dcrat | 5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Size

4.9MB
MD5

fbad13694fbd76b4a28785c6fa12af90
SHA1

35aca1ddefc9672625d9e94fd886810f30eea843
SHA256

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2
SHA512

0e4ec2070b6fde55ea405611c7d8bc73520670608a6dc0e2f605c9a70c96bfa44135f988c7c1c29d20f0a1edd0390e056d9e6d6401d4a8aefee0fa96e1cb447b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1712	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1036-3-0x000000001B350000-0x000000001B47E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
324	powershell.exe
1360	powershell.exe
1744	powershell.exe
1596	powershell.exe
1800	powershell.exe
2796	powershell.exe
2840	powershell.exe
2600	powershell.exe
592	powershell.exe
2708	powershell.exe
1872	powershell.exe
1864	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2336	smss.exe
2516	smss.exe
1920	smss.exe
1248	smss.exe
2100	smss.exe
2336	smss.exe
1796	smss.exe
2356	smss.exe
1028	smss.exe
1932	smss.exe
2308	smss.exe
1976	smss.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXC485.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXBB8C.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\Internet Explorer\images\6cb0b6c459d5d3	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\6ccacd8608530f	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\csrss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\Internet Explorer\images\dwm.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cc11b995f2a76d	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\886983d96e3d3e	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXAA25.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\Internet Explorer\images\dwm.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCXC967.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\csrss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\f3b6ecef712a24	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Panther\setup.exe\smss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Cursors\56085415360792	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXCB6B.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Cursors\RCXD04D.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Downloaded Program Files\spoolsv.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Resources\RCXAE9B.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Resources\System.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXC214.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\servicing\Sessions\sppsvc.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Cursors\wininit.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Panther\setup.exe\smss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Resources\System.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Panther\setup.exe\69ddcba757bf72	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Downloaded Program Files\spoolsv.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Cursors\wininit.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Resources\27d1bcfc3c54e0	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1276	schtasks.exe
1328	schtasks.exe
2312	schtasks.exe
676	schtasks.exe
1716	schtasks.exe
2072	schtasks.exe
2864	schtasks.exe
1860	schtasks.exe
748	schtasks.exe
1988	schtasks.exe
1600	schtasks.exe
2252	schtasks.exe
936	schtasks.exe
1756	schtasks.exe
2708	schtasks.exe
1652	schtasks.exe
2272	schtasks.exe
2736	schtasks.exe
2636	schtasks.exe
528	schtasks.exe
2772	schtasks.exe
1768	schtasks.exe
2852	schtasks.exe
1644	schtasks.exe
2912	schtasks.exe
1720	schtasks.exe
2028	schtasks.exe
2908	schtasks.exe
328	schtasks.exe
1564	schtasks.exe
2484	schtasks.exe
3004	schtasks.exe
1580	schtasks.exe
1636	schtasks.exe
2868	schtasks.exe
1536	schtasks.exe
2596	schtasks.exe
968	schtasks.exe
1772	schtasks.exe
648	schtasks.exe
1996	schtasks.exe
2628	schtasks.exe
1244	schtasks.exe
404	schtasks.exe
3008	schtasks.exe
1796	schtasks.exe
2256	schtasks.exe
2404	schtasks.exe
1188	schtasks.exe
2684	schtasks.exe
2932	schtasks.exe
2756	schtasks.exe
2268	schtasks.exe
1268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
2600	powershell.exe
324	powershell.exe
2796	powershell.exe
1596	powershell.exe
2840	powershell.exe
2708	powershell.exe
1800	powershell.exe
1744	powershell.exe
1360	powershell.exe
1872	powershell.exe
1864	powershell.exe
592	powershell.exe
2336	smss.exe
2516	smss.exe
1920	smss.exe
1248	smss.exe
2100	smss.exe
2336	smss.exe
1796	smss.exe
2356	smss.exe
1028	smss.exe
1932	smss.exe
2308	smss.exe
1976	smss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2336	smss.exe
Token: SeDebugPrivilege	2516	smss.exe
Token: SeDebugPrivilege	1920	smss.exe
Token: SeDebugPrivilege	1248	smss.exe
Token: SeDebugPrivilege	2100	smss.exe
Token: SeDebugPrivilege	2336	smss.exe
Token: SeDebugPrivilege	1796	smss.exe
Token: SeDebugPrivilege	2356	smss.exe
Token: SeDebugPrivilege	1028	smss.exe
