dcrat | f914dd0ae7bfd6e26b2b41ea5fd5e68a3f0bd4f3404811a29a46429b71f8205c

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Size

3.0MB
MD5

97869c1104303d30be81f74ce6fba3b0
SHA1

1a663d0fcaba36ba34007048f9b829ef1306662e
SHA256

f914dd0ae7bfd6e26b2b41ea5fd5e68a3f0bd4f3404811a29a46429b71f8205c
SHA512

058b48d071e67adae13ab783632f3dca73e52f22e9dafaa27a2e073dc55611c3ebb08057798b0586e61b2bcad4bf2b59262ffc7b07410e90bf4140ac89fa814c
SSDEEP

98304:PM0woQggbNhWxU68v4Xi3yAbFwHTE9J/i:N0gOWfackHbFJH

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2636	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2636	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000010000-0x000000000031E000-memory.dmp	dcrat
behavioral1/memory/2248-2-0x000000001B040000-0x000000001B0C0000-memory.dmp	dcrat
behavioral1/files/0x0006000000016c65-35.dat	dcrat
behavioral1/files/0x000a000000019477-138.dat	dcrat
behavioral1/files/0x0007000000016d25-146.dat	dcrat
behavioral1/files/0x00070000000171ee-170.dat	dcrat
behavioral1/files/0x0007000000018b18-185.dat	dcrat
behavioral1/files/0x00050000000197e2-342.dat	dcrat
behavioral1/files/0x00050000000197e2-344.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
856	lsass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCXE03D.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\sppsvc.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Program Files\Uninstall Information\smss.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Program Files\Windows Mail\de-DE\sppsvc.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Program Files\Windows Mail\de-DE\0a1fd5f707cd16	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXDB89.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\ehome\spoolsv.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\Prefetch\ReadyBoot\b75386f1303e64	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\RCXD05D.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXD4A3.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\Speech\RCXE55D.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\ja-JP\RCXE2CD.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\ja-JP\explorer.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\Speech\0a1fd5f707cd16	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\ehome\RCXCB7B.tmp	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\ehome\spoolsv.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\Speech\sppsvc.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\ehome\f3b6ecef712a24	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\c5b4cb5e9653cc	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\Prefetch\ReadyBoot\taskhost.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\ja-JP\explorer.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\ja-JP\7a0fd90576e088	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File created	C:\Windows\Speech\sppsvc.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\taskhost.exe	NEAS.97869c1104303d30be81f74ce6fba3b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe
2868	schtasks.exe
2824	schtasks.exe
1804	schtasks.exe
2080	schtasks.exe
2308	schtasks.exe
1264	schtasks.exe
2256	schtasks.exe
324	schtasks.exe
2392	schtasks.exe
2476	schtasks.exe
2572	schtasks.exe
1284	schtasks.exe
1500	schtasks.exe
2520	schtasks.exe
1828	schtasks.exe
1632	schtasks.exe
1976	schtasks.exe
1996	schtasks.exe
2788	schtasks.exe
2584	schtasks.exe
2692	schtasks.exe
2152	schtasks.exe
1388	schtasks.exe
1664	schtasks.exe
2940	schtasks.exe
1020	schtasks.exe
1964	schtasks.exe
2404	schtasks.exe
588	schtasks.exe
2300	schtasks.exe
852	schtasks.exe
2820	schtasks.exe
2384	schtasks.exe
1064	schtasks.exe
2472	schtasks.exe
1764	schtasks.exe
652	schtasks.exe
1776	schtasks.exe
2928	schtasks.exe
2780	schtasks.exe
952	schtasks.exe
1088	schtasks.exe
2020	schtasks.exe
556	schtasks.exe
1568	schtasks.exe
2420	schtasks.exe
2912	schtasks.exe
2000	schtasks.exe
1472	schtasks.exe
2980	schtasks.exe
1596	schtasks.exe
1372	schtasks.exe
764	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lsass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
856	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	856	lsass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
856	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1884	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	85
PID 2248 wrote to memory of 1884	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	85
PID 2248 wrote to memory of 1884	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	85
PID 2248 wrote to memory of 2304	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	97
PID 2248 wrote to memory of 2304	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	97
PID 2248 wrote to memory of 2304	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	97
PID 2248 wrote to memory of 2872	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	96
PID 2248 wrote to memory of 2872	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	96
PID 2248 wrote to memory of 2872	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	96
PID 2248 wrote to memory of 2932	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	93
PID 2248 wrote to memory of 2932	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	93
PID 2248 wrote to memory of 2932	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	93
PID 2248 wrote to memory of 1800	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	91
PID 2248 wrote to memory of 1800	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	91
PID 2248 wrote to memory of 1800	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	91
PID 2248 wrote to memory of 1528	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	90
PID 2248 wrote to memory of 1528	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	90
PID 2248 wrote to memory of 1528	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	90
PID 2248 wrote to memory of 612	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	89
PID 2248 wrote to memory of 612	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	89
PID 2248 wrote to memory of 612	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	89
PID 2248 wrote to memory of 2436	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	88
PID 2248 wrote to memory of 2436	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	88
PID 2248 wrote to memory of 2436	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	88
PID 2248 wrote to memory of 2984	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	87
PID 2248 wrote to memory of 2984	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	87
PID 2248 wrote to memory of 2984	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	87
PID 2248 wrote to memory of 2176	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	86
PID 2248 wrote to memory of 2176	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	86
PID 2248 wrote to memory of 2176	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	86
PID 2248 wrote to memory of 2096	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	102
PID 2248 wrote to memory of 2096	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	102
PID 2248 wrote to memory of 2096	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	102
PID 2248 wrote to memory of 1704	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	100
PID 2248 wrote to memory of 1704	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	100
PID 2248 wrote to memory of 1704	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	100
PID 2248 wrote to memory of 1780	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	99
PID 2248 wrote to memory of 1780	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	99
PID 2248 wrote to memory of 1780	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	99
PID 2248 wrote to memory of 2136	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	98
PID 2248 wrote to memory of 2136	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	98
PID 2248 wrote to memory of 2136	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	98
PID 2248 wrote to memory of 1572	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	112
PID 2248 wrote to memory of 1572	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	112
PID 2248 wrote to memory of 1572	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	112
PID 2248 wrote to memory of 1648	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	108
PID 2248 wrote to memory of 1648	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	108
PID 2248 wrote to memory of 1648	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	108
PID 2248 wrote to memory of 864	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	103
PID 2248 wrote to memory of 864	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	103
PID 2248 wrote to memory of 864	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	103
PID 2248 wrote to memory of 1264	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	107
PID 2248 wrote to memory of 1264	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	107
PID 2248 wrote to memory of 1264	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	107
PID 2248 wrote to memory of 1580	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	118
PID 2248 wrote to memory of 1580	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	118
PID 2248 wrote to memory of 1580	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	118
PID 2248 wrote to memory of 2028	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	123
PID 2248 wrote to memory of 2028	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	123
PID 2248 wrote to memory of 2028	2248	NEAS.97869c1104303d30be81f74ce6fba3b0.exe	123
PID 2028 wrote to memory of 1280	2028	cmd.exe	125
PID 2028 wrote to memory of 1280	2028	cmd.exe	125
PID 2028 wrote to memory of 1280	2028	cmd.exe	125
PID 2028 wrote to memory of 856	2028	cmd.exe	126

