dcrat | fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Size

2.1MB
MD5

cd1a763ca658b71be35993a9291d4461
SHA1

2effbe1057c3c1aebd05f87ff7aa7459d9433f69
SHA256

fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6
SHA512

d7f3f0e680f81ae7f5062bdd62de252e4dabd06f10aab7623da2783ca8d455394aaf079b8363c797858f9626efea62c034413c00526ae0cfb4be57179736da39
SSDEEP

49152:D3B3BNkmneOg9/liOjsCpfAwq1jwaCJtn:zFBNkB9NiOjsC5A91jw5

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\it-IT\\sysmon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\it-IT\\sysmon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\SearchApp.exe\", \"C:\\odt\\sihost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\it-IT\\sysmon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\SearchApp.exe\", \"C:\\odt\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\", \"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\", \"C:\\Windows\\Globalization\\ICU\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\it-IT\\sysmon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\SearchApp.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	220	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	220	schtasks.exe	93

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2100-0-0x0000000000400000-0x0000000000616000-memory.dmp	dcrat
behavioral2/files/0x000700000002320e-35.dat	dcrat
behavioral2/files/0x000e00000002323c-146.dat	dcrat
behavioral2/files/0x000700000002320e-402.dat	dcrat
behavioral2/files/0x000700000002320e-401.dat	dcrat

Detects executables packed with SmartAssembly 7 IoCs

resource	yara_rule
behavioral2/memory/2100-8-0x0000000002830000-0x0000000002840000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2100-14-0x000000001B2F0000-0x000000001B2FC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2100-16-0x000000001B970000-0x000000001B97C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2100-20-0x000000001BBD0000-0x000000001BBDC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2100-19-0x00000000026D0000-0x00000000026E0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2100-25-0x000000001BC20000-0x000000001BC2A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/2100-24-0x000000001BC10000-0x000000001BC1C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	services.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\it-IT\\sysmon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\ICU\\smss.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\it-IT\\sysmon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Reference Assemblies\\SearchApp.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Reference Assemblies\\SearchApp.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\StartMenuExperienceHost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\ICU\\smss.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Common Files\\System\\ja-JP\\taskhostw.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Uninstall Information\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\SystemApps\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\services.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\taskhostw.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Uninstall Information\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\odt\\sihost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\odt\\sihost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\lsass.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\winlogon.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\WindowsPowerShell\Modules\29c1c3cc0f7685	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\ea9f0e6c9e2dcd	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\winlogon.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX546D.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCX5D0C.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX4E50.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCX5259.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\taskhostw.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6125.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Reference Assemblies\SearchApp.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\SearchApp.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\55b276f4edf653	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Reference Assemblies\38384e6a620884	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RCX5054.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX6733.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\taskhostw.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\cc11b995f2a76d	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Common Files\System\ja-JP\taskhostw.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Common Files\System\ja-JP\ea9f0e6c9e2dcd	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\taskhostw.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\6203df4a6bafc7	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\RCX5886.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\ICU\69ddcba757bf72	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\it-IT\sysmon.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\it-IT\121e5b5079f7c0	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RCX5681.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\Globalization\ICU\smss.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\it-IT\RCX652E.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\Globalization\ICU\smss.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\c5b4cb5e9653cc	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\Globalization\ICU\RCX5F11.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\it-IT\sysmon.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3544	schtasks.exe
2760	schtasks.exe
1272	schtasks.exe
4884	schtasks.exe
4728	schtasks.exe
4448	schtasks.exe
2996	schtasks.exe
3656	schtasks.exe
1476	schtasks.exe
516	schtasks.exe
448	schtasks.exe
4780	schtasks.exe
4384	schtasks.exe
3728	schtasks.exe
4516	schtasks.exe
2220	schtasks.exe
4436	schtasks.exe
1368	schtasks.exe
2548	schtasks.exe
1724	schtasks.exe
4708	schtasks.exe
5108	schtasks.exe
4380	schtasks.exe
4784	schtasks.exe
4584	schtasks.exe
2000	schtasks.exe
2968	schtasks.exe
3952	schtasks.exe
2236	schtasks.exe
2828	schtasks.exe
3660	schtasks.exe
380	schtasks.exe
4908	schtasks.exe
3856	schtasks.exe
2868	schtasks.exe
1932	schtasks.exe
3556	schtasks.exe
4624	schtasks.exe
2412	schtasks.exe
4452	schtasks.exe
2836	schtasks.exe
892	schtasks.exe
4428	schtasks.exe
1888	schtasks.exe
3884	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
2452	powershell.exe
2452	powershell.exe
3700	powershell.exe
3700	powershell.exe
532	powershell.exe
532	powershell.exe
1924	powershell.exe
1924	powershell.exe
3608	powershell.exe
3608	powershell.exe
3588	powershell.exe
3588	powershell.exe
4544	powershell.exe
4544	powershell.exe
3576	powershell.exe
3576	powershell.exe
2980	powershell.exe
2980	powershell.exe
1048	powershell.exe
1048	powershell.exe
4708	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	2704	services.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3500	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	144
PID 2100 wrote to memory of 3500	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	144
PID 2100 wrote to memory of 2452	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	145
PID 2100 wrote to memory of 2452	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	145
PID 2100 wrote to memory of 3576	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	146
PID 2100 wrote to memory of 3576	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	146
PID 2100 wrote to memory of 532	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	147
PID 2100 wrote to memory of 532	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	147
PID 2100 wrote to memory of 4708	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	148
PID 2100 wrote to memory of 4708	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	148
PID 2100 wrote to memory of 2576	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	149
PID 2100 wrote to memory of 2576	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	149
PID 2100 wrote to memory of 1924	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	150
PID 2100 wrote to memory of 1924	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	150
PID 2100 wrote to memory of 3700	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	151
PID 2100 wrote to memory of 3700	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	151
PID 2100 wrote to memory of 3608	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	152
PID 2100 wrote to memory of 3608	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	152
PID 2100 wrote to memory of 3588	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	154
PID 2100 wrote to memory of 3588	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	154
PID 2100 wrote to memory of 1048	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	155
PID 2100 wrote to memory of 1048	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	155
PID 2100 wrote to memory of 4352	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	156
PID 2100 wrote to memory of 4352	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	156
PID 2100 wrote to memory of 4544	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	157
PID 2100 wrote to memory of 4544	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	157
PID 2100 wrote to memory of 4248	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	158
PID 2100 wrote to memory of 4248	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	158
PID 2100 wrote to memory of 5100	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	159
PID 2100 wrote to memory of 5100	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	159
PID 2100 wrote to memory of 2980	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	160
PID 2100 wrote to memory of 2980	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	160
PID 2100 wrote to memory of 4772	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	175
PID 2100 wrote to memory of 4772	2100	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	175
PID 4772 wrote to memory of 6084	4772	cmd.exe	178
PID 4772 wrote to memory of 6084	4772	cmd.exe	178
PID 4772 wrote to memory of 2704	4772	cmd.exe	181
PID 4772 wrote to memory of 2704	4772	cmd.exe	181