Token: SeDebugPrivilege	1932	smss.exe
Token: SeDebugPrivilege	2308	smss.exe
Token: SeDebugPrivilege	1976	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 1744	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	86
PID 1036 wrote to memory of 1744	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	86
PID 1036 wrote to memory of 1744	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	86
PID 1036 wrote to memory of 1596	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	87
PID 1036 wrote to memory of 1596	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	87
PID 1036 wrote to memory of 1596	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	87
PID 1036 wrote to memory of 2600	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	88
PID 1036 wrote to memory of 2600	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	88
PID 1036 wrote to memory of 2600	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	88
PID 1036 wrote to memory of 1800	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	89
PID 1036 wrote to memory of 1800	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	89
PID 1036 wrote to memory of 1800	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	89
PID 1036 wrote to memory of 592	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	90
PID 1036 wrote to memory of 592	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	90
PID 1036 wrote to memory of 592	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	90
PID 1036 wrote to memory of 2796	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	91
PID 1036 wrote to memory of 2796	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	91
PID 1036 wrote to memory of 2796	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	91
PID 1036 wrote to memory of 2708	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	92
PID 1036 wrote to memory of 2708	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	92
PID 1036 wrote to memory of 2708	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	92
PID 1036 wrote to memory of 1872	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	93
PID 1036 wrote to memory of 1872	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	93
PID 1036 wrote to memory of 1872	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	93
PID 1036 wrote to memory of 1864	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	94
PID 1036 wrote to memory of 1864	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	94
PID 1036 wrote to memory of 1864	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	94
PID 1036 wrote to memory of 2840	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	95
PID 1036 wrote to memory of 2840	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	95
PID 1036 wrote to memory of 2840	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	95
PID 1036 wrote to memory of 324	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	96
PID 1036 wrote to memory of 324	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	96
PID 1036 wrote to memory of 324	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	96
PID 1036 wrote to memory of 1360	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	97
PID 1036 wrote to memory of 1360	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	97
PID 1036 wrote to memory of 1360	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	97
PID 1036 wrote to memory of 2444	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	110
PID 1036 wrote to memory of 2444	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	110
PID 1036 wrote to memory of 2444	1036	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	110
PID 2444 wrote to memory of 2080	2444	cmd.exe	112
PID 2444 wrote to memory of 2080	2444	cmd.exe	112
PID 2444 wrote to memory of 2080	2444	cmd.exe	112
PID 2444 wrote to memory of 2336	2444	cmd.exe	113
PID 2444 wrote to memory of 2336	2444	cmd.exe	113
PID 2444 wrote to memory of 2336	2444	cmd.exe	113
PID 2336 wrote to memory of 1080	2336	smss.exe	114
PID 2336 wrote to memory of 1080	2336	smss.exe	114
PID 2336 wrote to memory of 1080	2336	smss.exe	114
PID 2336 wrote to memory of 616	2336	smss.exe	115
PID 2336 wrote to memory of 616	2336	smss.exe	115
PID 2336 wrote to memory of 616	2336	smss.exe	115
PID 1080 wrote to memory of 2516	1080	WScript.exe	116
PID 1080 wrote to memory of 2516	1080	WScript.exe	116
PID 1080 wrote to memory of 2516	1080	WScript.exe	116
PID 2516 wrote to memory of 1500	2516	smss.exe	117
PID 2516 wrote to memory of 1500	2516	smss.exe	117
PID 2516 wrote to memory of 1500	2516	smss.exe	117
PID 2516 wrote to memory of 1780	2516	smss.exe	118
PID 2516 wrote to memory of 1780	2516	smss.exe	118
PID 2516 wrote to memory of 1780	2516	smss.exe	118
PID 1500 wrote to memory of 1920	1500	WScript.exe	119
PID 1500 wrote to memory of 1920	1500	WScript.exe	119
PID 1500 wrote to memory of 1920	1500	WScript.exe	119
PID 1920 wrote to memory of 1868	1920	smss.exe	120