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.97869c1104303d30be81f74ce6fba3b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.97869c1104303d30be81f74ce6fba3b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.97869c1104303d30be81f74ce6fba3b0.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NEAS.97869c1104303d30be81f74ce6fba3b0.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\NEAS.97869c1104303d30be81f74ce6fba3b0.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\taskhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1O57cI28R.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1280
- - C:\Users\All Users\lsass.exe
    "C:\Users\All Users\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae23e5c4-3d96-457f-a451-096851e675c9.vbs"
      4⤵
      PID:2736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96057f0f-83a2-4743-b8e4-0fd74ee3e9cf.vbs"
      4⤵
      PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ehome\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.97869c1104303d30be81f74ce6fba3b0N" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\NEAS.97869c1104303d30be81f74ce6fba3b0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.97869c1104303d30be81f74ce6fba3b0" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\NEAS.97869c1104303d30be81f74ce6fba3b0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.97869c1104303d30be81f74ce6fba3b0N" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\NEAS.97869c1104303d30be81f74ce6fba3b0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Speech\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe

Filesize
3.0MB

MD5
97869c1104303d30be81f74ce6fba3b0

SHA1
1a663d0fcaba36ba34007048f9b829ef1306662e

SHA256
f914dd0ae7bfd6e26b2b41ea5fd5e68a3f0bd4f3404811a29a46429b71f8205c

SHA512
058b48d071e67adae13ab783632f3dca73e52f22e9dafaa27a2e073dc55611c3ebb08057798b0586e61b2bcad4bf2b59262ffc7b07410e90bf4140ac89fa814c

