dcrat | 202edcaf68d27322eff4469dcbc0a48888fe449d28e6a0aad97b4be8b62fd9d2

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Size

1.1MB
MD5

6d8873c8ba23b5fca6972375bf9209c0
SHA1

9fb4e593cee2cb3aa051f6dfcea2495318c71ee6
SHA256

202edcaf68d27322eff4469dcbc0a48888fe449d28e6a0aad97b4be8b62fd9d2
SHA512

c31cfbd587ed69cec0f5046f94b3ad4e75a4ad767f9d6caf77a81507a500aeb6094788e9b49ef3e082c90aebdb207451b19d2e629222ac0f4f12445c0bc195b1
SSDEEP

12288:0l+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:pyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2744	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2376-0-0x0000000001080000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/files/0x00060000000167f7-17.dat	dcrat
behavioral1/files/0x000c000000016fe3-132.dat	dcrat
behavioral1/files/0x0008000000016ca4-143.dat	dcrat
behavioral1/files/0x0008000000016ce0-154.dat	dcrat
behavioral1/files/0x000b000000016d01-227.dat	dcrat
behavioral1/files/0x000a000000017565-259.dat	dcrat
behavioral1/files/0x000700000001605c-369.dat	dcrat
behavioral1/files/0x000700000001605c-368.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2232	dllhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\09a1b9aa9d096e	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX7182.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\MSBuild\RCX7627.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\Windows Sidebar\csrss.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\RCX58EC.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\MSBuild\spoolsv.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\MSBuild\spoolsv.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX7181.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\MSBuild\f3b6ecef712a24	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\7-Zip\Lang\Idle.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCX5F28.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX8230.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6391.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Uninstall Information\Idle.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\5940a34987c991	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\RCX58EB.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6390.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\7-Zip\Lang\6ccacd8608530f	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX81C2.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Idle.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Program Files\Windows Sidebar\886983d96e3d3e	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCX5F68.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\Windows Sidebar\csrss.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Program Files\MSBuild\RCX7626.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\lsass.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File created	C:\Windows\LiveKernelReports\6203df4a6bafc7	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX5B00.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX5B01.tmp	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
File opened for modification	C:\Windows\LiveKernelReports\lsass.exe	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
804	schtasks.exe
2148	schtasks.exe
2504	schtasks.exe
896	schtasks.exe
1524	schtasks.exe
960	schtasks.exe
2584	schtasks.exe
2516	schtasks.exe
592	schtasks.exe
1436	schtasks.exe
532	schtasks.exe
1244	schtasks.exe
2104	schtasks.exe
1496	schtasks.exe
560	schtasks.exe
2700	schtasks.exe
2640	schtasks.exe
2216	schtasks.exe
2336	schtasks.exe
2468	schtasks.exe
548	schtasks.exe
2860	schtasks.exe
632	schtasks.exe
2000	schtasks.exe
2852	schtasks.exe
1056	schtasks.exe
2864	schtasks.exe
1316	schtasks.exe
1480	schtasks.exe
2460	schtasks.exe
2912	schtasks.exe
2368	schtasks.exe
1568	schtasks.exe
2440	schtasks.exe
2172	schtasks.exe
2900	schtasks.exe
1904	schtasks.exe
1792	schtasks.exe
2476	schtasks.exe
3040	schtasks.exe
3020	schtasks.exe
1956	schtasks.exe
1516	schtasks.exe
992	schtasks.exe
2532	schtasks.exe
1292	schtasks.exe
908	schtasks.exe
1120	schtasks.exe
2600	schtasks.exe
812	schtasks.exe
1992	schtasks.exe
2340	schtasks.exe
892	schtasks.exe
2736	schtasks.exe
284	schtasks.exe
864	schtasks.exe
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
1264	powershell.exe
2440	powershell.exe
2296	powershell.exe
1528	powershell.exe
2228	powershell.exe
2148	powershell.exe
2716	powershell.exe
2852	powershell.exe
1644	powershell.exe
2788	powershell.exe
2232	dllhost.exe
812	powershell.exe
2312	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2232	dllhost.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2852	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	86
PID 2376 wrote to memory of 2852	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	86
PID 2376 wrote to memory of 2852	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	86
PID 2376 wrote to memory of 2228	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	89
PID 2376 wrote to memory of 2228	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	89
PID 2376 wrote to memory of 2228	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	89
PID 2376 wrote to memory of 1644	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	88
PID 2376 wrote to memory of 1644	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	88
PID 2376 wrote to memory of 1644	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	88
PID 2376 wrote to memory of 2788	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	90
PID 2376 wrote to memory of 2788	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	90
PID 2376 wrote to memory of 2788	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	90
PID 2376 wrote to memory of 2716	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	91
PID 2376 wrote to memory of 2716	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	91
PID 2376 wrote to memory of 2716	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	91
PID 2376 wrote to memory of 812	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	92
PID 2376 wrote to memory of 812	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	92
PID 2376 wrote to memory of 812	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	92
PID 2376 wrote to memory of 2296	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	93
PID 2376 wrote to memory of 2296	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	93
PID 2376 wrote to memory of 2296	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	93
PID 2376 wrote to memory of 2312	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	94
PID 2376 wrote to memory of 2312	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	94
PID 2376 wrote to memory of 2312	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	94
PID 2376 wrote to memory of 2148	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	95
PID 2376 wrote to memory of 2148	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	95
PID 2376 wrote to memory of 2148	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	95
PID 2376 wrote to memory of 1264	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	96
PID 2376 wrote to memory of 1264	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	96
PID 2376 wrote to memory of 1264	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	96
PID 2376 wrote to memory of 1528	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	97
PID 2376 wrote to memory of 1528	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	97
PID 2376 wrote to memory of 1528	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	97
PID 2376 wrote to memory of 2440	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	98
PID 2376 wrote to memory of 2440	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	98
PID 2376 wrote to memory of 2440	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	98
PID 2376 wrote to memory of 2104	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	110
PID 2376 wrote to memory of 2104	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	110
PID 2376 wrote to memory of 2104	2376	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe	110
PID 2104 wrote to memory of 1440	2104	cmd.exe	112
PID 2104 wrote to memory of 1440	2104	cmd.exe	112
PID 2104 wrote to memory of 1440	2104	cmd.exe	112
PID 2104 wrote to memory of 2232	2104	cmd.exe	113
PID 2104 wrote to memory of 2232	2104	cmd.exe	113
PID 2104 wrote to memory of 2232	2104	cmd.exe	113