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
"C:\Users\Admin\AppData\Local\Temp\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DYpxlgJN6F.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2080
- - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
    "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2336
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87602315-8cc6-45a6-bd52-9bb68f4e9e3f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\766f256c-1583-4262-bf73-20ae8065e6af.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9da14c9-1ccb-4435-b965-a4e6666874f1.vbs"
        8⤵
        
        PID:1868
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a98a578a-7a4f-4d79-80f2-b0233b9f72a3.vbs"
        10⤵
        
        PID:1028
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70482d38-db01-4e4b-95d3-cd5b8d740866.vbs"
        12⤵
        
        PID:1300
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbee6452-f37a-41e3-88ba-a1ad6a47940e.vbs"
        14⤵
        
        PID:2916
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0dcfa2c-5fdc-448c-b5ba-2e15c59f02c1.vbs"
        16⤵
        
        PID:2644
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d706e1a-b4cc-48b7-b80d-4fc96bf0f585.vbs"
        18⤵
        
        PID:2936
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bc1e605-8c49-4466-855b-52de6c462c87.vbs"
        20⤵
        
        PID:2260
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c134970-b210-4c8b-9900-5cc26854c619.vbs"
        22⤵
        
        PID:2132
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\948f391a-403c-4080-b9b8-7a5f04678337.vbs"
        24⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e3433ad-c670-4ee4-b3b4-572cfcbd67e3.vbs"
        26⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ebee23-4481-48dc-8026-2c473b4f9ffa.vbs"
        26⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37a4f893-48ed-4758-bd40-2657937670b4.vbs"
        24⤵
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3dae877-6a46-4a75-a120-04150d6f875a.vbs"
        22⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b4e05ed-c9eb-4ec1-b66f-55ffda0d1870.vbs"
        20⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4dcd4b-ad7a-42f7-91e9-784144c51b15.vbs"
        18⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83749964-7022-4393-9ccf-ae7496bc35eb.vbs"
        16⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb5fc0f-7c86-4f65-a64f-e4a3f15df7e3.vbs"
        14⤵
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c97596-ac06-4d12-b4ed-b6083cbee252.vbs"
        12⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ad08c9b-a821-4af8-b57b-b237086a230d.vbs"
        10⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18beef7-777a-47d3-abfb-1fff3d742054.vbs"
        8⤵
        
        PID:2280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48afd720-b849-4746-8c4e-7447a08835f9.vbs"
        6⤵
        
        PID:1780
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c5b648-e176-48e4-955f-d21e926985f0.vbs"
      4⤵
      PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Cursors\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

Filesize
4.9MB

MD5
fbad13694fbd76b4a28785c6fa12af90

SHA1
35aca1ddefc9672625d9e94fd886810f30eea843

SHA256
5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2

SHA512
0e4ec2070b6fde55ea405611c7d8bc73520670608a6dc0e2f605c9a70c96bfa44135f988c7c1c29d20f0a1edd0390e056d9e6d6401d4a8aefee0fa96e1cb447b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bc1e605-8c49-4466-855b-52de6c462c87.vbs

Filesize
747B

MD5
50f88b099a2bda45bf8750805ac4c68b

SHA1
ad866871e69af652090b410cd6f51e1ce44a1f98

SHA256
f4ee6f8ca3d092c2e1f9267565c8170b536b549525c0e74b7132fe1a31f12235

SHA512
d09adbbdeac2f621ee0ecd8b37d99e32e444d3c30141dccf45c98cb174e44b5888db01450a801af7f457c626ae07af039477a82d24627c6866911e58a930766b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d706e1a-b4cc-48b7-b80d-4fc96bf0f585.vbs

Filesize
747B

MD5
892c49cc1dd94dbab204e4b0144ab0f4

SHA1
f8440e381ca4242758cff878ca0797dbf0d66993

SHA256
28c9dcff8e2858893b025c7bf4fbe040d1bc114d42f86c6daf3f11831551ba31

SHA512
b14740fff8105c24f0655a9112d11f972fd4eabd109408d79ea9e335d45ba58f8704692d956d108405930e99b0255502f813a600ad6e0dbc8d25cc8815593ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\49c5b648-e176-48e4-955f-d21e926985f0.vbs

Filesize
523B

MD5
a95c45a314c4d475615a0e52e1d267b3

SHA1
f9b81654ebee82575500b21271b04096d8761e9c

SHA256
506941e299caccba06f45d0c10415d43a7e90187c42785eba73ace8da784a2c9

SHA512
1e9d0e56886911e314eff9933e25e789f7a3be1d34d3aa5f414420afead77d0cb28bb8700049ce4a7a429dc0879c5dc917c8987289bb0db690810ba214816b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\70482d38-db01-4e4b-95d3-cd5b8d740866.vbs

