dcrat | 42ba5e635cfc3183a8f9e7979263adcdadba03c0292889d176a65cca430ecf85

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Size

1.4MB
MD5

e0a818f8389202cf1db2d2f8668e7650
SHA1

aac605839f5abed08ba71bf6be46cf4589c87409
SHA256

42ba5e635cfc3183a8f9e7979263adcdadba03c0292889d176a65cca430ecf85
SHA512

20dc01ef7697d9336afae44f6ffcc61c77714daf23c7db932625102d77eaf9869bc5230b054f2e09f78794cef097df2ab7dbab77ee777e06ed7e2fbc224752c2
SSDEEP

24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	648	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	648	schtasks.exe	86

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2680-0-0x0000000000DF0000-0x0000000000F5C000-memory.dmp	dcrat
behavioral2/files/0x0007000000022dfe-35.dat	dcrat
behavioral2/files/0x000b00000001e7ba-107.dat	dcrat
behavioral2/files/0x0009000000022dfa-119.dat	dcrat
behavioral2/files/0x0005000000022612-152.dat	dcrat
behavioral2/files/0x0007000000022e2f-213.dat	dcrat
behavioral2/files/0x0007000000022e2f-408.dat	dcrat
behavioral2/files/0x0007000000022e2f-407.dat	dcrat
behavioral2/memory/5220-411-0x00000000007C0000-0x000000000092C000-memory.dmp	dcrat
behavioral2/files/0x0007000000022e2f-510.dat	dcrat
behavioral2/files/0x000e000000022e3e-516.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
5220	RuntimeBroker.exe
5664	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\services.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\cc11b995f2a76d	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXF540.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX18AE.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX50A6.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX5385.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX1B8D.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\winlogon.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\winlogon.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXF520.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files\Windows Mail\RCX2352.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files\Windows Mail\RCX2622.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\Time Zone\Registry.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Windows\Globalization\Time Zone\Registry.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Windows\Globalization\Time Zone\ee2ad38f3d4382	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File created	C:\Windows\OCR\en-us\services.exe	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Windows\Globalization\Time Zone\RCX62B.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
File opened for modification	C:\Windows\Globalization\Time Zone\RCXAC0.tmp	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
932	schtasks.exe
540	schtasks.exe
2396	schtasks.exe
368	schtasks.exe
2984	schtasks.exe
3800	schtasks.exe
348	schtasks.exe
4896	schtasks.exe
1340	schtasks.exe
4916	schtasks.exe
2580	schtasks.exe
3272	schtasks.exe
3936	schtasks.exe
1300	schtasks.exe
2392	schtasks.exe
1212	schtasks.exe
4504	schtasks.exe
2284	schtasks.exe
2460	schtasks.exe
3128	schtasks.exe
3180	schtasks.exe
3024	schtasks.exe
4428	schtasks.exe
1788	schtasks.exe
4904	schtasks.exe
3412	schtasks.exe
4436	schtasks.exe
3132	schtasks.exe
2352	schtasks.exe
1164	schtasks.exe
2512	schtasks.exe
3944	schtasks.exe
2700	schtasks.exe
3816	schtasks.exe
4456	schtasks.exe
2676	schtasks.exe
2032	schtasks.exe
3356	schtasks.exe
2636	schtasks.exe
5096	schtasks.exe
4516	schtasks.exe
4044	schtasks.exe
3676	schtasks.exe
2088	schtasks.exe
3832	schtasks.exe
772	schtasks.exe
1116	schtasks.exe
2144	schtasks.exe
4560	schtasks.exe
116	schtasks.exe
4880	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	5220	RuntimeBroker.exe
Token: SeDebugPrivilege	5664	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3268	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	147
PID 2680 wrote to memory of 3268	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	147
PID 2680 wrote to memory of 2756	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	148
PID 2680 wrote to memory of 2756	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	148
PID 2680 wrote to memory of 3744	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	149
PID 2680 wrote to memory of 3744	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	149
PID 2680 wrote to memory of 1620	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	169
PID 2680 wrote to memory of 1620	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	169
PID 2680 wrote to memory of 4288	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	168
PID 2680 wrote to memory of 4288	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	168
PID 2680 wrote to memory of 2284	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	167
PID 2680 wrote to memory of 2284	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	167
PID 2680 wrote to memory of 3472	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	166
PID 2680 wrote to memory of 3472	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	166
PID 2680 wrote to memory of 2316	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	165
PID 2680 wrote to memory of 2316	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	165
PID 2680 wrote to memory of 4484	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	164
PID 2680 wrote to memory of 4484	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	164
PID 2680 wrote to memory of 3944	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	163
PID 2680 wrote to memory of 3944	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	163
PID 2680 wrote to memory of 4872	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	162
PID 2680 wrote to memory of 4872	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	162
PID 2680 wrote to memory of 3020	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	161
PID 2680 wrote to memory of 3020	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	161
PID 2680 wrote to memory of 5220	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	171
PID 2680 wrote to memory of 5220	2680	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe	171
PID 5220 wrote to memory of 4680	5220	RuntimeBroker.exe	174
PID 5220 wrote to memory of 4680	5220	RuntimeBroker.exe	174
PID 5220 wrote to memory of 5248	5220	RuntimeBroker.exe	175
PID 5220 wrote to memory of 5248	5220	RuntimeBroker.exe	175
PID 4680 wrote to memory of 5664	4680	WScript.exe	185
PID 4680 wrote to memory of 5664	4680	WScript.exe	185
PID 5664 wrote to memory of 5604	5664	RuntimeBroker.exe	186
PID 5664 wrote to memory of 5604	5664	RuntimeBroker.exe	186
PID 5664 wrote to memory of 1992	5664	RuntimeBroker.exe	187
PID 5664 wrote to memory of 1992	5664	RuntimeBroker.exe	187