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RCXEA2F.tmp

Filesize
3.0MB

MD5
f1e39626b763f64e951495aeaac921d7

SHA1
9f71e000f59524d4b0296c51e50b63009282c90b

SHA256
a8eb512e38b0f463c2cca0e98372436f32d45e95692af324e3a5d6d215ac379e

SHA512
b56cf3b5faaea2e3a096afe2d72032d3f3542dfc84119013e2c64edd1b9b7d12cdbf4adafb2e826276a09037481375b5f2ce7628fcdcfc7c085fb90e7c3eacb8

Download Submit
C:\Program Files\Uninstall Information\smss.exe

Filesize
3.0MB

MD5
a51fe9ed5e63d743c262370c25d0fae1

SHA1
6a0d27533a4fdcb5640ca465e085232dac40b58d

SHA256
4ef92459fdd94d97a4def5a9a94c2349f505192dc103754ebd3c62b116db87c7

SHA512
bb6a12b283037e94c7bb3e22e70e300184a4b42a74a28176b25c3738dbe45e51fe035bb29fefca487784644483413015852795c018e5c888af654817cf606d9f

Download Submit
C:\ProgramData\lsass.exe

Filesize
3.0MB

MD5
6a1f2982af6d615e8ec90f377c8ae1a9

SHA1
bd861cbf29660514f86c7b57be0d3357fc9a6ec8

SHA256
420f0a1865a7918fd597eb2a7d9e65342d3482de9a98b0f510cdc2e4ecf17c1d

SHA512
fe0229a9821f552b1e9bbc6be5ec817d6008248f0e51d45cf83cda09141719fb747ef842fb2f3052541182441fdd87aecde60341b9bc70b54aa303feb019caab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a6919ea960cc5e86071ed52d6f4460bd

SHA1
6132ac17be407a773ffb467d469a77ca0adb476b

SHA256
519e6105de85236b9eef473e48616cc575151cd79f4081f89f0aa84f263eff3d

SHA512
327b64372eef832f31cbd01e059bebe2650bdbbcad5920af8b9ada092931fff5aaf96687000ba4a24383853fca540b501b04d5f3c4df1bdb790642a1d19508d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\96057f0f-83a2-4743-b8e4-0fd74ee3e9cf.vbs

Filesize
480B

MD5
f85073d16fca77778dba0de573abe308

SHA1
186799535f260960ca36775776911913db045a4b

SHA256
dadd46e0ae57381225ce0d5a8c964453f18b995cb69f39368f9f7e91f46f2d61

SHA512
d40c1c9a8904e6aa848b972571f6d3f7c69cd99a75b0ffdcb9f4a0f38928755098dd28fda8a29da333de4af0f9ecc112327f20a4be8f3490d01f83cd593eaec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6885.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6924.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae23e5c4-3d96-457f-a451-096851e675c9.vbs

Filesize
703B

MD5
b68b15a736096ef0574a7c1c3a73f068

SHA1
9be53905d9b6165ec78f003a49d1c4e4075adf94

SHA256
075088a46da4f4f610ce3052e3578c89459397d1b49a3932cbfa425244491926

SHA512
8fadf7c78403a67faf54e5a359c5f51f9f56ca2cbf27a3f7b2d35e5b6043d4b3d8592fa3a3b455dcc42fd2b526bb1c703335a8548f2e4b7476a9a5901ddd7ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1O57cI28R.bat

Filesize
193B

MD5
fcdd8a810199d7f2bb147c4f6da4a211

SHA1
48a4d8f00564397306b23e6d5516c213130d967f

SHA256
acf287ded3ccd4896ead0959e283a9556641c99cb47739f0f03b1bb6b7b73fd9

SHA512
b9ab3030a2c16432b172d8fd09a1bd5defb553a6fe1e6bc39b5b9e378d94b44e4d6f398874cfc2ac5fb7b547664a1c8e14e5c9183091201078a429df9247a2a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZX6R58WOAC15PL6NE8S.temp

Filesize
7KB

MD5
14b6a5269af0e269b85cd2975314a2e4

SHA1
0c356b07c7a0aa0429f21be0f0a2e1288066aa5c

SHA256
169932036f31259bead978fdfe35c5fd74421f5e3f10553ed010b51752f64ba7

SHA512
2e73150ad5585fc1378b27b38ad4212bb6fffe74036c05f48895fe2fece55708ab33a32493af2a1d135846d0a2ae0a050c21eed98ea288715b638b8cb5a9be66