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lY2uCtHdrf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1440
- - C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe
    "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0N" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0N" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\LocalLow\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0N" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0" /sc ONLOGON /tr "'C:\Users\Admin\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0N" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0N" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0" /sc ONLOGON /tr "'C:\MSOCache\All Users\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.6d8873c8ba23b5fca6972375bf9209c0N" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\NEAS.6d8873c8ba23b5fca6972375bf9209c0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe

Filesize
1.1MB

MD5
c40122006d7e0193697bce28ccd590aa

SHA1
ccb590c7798d9cc278bfa78e77b83058d99eb219

SHA256
30c70c9471ef055be4ec9b1f962b2da328a23377ef068f5fe8e7b89d86f52d51

SHA512
46989a79a6ffebb2a5839e2485bd4fc285a45335c68608ba5aa541d20e6b181b6c3d44f64abc7cbff23768a0b3db68177d5177338de81c830c9dd81c4a245820

Download Submit
C:\Program Files\7-Zip\Lang\Idle.exe

Filesize
1.1MB

MD5
65a9c52924b41d1c1546c553ea6ff723

SHA1
59b5bb7fd058f49faa42736b8bdde03e5acf8ca0

SHA256
bc796ac899c6a429d03cb4f679f5f26fc7a5730bdd62bbc2b3f7a2ffe7833f45

SHA512
cdbad009fa2b1b19f428cb7b1e1d63f2c7e134594d44bc388fe0e3c445361d71ba1f5edfc9b75a023db16092f206729272dc3826d7953a1e5c8392bdae38ab77

Download Submit
C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe

Filesize
1.1MB

MD5
6d8873c8ba23b5fca6972375bf9209c0

SHA1
9fb4e593cee2cb3aa051f6dfcea2495318c71ee6

SHA256
202edcaf68d27322eff4469dcbc0a48888fe449d28e6a0aad97b4be8b62fd9d2

SHA512
c31cfbd587ed69cec0f5046f94b3ad4e75a4ad767f9d6caf77a81507a500aeb6094788e9b49ef3e082c90aebdb207451b19d2e629222ac0f4f12445c0bc195b1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\dllhost.exe

Filesize
1.1MB

MD5
6d8873c8ba23b5fca6972375bf9209c0

SHA1
9fb4e593cee2cb3aa051f6dfcea2495318c71ee6

SHA256
202edcaf68d27322eff4469dcbc0a48888fe449d28e6a0aad97b4be8b62fd9d2

SHA512
c31cfbd587ed69cec0f5046f94b3ad4e75a4ad767f9d6caf77a81507a500aeb6094788e9b49ef3e082c90aebdb207451b19d2e629222ac0f4f12445c0bc195b1