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.e0a818f8389202cf1db2d2f8668e7650.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e0a818f8389202cf1db2d2f8668e7650.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Recovery\WindowsRE\RuntimeBroker.exe
  "C:\Recovery\WindowsRE\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230f40c3-379d-42fb-9fa9-597b412911c2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Recovery\WindowsRE\RuntimeBroker.exe
      C:\Recovery\WindowsRE\RuntimeBroker.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84f420b2-065a-4def-8ce3-68c854eeecb9.vbs"
        5⤵
        
        PID:5604
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7076df1-dc6e-46d9-ae80-2139db6518bf.vbs"
        5⤵
        
        PID:1992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e9e5c6-052c-43eb-bcb7-be3f6c137486.vbs"
    3⤵
    PID:5248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Time Zone\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Time Zone\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\winlogon.exe

Filesize
1.4MB

MD5
e0a818f8389202cf1db2d2f8668e7650

SHA1
aac605839f5abed08ba71bf6be46cf4589c87409

SHA256
42ba5e635cfc3183a8f9e7979263adcdadba03c0292889d176a65cca430ecf85

SHA512
20dc01ef7697d9336afae44f6ffcc61c77714daf23c7db932625102d77eaf9869bc5230b054f2e09f78794cef097df2ab7dbab77ee777e06ed7e2fbc224752c2

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.4MB

MD5
f1dcc7576db3155dd7bf6700ebd90161

SHA1
1f2cfb72ee2f15718a7c8e490c97803fd344cf4b

SHA256
eabd260ba0ed0a46578b67deea8384e29cd13a31158bf0c4976e434c9ee2ef06

SHA512
cf1682a3e8d6bb5864f331cbf15aeb3e704b3e26fc203b0ad561a73c2ed84ce616cdb3e0496ec370b29210e45adce9a3dd8d46d6f0655890be27e9fbffef38e4

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.4MB

MD5
f1dcc7576db3155dd7bf6700ebd90161

SHA1
1f2cfb72ee2f15718a7c8e490c97803fd344cf4b

SHA256
eabd260ba0ed0a46578b67deea8384e29cd13a31158bf0c4976e434c9ee2ef06

SHA512
cf1682a3e8d6bb5864f331cbf15aeb3e704b3e26fc203b0ad561a73c2ed84ce616cdb3e0496ec370b29210e45adce9a3dd8d46d6f0655890be27e9fbffef38e4

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.4MB

MD5
f1dcc7576db3155dd7bf6700ebd90161

SHA1
1f2cfb72ee2f15718a7c8e490c97803fd344cf4b

SHA256
eabd260ba0ed0a46578b67deea8384e29cd13a31158bf0c4976e434c9ee2ef06

SHA512
cf1682a3e8d6bb5864f331cbf15aeb3e704b3e26fc203b0ad561a73c2ed84ce616cdb3e0496ec370b29210e45adce9a3dd8d46d6f0655890be27e9fbffef38e4

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.4MB

MD5
f1dcc7576db3155dd7bf6700ebd90161

SHA1
1f2cfb72ee2f15718a7c8e490c97803fd344cf4b

SHA256
eabd260ba0ed0a46578b67deea8384e29cd13a31158bf0c4976e434c9ee2ef06

SHA512
cf1682a3e8d6bb5864f331cbf15aeb3e704b3e26fc203b0ad561a73c2ed84ce616cdb3e0496ec370b29210e45adce9a3dd8d46d6f0655890be27e9fbffef38e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
9b0256da3bf9a5303141361b3da59823