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
"C:\Users\Admin\AppData\Local\Temp\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ja-JP\taskhostw.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\taskhostw.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ICU\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\sysmon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6mSxvpijy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:6084
- - C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe
    "C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\ja-JP\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\ja-JP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ICU\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\RCX6733.tmp

Filesize
2.0MB

MD5
072af58d992619a905d3c9ab1e9a2a0c

SHA1
6ba4955eb550c7ca2b586c1ecda573759e404e54

SHA256
32c3b6efb5ca8853e2153ab668c24ef61b22ef11d73d3513e442fb6d29a3f5d3

SHA512
4deb8ae5977a07842b1d7394466ce5646b01a88641bd2518b0cf4dc214f5f4456267be3fabbe812e814d204e23f3b898d00dad8d29e9499ac3b5e0042b370981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
243347db405974f6277b941306d57ddb

SHA1
48a7563230d78ecfe8aaa7b749bf985c6078b4e4

SHA256
876100d0ce1aff677a0cab677787ca9858a989f4e5c13b05c8931f709232b835

SHA512
1c45eae761fb4224943debe2f2d553793146bb6d4bf2535de2bded3f9c78665607bc1fce7d4ecf905569488e42e42d0bf4b6d20dfcf8cda77a354b8faf17a951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cedprwp0.jor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6mSxvpijy.bat

Filesize
242B

MD5
07089a13fc642a7087bc1683ecfb0509

SHA1
cbc67565696de36ea2ee420b6cf8a5d2c9a85f28

SHA256
932aa3cf88e1fa40803fe38cde458c30f9d9cba2b9f7d0ba6306be5d64d1bccd

SHA512
e52fe2ee091ca7ce9aef2895cdc0d2aa8a54c12b9c5aceab342373967286b0e177a9c42e0c182011529cb9df1c9199ace8fbe50aed5f66e5ff72a183f9ee282c

Download Submit
C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe

Filesize
1.7MB

MD5
5b03697eda9b2988162beb4fb2fe50ee

SHA1
dc76a6e98ebe711028a16f2e30e22329cc86c667

SHA256
b27f15145a89e128a5eb0a9ccd2672bbf0ab0c5dd44f0fe95b2c1d26ca5abbfd

SHA512
466e02b8fe744c5bcb60988271a72658b5af456a4039852cb0abb544c6b294220efcd5fa5ceaa9b590b6cfa56eb9e605a5a8dcc3003175601893179672936902

Download Submit
C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe

Filesize
727KB

MD5
804ee4980a5197f9b4ad2c0649ad00e5

SHA1
37a941fac8f9d5e69d392c52df6684581ef1fe65

SHA256
fbcdbd9d74805bb3caf18ecc88dae4f5ce3315583b62574c6c46f3add9f665e7

SHA512
70160115890f0d608fc1b3ef55b6742b1e26638004642aef6aa2f5373243dbe829b5190bc6b5a3557743bff2b56707acb2490f20f50efe7b157262c98d69b7d7