Filesize
747B

MD5
164fc5a7e1557d6dc1ac0cfde173a165

SHA1
cbc6fc249ce00b00fab6e8f1f109e9a8e3ddf377

SHA256
0c3233669ef99b730f5d10a5660c15830a0478157bfe20cb0c9010b6f18c78e3

SHA512
d1f2f2c5d108deab5127c7d0df59b53a65555513236942ebcd6dc9cadf4ffd8b8bb51a39df059c2daa2a09dd97a6651702e2bfe9f78748de578497478faf36ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\766f256c-1583-4262-bf73-20ae8065e6af.vbs

Filesize
747B

MD5
86b36c9458b0621e108464334d618cc0

SHA1
6f6a3b5f5647292f58fe994b4a669e3072f67b7c

SHA256
528b06bc69b5359b76cce28a0192ba6d61e3a75841861849463045956399fa72

SHA512
10b1b32773a70c6210694d5060e1f6282ea7599afb3a700d948d4328235d0d85d98da60dae10f554932f278bfb132dae9e0b497f6271bd05cee2f46705d2d4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\87602315-8cc6-45a6-bd52-9bb68f4e9e3f.vbs

Filesize
747B

MD5
197944d0245eb2dccaa729cf858d0af3

SHA1
2b4a5512083d66c0d285e0a73cb5028e7bdb458d

SHA256
da68fd8ac6c9cd48b5ddb6ea05cee4169d5242f35704455c72c155435211d8b2

SHA512
29276f0b0b85ea95ca11562e4123871a8a38350d5c81c45765af21af693a1546c2f5ab6e4f98c3839ec4f4f061ca976d905acf9c83d4b93a4f9023d69eb71bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e3433ad-c670-4ee4-b3b4-572cfcbd67e3.vbs

Filesize
747B

MD5
22cd72234ccb7705b207b5f19858d839

SHA1
76881c7c9bc704efeb5d919d84f234a077be59aa

SHA256
a749ff74b9bef6680f06accf99b0cd019e6de30d8c5d10b2ab8017b87a3323d3

SHA512
ce6c570d1e94db6f3da322dd21cf4d1e3bb4208ada3d83101bebf75c17f85995e11c135616017353310bd892ec0949c8af9798d495ace8ee13ee958167367535

Download Submit
C:\Users\Admin\AppData\Local\Temp\948f391a-403c-4080-b9b8-7a5f04678337.vbs

Filesize
747B

MD5
997b5ebf2cb084c773a370428e9adb62

SHA1
7fcd8cc256613e4e35f9d4e4b4e1bedc1f7b44f7

SHA256
0184799aaa705bd223a0b946072a9fe2273d40b8293b4595c6aa7a8a2613c0f9

SHA512
fa5e49eeefb6b7b9e7b6eb1206b3747246ed281b38fc6db7fc00953cb9cf410959d3509409e30334fae0f77ae470b3b4b4dc7af14bffcaa0815d20934dc2a63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c134970-b210-4c8b-9900-5cc26854c619.vbs

Filesize
747B

MD5
d12f0f1db4d67bb504279c23fca89ed8

SHA1
ffa2d78ca8af7a168c4d46d5b1f8184c8734c936

SHA256
2f863ad6e491427e54600675a5f593c6cbdf5e87e8905a0aa1e1dc1209654c33

SHA512
f9c6552e4dc0192a149d7d703e51ba7ddad060a7500307b2149fe3c01c45413dc7a84077ba7bf24281e12de00bec396c738f92d9dbb09a38e47847615e5e542f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYpxlgJN6F.bat

Filesize
236B

MD5
34fe29362fe7d4187ae497b85ca22acc

SHA1
46523752de659445362cb98f1ed9a0771e9fb363

SHA256
c994bdf16bac7538f7c975acdda7d64686cd945f688b1894f0ad272fd88e9ab6

SHA512
5ac3c5e78ee96245eb4616a9f7ccba0e7d2baba433bdfab1249776065427a14626c8acc6d6f535a07e28e976d0cc8a4410a0ba7579787a284654db2f367a6c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a98a578a-7a4f-4d79-80f2-b0233b9f72a3.vbs