SHA1
d73f34951777136c444eb2c98394f62912ebcdac

SHA256
96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

SHA512
9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
332d0c3ffdd78f8f4f5d09f208c46be1

SHA1
3853d006b0e29c23df4dc09d6b03c6e96f152fab

SHA256
e8073036a4ddaee92c5b14fbcfaaaa14d0163692d2f53b8fc6549911c1b6d763

SHA512
4518b2cafeb5f63775b708de508f7d330b436088256645642be5ce713c6099fa2e9684e42656aac41366d98fc3a9fb08a587f4dff4c51259111789c504b4a59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1b6092a05634abdfce9c7d9f7923327

SHA1
c44dbf1f15b196e236181572d7305b17d05972c6

SHA256
a0917ce76bde1dc92950380eb01692aacc0f3dfc2982eaf2bdd31c317a7bcad1

SHA512
a24c71158124ca030fd8e4e96f44fc97614d588f3684fd62b786d993028bbfa73d142ef223aeca41b6ba9854fc481d09fbb493d9ed3af8bec91929cbde888bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1b6092a05634abdfce9c7d9f7923327

SHA1
c44dbf1f15b196e236181572d7305b17d05972c6

SHA256
a0917ce76bde1dc92950380eb01692aacc0f3dfc2982eaf2bdd31c317a7bcad1

SHA512
a24c71158124ca030fd8e4e96f44fc97614d588f3684fd62b786d993028bbfa73d142ef223aeca41b6ba9854fc481d09fbb493d9ed3af8bec91929cbde888bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1b6092a05634abdfce9c7d9f7923327

SHA1
c44dbf1f15b196e236181572d7305b17d05972c6

SHA256
a0917ce76bde1dc92950380eb01692aacc0f3dfc2982eaf2bdd31c317a7bcad1

SHA512
a24c71158124ca030fd8e4e96f44fc97614d588f3684fd62b786d993028bbfa73d142ef223aeca41b6ba9854fc481d09fbb493d9ed3af8bec91929cbde888bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1b6092a05634abdfce9c7d9f7923327

SHA1
c44dbf1f15b196e236181572d7305b17d05972c6

SHA256
a0917ce76bde1dc92950380eb01692aacc0f3dfc2982eaf2bdd31c317a7bcad1

SHA512
a24c71158124ca030fd8e4e96f44fc97614d588f3684fd62b786d993028bbfa73d142ef223aeca41b6ba9854fc481d09fbb493d9ed3af8bec91929cbde888bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1b6092a05634abdfce9c7d9f7923327

SHA1
c44dbf1f15b196e236181572d7305b17d05972c6

SHA256
a0917ce76bde1dc92950380eb01692aacc0f3dfc2982eaf2bdd31c317a7bcad1

SHA512
a24c71158124ca030fd8e4e96f44fc97614d588f3684fd62b786d993028bbfa73d142ef223aeca41b6ba9854fc481d09fbb493d9ed3af8bec91929cbde888bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\230f40c3-379d-42fb-9fa9-597b412911c2.vbs

Filesize
715B

MD5
86f877733f2db102053da6807897ada9

SHA1
1f407c9cdddfa86384709f483607ea78a5015411

SHA256
11bf2891481d8d48259a5c140c02675765089ee5814ffd71347148089b4ae03d

SHA512
fb9b330b48e1225cb3737e29963101867b9999e7da16566861e8a734e0d16eefd3c3a373ed5e956ddc7be5387029b27a08f2d10a88f60d186a6453d6c6827164

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e9e5c6-052c-43eb-bcb7-be3f6c137486.vbs

Filesize
491B

MD5
e6817218a17fe7752fe4194e778ad045

SHA1
038e25d1801f04b37e2ca3bbd3741f5aff286f4d

SHA256
96e2a85bd6f9cd70f976e2be22eb35f7671821ef7487940d2869f7cf42c6bc91

SHA512
68f844a139e530be29c55f49d292045be98a27377411b1d3eeca823968ac50461701622141cf5c2823f854ab987154004dbd879fa4be44c193d3c9b65ffa2890

Download Submit
C:\Users\Admin\AppData\Local\Temp\84f420b2-065a-4def-8ce3-68c854eeecb9.vbs