Download Submit
C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\services.exe

Filesize
512KB

MD5
f813a98e418bb3ff14e159e25edd49d6

SHA1
7899218633b2006083bb528cdd639fe376583c94

SHA256
c7e30ff81cfb1590fc12a59056f0cac168092f75b77dbcff1266bf7ec06391f4

SHA512
ce7ee589383501b8ce4231191bf6a357d8b142ecdd0049ef705dcb21f42d3094290748ce0d6d4eb51b5e31b2a7a8102fad78291c683b31a2ae5a9d96a6bdc2fd

Download Submit
memory/532-176-0x000001E124D10000-0x000001E124D20000-memory.dmp

Filesize
64KB

Download
memory/532-175-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/532-177-0x000001E124D10000-0x000001E124D20000-memory.dmp

Filesize
64KB

Download
memory/1048-336-0x00000239A5BF0000-0x00000239A5C00000-memory.dmp

Filesize
64KB

Download
memory/1048-334-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/1924-317-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/2100-20-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/2100-15-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/2100-26-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/2100-24-0x000000001BC10000-0x000000001BC1C000-memory.dmp

Filesize
48KB

Download
memory/2100-23-0x000000001BC00000-0x000000001BC0E000-memory.dmp

Filesize
56KB

Download
memory/2100-22-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/2100-21-0x000000001BBE0000-0x000000001BBEE000-memory.dmp

Filesize
56KB

Download
memory/2100-49-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2100-19-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2100-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2100-9-0x000000001B280000-0x000000001B296000-memory.dmp

Filesize
88KB

Download
memory/2100-4-0x0000000002700000-0x000000000270E000-memory.dmp

Filesize
56KB

Download
memory/2100-1-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/2100-172-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/2100-2-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2100-18-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2100-17-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/2100-25-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/2100-16-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/2100-3-0x00000000026F0000-0x00000000026FE000-memory.dmp

Filesize
56KB

Download
memory/2100-6-0x000000001B260000-0x000000001B27C000-memory.dmp

Filesize
112KB

Download
memory/2100-8-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2100-7-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/2100-5-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2100-10-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

Filesize
64KB

Download
memory/2100-12-0x000000001B2C0000-0x000000001B2D2000-memory.dmp

Filesize
72KB

Download
memory/2100-11-0x000000001B2B0000-0x000000001B2BC000-memory.dmp

Filesize
48KB

Download
memory/2100-13-0x000000001BE90000-0x000000001C3B8000-memory.dmp

Filesize
5.2MB

Download
memory/2100-14-0x000000001B2F0000-0x000000001B2FC000-memory.dmp

Filesize
48KB

Download
memory/2452-170-0x000002C9F1640000-0x000002C9F1650000-memory.dmp

Filesize
64KB

Download
memory/2452-342-0x000002C9F1640000-0x000002C9F1650000-memory.dmp

Filesize
64KB

Download
memory/2452-169-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/2576-343-0x000002556A080000-0x000002556A090000-memory.dmp

Filesize
64KB

Download
memory/2576-341-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/2980-333-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/3500-340-0x00000251736A0000-0x00000251736B0000-memory.dmp

Filesize
64KB

Download
memory/3500-350-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/3576-219-0x000001EEE9B30000-0x000001EEE9B40000-memory.dmp

Filesize
64KB

Download
memory/3576-200-0x000001EEE9B30000-0x000001EEE9B40000-memory.dmp

Filesize
64KB

Download
memory/3576-347-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/3588-185-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/3588-199-0x0000023AB1140000-0x0000023AB1150000-memory.dmp

Filesize
64KB

Download
memory/3588-189-0x0000023AB1140000-0x0000023AB1150000-memory.dmp

Filesize
64KB

Download
memory/3608-280-0x000001A7A3680000-0x000001A7A3690000-memory.dmp

Filesize
64KB

Download
memory/3608-344-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/3700-174-0x00000153CD3C0000-0x00000153CD3D0000-memory.dmp

Filesize
64KB

Download
memory/3700-184-0x00000153CD620000-0x00000153CD642000-memory.dmp

Filesize
136KB

Download
memory/3700-345-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/3700-173-0x00000153CD3C0000-0x00000153CD3D0000-memory.dmp

Filesize
64KB

Download
memory/4248-335-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/4248-337-0x00000183755A0000-0x00000183755B0000-memory.dmp

Filesize
64KB

Download
memory/4248-338-0x00000183755A0000-0x00000183755B0000-memory.dmp

Filesize
64KB

Download
memory/4352-318-0x000001EE629C0000-0x000001EE629D0000-memory.dmp

Filesize
64KB

Download
memory/4352-348-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/4544-346-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/4708-260-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/5100-349-0x00007FFDAD880000-0x00007FFDAE341000-memory.dmp

Filesize
10.8MB

Download
memory/5100-339-0x000001E6F5090000-0x000001E6F50A0000-memory.dmp

Filesize
64KB

Download