Filesize
747B

MD5
d82e0687f3806f6be75e597e01bb7ef7

SHA1
dd6cada8acfe5734bd6afba9eba4d6bd090c1888

SHA256
605c04d17ae6991a232390c0065a80ce867468cfd8fb2e6852025b26db19657a

SHA512
d130ba9ad7d1da44989a20106c673917a4ffe38060e274d34a14ed87ae2a4690b5130ce1328ae1246ebb8bdf4244a3922779380589787b426b66780301205369

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9da14c9-1ccb-4435-b965-a4e6666874f1.vbs

Filesize
747B

MD5
e5d479d91a0757fda4673fec1fb0737a

SHA1
b1846ead8cbede937a6050acd19125b3f1464346

SHA256
9aca3d9a27bdc36564d34a7ab3b096667514d5f61c018b9de0efb2f7c8f8baa9

SHA512
23d9e1970d4d5137e326a88f60a33362babd40a273eee1689ad6b48eff15c674c728a470a2ed784b86f795286c4bef46439e7addbd3d4c68b90f25a99167cb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0dcfa2c-5fdc-448c-b5ba-2e15c59f02c1.vbs

Filesize
747B

MD5
32d60d1b352296f1e609c698c8659db8

SHA1
a70d32f9f6511ebef8ddca36e8705d239ef7d9e5

SHA256
ab9093c9a83ab8782a7b7c8a8c26543ab8a7d3b6c52df5e632466f383813a6f2

SHA512
c4470e63f83ff116204fb30e037011672d76014348866c14201961bd961cf0a16fae3f3c71bec1cc55f7498122f42872a81a317375a5ffff4e5143015dc8651b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF824.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1dfd8e003775da720cbdba870fa59bcd

SHA1
c08bdac2ae97b32e6ba514947e38fbef19f3af13

SHA256
dcfa06478497bfa9d6ad235ad4a30a54f441f6a0e08a238303fdd24d18a105e8

SHA512
685ce1ad08def69491146f490f68b9d0e40bda4f86b258211cdf1e11d401ba1df52cb61ce02a04a58e264910a2b54cbb9b9985f10490849ae3e91103e75fb070

Download Submit
C:\Users\Public\wininit.exe

Filesize
4.9MB

MD5
5e3e873459f592c3f0df806bf38417b8

SHA1
c3179c5792c424b40e0a0703a790fc954f4f74ad

SHA256
1502b0a809478246024d28fc7618df785f5985797887b37b489fe6156f3c06ef

SHA512
441c882e4fb6ee2a2ba4b12092da8163695abf4de38a04a9dfca68f8abbc4b9f5a1e457597ff2f632bb9f514c6b03ade3722fd178492725f4305fb452486c160

Download Submit
memory/1028-366-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/1036-12-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/1036-9-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/1036-157-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-14-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/1036-1-0x0000000000EE0000-0x00000000013D4000-memory.dmp

Filesize
5.0MB

Download
memory/1036-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-181-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-16-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/1036-3-0x000000001B350000-0x000000001B47E000-memory.dmp

Filesize
1.2MB

Download
memory/1036-15-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/1036-13-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

Filesize
56KB

Download
memory/1036-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/1036-4-0x0000000000CD0000-0x0000000000CEC000-memory.dmp

Filesize
112KB

Download
memory/1036-11-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1036-5-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/1036-10-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/1036-6-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1036-143-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/1036-7-0x0000000000D80000-0x0000000000D96000-memory.dmp

Filesize
88KB

Download
memory/1036-8-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1248-291-0x0000000000A70000-0x0000000000F64000-memory.dmp

Filesize
5.0MB

Download
memory/1796-336-0x0000000000850000-0x0000000000D44000-memory.dmp

Filesize
5.0MB

Download
memory/1920-276-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/1932-381-0x00000000011B0000-0x00000000016A4000-memory.dmp

Filesize
5.0MB

Download
memory/1976-411-0x0000000000920000-0x0000000000E14000-memory.dmp

Filesize
5.0MB

Download
memory/2100-306-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download
memory/2308-396-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2336-321-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2336-247-0x0000000000820000-0x0000000000D14000-memory.dmp

Filesize
5.0MB

Download
memory/2356-351-0x0000000001050000-0x0000000001544000-memory.dmp

Filesize
5.0MB

Download
memory/2516-261-0x0000000000A10000-0x0000000000F04000-memory.dmp

Filesize
5.0MB

Download
memory/2600-187-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2600-192-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download