Download Submit
C:\Users\All Users\lsass.exe

Filesize
3.0MB

MD5
6a1f2982af6d615e8ec90f377c8ae1a9

SHA1
bd861cbf29660514f86c7b57be0d3357fc9a6ec8

SHA256
420f0a1865a7918fd597eb2a7d9e65342d3482de9a98b0f510cdc2e4ecf17c1d

SHA512
fe0229a9821f552b1e9bbc6be5ec817d6008248f0e51d45cf83cda09141719fb747ef842fb2f3052541182441fdd87aecde60341b9bc70b54aa303feb019caab

Download Submit
C:\Users\Public\Pictures\Sample Pictures\RCXDE0A.tmp

Filesize
3.0MB

MD5
3429170c79793c46fe1b413a8d8c5392

SHA1
36f3e4e0de8a085d43444dc8bd4a05715eb2f5d4

SHA256
e3505a7e2f3de8a1cf7d7f05927b79fc99156565cecf3b0754151b4021e37504

SHA512
84ee8a939e0ccda0036548ead1d55d1ab95a323b9cdcdb2140d21c47db3c483105725dd739bacdf11faec463d7cbfd26ef4ba0938c3354851de10be31d5a841c

Download Submit
C:\Windows\Speech\RCXE55D.tmp

Filesize
3.0MB

MD5
8d1c0236a168b350dc193377a15885ff

SHA1
edc1fdd5128e2dead9e8b902c99da827f7c277d5

SHA256
ceb30392abe8e72ffdca10905b122640071db9bd580c42edd759abd2c89c205b

SHA512
8d9069ef1efeca08ba67c6682d5c3768930f677392d72bd203b4d3a465cba1af4d3f8eea40f0ecab957c83d95ee0ba513b0ac6ee7d94a3334b93d08909b3e556

Download Submit
memory/1884-316-0x000007FEEC1F0000-0x000007FEECB8D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-23-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-24-0x000000001B000000-0x000000001B008000-memory.dmp

Filesize
32KB

Download
memory/2248-62-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-68-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-69-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-70-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-71-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-75-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-87-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-109-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-110-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-124-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-125-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-55-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-139-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-140-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-54-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-154-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-155-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-156-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-157-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-164-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-46-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-178-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-179-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-30-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-187-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-208-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-209-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-218-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-25-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/2248-63-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-0-0x0000000000010000-0x000000000031E000-memory.dmp

Filesize
3.1MB

Download
memory/2248-22-0x000000001AFF0000-0x000000001AFFE000-memory.dmp

Filesize
56KB

Download
memory/2248-21-0x000000001AFD0000-0x000000001AFDE000-memory.dmp

Filesize
56KB

Download
memory/2248-20-0x000000001AFC0000-0x000000001AFCA000-memory.dmp

Filesize
40KB

Download
memory/2248-19-0x000000001AFE0000-0x000000001AFE8000-memory.dmp

Filesize
32KB

Download
memory/2248-18-0x000000001AFB0000-0x000000001AFBC000-memory.dmp

Filesize
48KB

Download
memory/2248-17-0x000000001AA60000-0x000000001AA6C000-memory.dmp

Filesize
48KB

Download
memory/2248-16-0x000000001AA50000-0x000000001AA62000-memory.dmp

Filesize
72KB

Download
memory/2248-15-0x000000001AA30000-0x000000001AA3C000-memory.dmp

Filesize
48KB

Download
memory/2248-14-0x000000001AA10000-0x000000001AA18000-memory.dmp

Filesize
32KB

Download
memory/2248-13-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

Filesize
48KB

Download
memory/2248-12-0x000000001AE40000-0x000000001AE96000-memory.dmp

Filesize
344KB

Download
memory/2248-11-0x000000001AA20000-0x000000001AA2A000-memory.dmp

Filesize
40KB

Download
memory/2248-10-0x000000001AA00000-0x000000001AA10000-memory.dmp

Filesize
64KB

Download
memory/2248-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-2-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2248-9-0x000000001AA40000-0x000000001AA52000-memory.dmp

Filesize
72KB

Download
memory/2248-310-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-3-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/2248-4-0x0000000002490000-0x00000000024AC000-memory.dmp

Filesize
112KB

Download
memory/2248-5-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2248-6-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2248-7-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2248-8-0x000000001A9E0000-0x000000001A9E8000-memory.dmp

Filesize
32KB

Download
memory/2932-315-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2932-314-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2932-313-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2932-312-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2932-311-0x000007FEEC1F0000-0x000007FEECB8D000-memory.dmp

Filesize
9.6MB

Download
memory/2932-308-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2932-307-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download