3428-189-0x000001E229200000-0x000001E229222000-memory.dmp

Filesize
136KB

Download
memory/3760-17-0x000000001BB70000-0x000000001BB7A000-memory.dmp

Filesize
40KB

Download
memory/3760-302-0x00007FF9656D0000-0x00007FF966191000-memory.dmp

Filesize
10.8MB

Download
memory/3760-28-0x000000001D510000-0x000000001D518000-memory.dmp

Filesize
32KB

Download
memory/3760-30-0x000000001D530000-0x000000001D53C000-memory.dmp

Filesize
48KB

Download
memory/3760-31-0x000000001D540000-0x000000001D548000-memory.dmp

Filesize
32KB

Download
memory/3760-32-0x000000001D550000-0x000000001D55C000-memory.dmp

Filesize
48KB

Download
memory/3760-36-0x000000001D590000-0x000000001D59E000-memory.dmp

Filesize
56KB

Download
memory/3760-35-0x000000001D580000-0x000000001D588000-memory.dmp

Filesize
32KB

Download
memory/3760-34-0x000000001D570000-0x000000001D57E000-memory.dmp

Filesize
56KB

Download
memory/3760-33-0x000000001D560000-0x000000001D56A000-memory.dmp

Filesize
40KB

Download
memory/3760-37-0x000000001D5A0000-0x000000001D5A8000-memory.dmp

Filesize
32KB

Download
memory/3760-38-0x000000001D7C0000-0x000000001D7CC000-memory.dmp

Filesize
48KB

Download
memory/3760-39-0x000000001D7D0000-0x000000001D7D8000-memory.dmp

Filesize
32KB

Download
memory/3760-40-0x000000001D8E0000-0x000000001D8EA000-memory.dmp

Filesize
40KB

Download
memory/3760-41-0x000000001D7E0000-0x000000001D7EC000-memory.dmp

Filesize
48KB

Download
memory/3760-27-0x000000001D500000-0x000000001D50C000-memory.dmp

Filesize
48KB

Download
memory/3760-26-0x000000001D4F0000-0x000000001D4FC000-memory.dmp

Filesize
48KB

Download
memory/3760-25-0x000000001DAF0000-0x000000001E018000-memory.dmp

Filesize
5.2MB

Download
memory/3760-24-0x000000001D4C0000-0x000000001D4D2000-memory.dmp

Filesize
72KB

Download
memory/3760-171-0x00007FF9656D3000-0x00007FF9656D5000-memory.dmp

Filesize
8KB

Download
memory/3760-22-0x000000001D4B0000-0x000000001D4B8000-memory.dmp

Filesize
32KB

Download
memory/3760-20-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/3760-21-0x000000001D5B0000-0x000000001D5BC000-memory.dmp

Filesize
48KB

Download
memory/3760-29-0x000000001D520000-0x000000001D52C000-memory.dmp

Filesize
48KB

Download
memory/3760-305-0x00007FF9656D0000-0x00007FF966191000-memory.dmp

Filesize
10.8MB

Download
memory/3760-19-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/3760-18-0x000000001BB80000-0x000000001BBD6000-memory.dmp

Filesize
344KB

Download
memory/3760-0-0x00007FF9656D3000-0x00007FF9656D5000-memory.dmp

Filesize
8KB

Download
memory/3760-15-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/3760-16-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/3760-14-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/3760-13-0x000000001BAD0000-0x000000001BAE2000-memory.dmp

Filesize
72KB

Download
memory/3760-12-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/3760-11-0x000000001BAA0000-0x000000001BAB6000-memory.dmp

Filesize
88KB

Download
memory/3760-8-0x000000001BB00000-0x000000001BB50000-memory.dmp

Filesize
320KB

Download
memory/3760-9-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/3760-10-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3760-6-0x000000001BA50000-0x000000001BA58000-memory.dmp

Filesize
32KB

Download
memory/3760-7-0x000000001BA60000-0x000000001BA7C000-memory.dmp

Filesize
112KB

Download
memory/3760-5-0x000000001BA40000-0x000000001BA4E000-memory.dmp

Filesize
56KB

Download
memory/3760-4-0x0000000001660000-0x000000000166E000-memory.dmp

Filesize
56KB

Download
memory/3760-3-0x00007FF9656D0000-0x00007FF966191000-memory.dmp

Filesize
10.8MB

Download
memory/3760-2-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/3760-1-0x0000000000540000-0x0000000000E38000-memory.dmp

Filesize
9.0MB

Download
memory/6080-630-0x000000001DF00000-0x000000001DF12000-memory.dmp

Filesize
72KB

Download