Download Submit
C:\ProgramData\Idle.exe

Filesize
1.1MB

MD5
c6e51431b44448d1e586ce6374dbfd20

SHA1
e927cd9e40a0f0cd216bbfb36f42ecdf3fe6c78d

SHA256
13b05ea6acc40a071b01565c8e21e0f9a6776287f8f764e85488aebea902e640

SHA512
df9d0432b22307e2a4989ea3e22ea969d4bea5a3cdd9c87795b4c5becdbecaf5709cd680da34bc5b1acc1db7ee51dcf3c533131b85d7eddc5062c0204468c270

Download Submit
C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\spoolsv.exe

Filesize
1.1MB

MD5
dc5c45c99340aa06afead11a48d62553

SHA1
d6a961e7ea5c65f476a4165f786a7e8e62ea81ff

SHA256
18eae67e4988194045cfe14fc0093ffd65407e6e3d136044487fd649689f1e6c

SHA512
42300b7056ef88fb4a35f519078ce2ca68881c3b118933e2c191a7b0b9511be89862d0e923c4fe5c3c28e0dcc5305ed159870975047866c163e28fcd873a99e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Idle.exe

Filesize
1.1MB

MD5
6d8873c8ba23b5fca6972375bf9209c0

SHA1
9fb4e593cee2cb3aa051f6dfcea2495318c71ee6

SHA256
202edcaf68d27322eff4469dcbc0a48888fe449d28e6a0aad97b4be8b62fd9d2

SHA512
c31cfbd587ed69cec0f5046f94b3ad4e75a4ad767f9d6caf77a81507a500aeb6094788e9b49ef3e082c90aebdb207451b19d2e629222ac0f4f12445c0bc195b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lY2uCtHdrf.bat

Filesize
231B

MD5
c2b7dfd69139cf334dfa03ab3b78e61c

SHA1
25aed888bac45c5d5d0e564237c96c2e2c49778a

SHA256
5b9de42e407c2abbcaaf2bdd8c5563f0bc01898d9c89c077de600c8ec5cdb904

SHA512
b344f59a621f9dc42da53d77e69857b97772550739d3c76cb2768097632f19109a29fc8a39ee5453d6737731c8ffbc1ca3f0b9038968beccd4d4fc69e5157892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P9RG16H7KH0F2KJ8MCI4.temp

Filesize
7KB

MD5
07d85225e485a4519add740ee831df46

SHA1
429ad73b441460bf043eae9050fcd5b40f887b90

SHA256
3fe4dcbf49a07e116bc897e9d4510066c28966dc41c3f09b8a9330bac754bd11

SHA512
09f6737c780920ef94bfdd7a3a29f00660c5629881a48185542dcad3376c845bfb12074d5af325f360722f383e4367099086aad8a1c4b8654d2332e4bfa846ff

Download Submit
C:\Windows\Temp\dwm.exe

Filesize
1.1MB

MD5
a14f6d66e414958df7a7b38cef5e8c9a

SHA1
bb3c8db6193c390a2dc19f01fd032b51f5f87aab

SHA256
f72272b5a6dca4a57e8d7cf1e3fa965c4e9310c03d3be7e405f833edb0ca3b12

SHA512
588337f2724fffe476eea7811f51f20d19fc58023df05fd440fe77fd7b94e1978a9494f5e38f8aecdb5362df0b429d4f6d354420278e4ae90279ee9291d61215

Download Submit
memory/1264-341-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1264-333-0x000000000269B000-0x0000000002702000-memory.dmp

Filesize
412KB

Download
memory/1264-343-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/1264-284-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/1264-337-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/1528-348-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/1528-372-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/1528-345-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/1528-346-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/1528-347-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/1528-349-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/1644-377-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1644-381-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1644-374-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1644-376-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/1644-378-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1644-370-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2148-355-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2148-356-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2148-358-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2148-357-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-351-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2228-350-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-382-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-354-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2228-353-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2228-352-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-332-0x0000000002A6B000-0x0000000002AD2000-memory.dmp

Filesize
412KB

Download
memory/2296-339-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2296-283-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-342-0x0000000002A64000-0x0000000002A67000-memory.dmp

Filesize
12KB

Download
memory/2296-338-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2376-6-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2376-1-0x000007FEF62A0000-0x000007FEF6C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-2-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2376-5-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2376-3-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2376-7-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2376-8-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2376-0-0x0000000001080000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-300-0x000007FEF62A0000-0x000007FEF6C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-169-0x000007FEF62A0000-0x000007FEF6C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-182-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2376-4-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2440-336-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2440-340-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2440-334-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-335-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-344-0x00000000024CB000-0x0000000002532000-memory.dmp

Filesize
412KB

Download
memory/2716-359-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-363-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2716-361-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-360-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2716-362-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2716-371-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/2788-380-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2788-383-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-379-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-365-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-364-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2852-375-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2852-373-0x000007FEEE860000-0x000007FEEF1FD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-366-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2852-367-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download