Filesize
715B

MD5
869c5edf15398661fcb5608f351512a2

SHA1
e6b66ac46164aca64adebd3b997c299178e4d25b

SHA256
5ccfd02df2822ae07026e0429a17215ef13ba56da1d0fbb07543dad173b32fe8

SHA512
eeb1ba2947e3b26f2e8735957d71b32d14bff6c7fc4f2b1878aa2e13973195a253d374f8e732f078f401d8daf903fe35ebf0308cdfbf027259d738236f0bc7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sd2hghtc.0kq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c88b212018e3d354cfac96b9cde4cd80ce2bf2dc.exe

Filesize
1.4MB

MD5
f1dcc7576db3155dd7bf6700ebd90161

SHA1
1f2cfb72ee2f15718a7c8e490c97803fd344cf4b

SHA256
eabd260ba0ed0a46578b67deea8384e29cd13a31158bf0c4976e434c9ee2ef06

SHA512
cf1682a3e8d6bb5864f331cbf15aeb3e704b3e26fc203b0ad561a73c2ed84ce616cdb3e0496ec370b29210e45adce9a3dd8d46d6f0655890be27e9fbffef38e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7076df1-dc6e-46d9-ae80-2139db6518bf.vbs

Filesize
491B

MD5
e6817218a17fe7752fe4194e778ad045

SHA1
038e25d1801f04b37e2ca3bbd3741f5aff286f4d

SHA256
96e2a85bd6f9cd70f976e2be22eb35f7671821ef7487940d2869f7cf42c6bc91

SHA512
68f844a139e530be29c55f49d292045be98a27377411b1d3eeca823968ac50461701622141cf5c2823f854ab987154004dbd879fa4be44c193d3c9b65ffa2890

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7076df1-dc6e-46d9-ae80-2139db6518bf.vbs

Filesize
491B

MD5
e6817218a17fe7752fe4194e778ad045

SHA1
038e25d1801f04b37e2ca3bbd3741f5aff286f4d

SHA256
96e2a85bd6f9cd70f976e2be22eb35f7671821ef7487940d2869f7cf42c6bc91

SHA512
68f844a139e530be29c55f49d292045be98a27377411b1d3eeca823968ac50461701622141cf5c2823f854ab987154004dbd879fa4be44c193d3c9b65ffa2890

Download Submit
C:\Users\Admin\Favorites\Links\fontdrvhost.exe

Filesize
1.4MB

MD5
14e967bfea2fc92bf8fd0985591fc44b

SHA1
b6275e17056f20f9acdc9aa6028483cb72ac2310

SHA256
e9ba5099828d4697b81fc04ed25d709b192cc478ed294167eaadf388b3e59f1a

SHA512
f2979ddfd0169d8edaad052dbb61474cbeef7fda281035366d817e2775da9de8e7fb6cef56f1c0877ecd828bff8df827de35b49dff304b4676f1585e9ba50aad

Download Submit
C:\Users\Default\smss.exe

Filesize
1.4MB

MD5
42893ec97f03b81a51f307c92d8acfb3

SHA1
499e4cc298c03bbe22785ae63f2f4db4ada25b99

SHA256
bfe8d5da17190d09df173f60985a4b7cd1b0baa4a61a2336b3db05019fa7779d

SHA512
db411ed0c0eb82db5bbbb7431d25045495857f0b575be87bc08399545d66133cb46f03e5046fd6f3f05e734e3c6a4fefe52f57a98b171a51dbf9c93cc3a1988d

Download Submit
C:\Windows\Globalization\Time Zone\Registry.exe

Filesize
1.4MB

MD5
07817d6ecfea3274af587cede9641438

SHA1
797444f666885f64a8ebc40b73c2395e37b74ba2

SHA256
9cc363cd9454283203bfdcc23534ac13b1857d200824fdedb2d9adcd556eab53

SHA512
dab7b2095261f5759b8e675103a12cb28dfe5e50954c6a032ef077efe622f440f019d9cff0832c206a211253caa9535f6094e1f9d26852f870754306ac9dd66a

Download Submit
memory/1620-304-0x0000021B66CA0000-0x0000021B66CC2000-memory.dmp

Filesize
136KB

Download
memory/1620-381-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/1620-410-0x0000021B7EEB0000-0x0000021B7EEC0000-memory.dmp

Filesize
64KB

Download
memory/2284-430-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/2284-432-0x0000017FEB710000-0x0000017FEB720000-memory.dmp

Filesize
64KB

Download
memory/2284-431-0x0000017FEB710000-0x0000017FEB720000-memory.dmp

Filesize
64KB

Download
memory/2316-428-0x000002A266FE0000-0x000002A266FF0000-memory.dmp

Filesize
64KB

Download
memory/2316-427-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/2680-18-0x000000001C2F0000-0x000000001C2FE000-memory.dmp

Filesize
56KB

Download
memory/2680-19-0x000000001C300000-0x000000001C308000-memory.dmp

Filesize
32KB

Download
memory/2680-105-0x000000001CF10000-0x000000001D010000-memory.dmp

Filesize
1024KB

Download
memory/2680-100-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-175-0x000000001CF10000-0x000000001D010000-memory.dmp

Filesize
1024KB

Download
memory/2680-188-0x000000001CF10000-0x000000001D010000-memory.dmp

Filesize
1024KB

Download
memory/2680-87-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-79-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-71-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-64-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-62-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-61-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/2680-28-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-25-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/2680-24-0x000000001C280000-0x000000001C28A000-memory.dmp

Filesize
40KB

Download
memory/2680-23-0x00000000031C0000-0x00000000031C8000-memory.dmp

Filesize
32KB

Download
memory/2680-22-0x00000000031B0000-0x00000000031BC000-memory.dmp

Filesize
48KB

Download
memory/2680-21-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-20-0x000000001C310000-0x000000001C31E000-memory.dmp

Filesize
56KB

Download
memory/2680-113-0x000000001CF10000-0x000000001D010000-memory.dmp

Filesize
1024KB

Download
memory/2680-412-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/2680-17-0x000000001C2E0000-0x000000001C2EA000-memory.dmp

Filesize
40KB

Download
memory/2680-16-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/2680-15-0x00000000031A0000-0x00000000031AC000-memory.dmp

Filesize
48KB

Download
memory/2680-14-0x0000000003190000-0x0000000003198000-memory.dmp

Filesize
32KB

Download
memory/2680-13-0x000000001C170000-0x000000001C17C000-memory.dmp

Filesize
48KB

Download
memory/2680-12-0x000000001C160000-0x000000001C16C000-memory.dmp

Filesize
48KB

Download
memory/2680-11-0x000000001C150000-0x000000001C15A000-memory.dmp

Filesize
40KB

Download
memory/2680-10-0x000000001C0F0000-0x000000001C100000-memory.dmp

Filesize
64KB

Download
memory/2680-9-0x000000001C0D0000-0x000000001C0E6000-memory.dmp

Filesize
88KB

Download
memory/2680-6-0x000000001C100000-0x000000001C150000-memory.dmp

Filesize
320KB

Download
memory/2680-8-0x000000001C0C0000-0x000000001C0D0000-memory.dmp

Filesize
64KB

Download
memory/2680-7-0x000000001C0B0000-0x000000001C0B8000-memory.dmp

Filesize
32KB

Download
memory/2680-5-0x0000000003150000-0x000000000316C000-memory.dmp

Filesize
112KB

Download
memory/2680-0-0x0000000000DF0000-0x0000000000F5C000-memory.dmp

Filesize
1.4MB

Download
memory/2680-4-0x0000000003140000-0x0000000003148000-memory.dmp

Filesize
32KB

Download
memory/2680-3-0x0000000001730000-0x000000000173E000-memory.dmp

Filesize
56KB

Download
memory/2680-2-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2680-1-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/2756-437-0x0000013D5E4B0000-0x0000013D5E4C0000-memory.dmp

Filesize
64KB

Download
memory/2756-436-0x0000013D5E4B0000-0x0000013D5E4C0000-memory.dmp

Filesize
64KB

Download
memory/2756-434-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/3020-295-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/3020-297-0x000002454FB00000-0x000002454FB10000-memory.dmp

Filesize
64KB

Download
memory/3472-438-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/3744-406-0x000001C1DC190000-0x000001C1DC1A0000-memory.dmp

Filesize
64KB

Download
memory/3744-324-0x000001C1DC190000-0x000001C1DC1A0000-memory.dmp

Filesize
64KB

Download
memory/3744-314-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/4288-298-0x000001D46E660000-0x000001D46E670000-memory.dmp

Filesize
64KB

Download
memory/4288-294-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/4288-296-0x000001D46E660000-0x000001D46E670000-memory.dmp

Filesize
64KB

Download
memory/4484-417-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/4484-429-0x00000258EF250000-0x00000258EF260000-memory.dmp

Filesize
64KB

Download
memory/4872-433-0x00007FFD414B0000-0x00007FFD41F71000-memory.dmp

Filesize
10.8MB

Download
memory/4872-435-0x0000022E4A7A0000-0x0000022E4A7B0000-memory.dmp

Filesize
64KB

Download
memory/5220-411-0x00000000007C0000-0x000000000092C000-memory.dmp

Filesize
1.4MB

Download