dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
1396s
max time network
1159s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/10/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat credential_access defense_evasion discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	smss.exe

Process spawned unexpected child process 61 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1408	schtasks.exe	160
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	1408	schtasks.exe	160
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1408	schtasks.exe	160
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	1408	schtasks.exe	160

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/files/0x001d00000002ab2d-8.dat	dcrat
behavioral4/files/0x001900000002ab34-23.dat	dcrat
behavioral4/memory/2504-25-0x0000000000C10000-0x0000000000CE6000-memory.dmp	dcrat

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\RNDISMP.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ws2ifsl.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\Microsoft.Bluetooth.Profiles.HidOverGatt.dll	smss.exe
File opened for modification	C:\Windows\System32\drivers\KNetPwrDepBroker.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\mup.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\volume.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\appid.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\USBCAMD2.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\disk.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mountmgr.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\volsnap.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vhdmp.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\vmgencounter.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\evbda.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\IddCx.dll	smss.exe
File opened for modification	C:\Windows\System32\drivers\IPMIDrv.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ntfs.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sermouse.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\HidTelephony.dll	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\NdisVirtualBus.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nvmedisk.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\parport.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SMCCx.dll	smss.exe
File opened for modification	C:\Windows\System32\drivers\bthmodem.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\dumpsd.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\usbuhci.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BTHUSB.SYS.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mslldp.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SensorsCx.dll	smss.exe
File opened for modification	C:\Windows\System32\drivers\mausbip.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\mmcss.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\bthport.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scmbus.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\hvsocket.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\spacedump.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rdpdr.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\portcfg.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\IddCx.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\USBXHCI.SYS	smss.exe
File opened for modification	C:\Windows\System32\drivers\vhdmp.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\CAD.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\mstee.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pcmcia.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\partmgr.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volsnap.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\umpass.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\UsbccidDriver.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\smbdirect.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\Microsoft.Bluetooth.Profiles.HidOverGatt.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\sdstor.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\storport.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\tcpip.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\netvsc.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\en-US\spaceport.sys.mui	smss.exe
File opened for modification	C:\Windows\System32\drivers\hdaudbus.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\kbdclass.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\rhproxy.sys	smss.exe
File opened for modification	C:\Windows\System32\drivers\srvnet.sys	smss.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	smss.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	smss.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
5004	smss.exe

Executes dropped EXE 13 IoCs

pid	Process
2764	kendalcp.exe
2504	reviewDll.exe
5004	smss.exe
4484	OfficeClickToRun.exe
4824	spoolsv.exe
4560	sihost.exe
828	sysmon.exe
1716	explorer.exe
2856	smss.exe
4688	dllhost.exe
2032	Idle.exe
2756	fontdrvhost.exe
2388	smss.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\HardwareEvents.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\OAlerts.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Security.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Application.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Device Management.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Cache%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Key Management Service.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx	smss.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx	smss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.22000.1_none_5253db794fd19bbe\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.22000.1_none_76ef4b64e8508b21\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.22000.1_none_da2961292c6298e1\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.22000.1_none_6d5619d8ba52aa97\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-themea_31bf3856ad364e35_10.0.22000.1_none_2d195b32a9bbd3f8\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-themec_31bf3856ad364e35_10.0.22000.1_none_2d192da2a9bc073a\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.22000.1_none_9741789b0187fcd2\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.1_none_b98817a80d8613cb\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.22000.1_none_425ab98abe32f108\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.348_none_d5c2f424027f1f86\f\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.22000.1_none_4967740657087a96\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.22000.1_none_cf5a34ed394a500a\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.22000.1_none_6c2c3d6bec34b2ca\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.22000.1_none_a514e307ccfabd4f\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.22000.1_none_d695fba48209fefe\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.22000.1_none_a4d2399e2ef2be0c\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.348_none_5e9c11248df37d0b\f\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.22000.1_none_5c4b3db25aa82850\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.22000.1_none_6bdf1ccd370e3a39\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.1_none_30aefaa78211b646\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.22000.1_none_f4c93628f8665e8e\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.22000.1_none_ad443680f74b3fb3\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.22000.1_none_d8c36377b4a5396d\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.22000.1_none_486cc349b51d4319\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.348_none_5e9c11248df37d0b\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.348_none_5e9c11248df37d0b\r\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-themeb_31bf3856ad364e35_10.0.22000.1_none_2d19446aa9bbed99\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.22000.1_none_c15b80aa83c606f8\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.22000.1_none_eb60fb76c15c81dc\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.22000.1_none_b4ddd1a2a1f02731\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.22000.1_none_d4b0de3f8c6d0020\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.22000.1_none_3289a7001344c6bd\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.348_none_d5c2f424027f1f86\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.348_none_d5c2f424027f1f86\r\Desktop.ini	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.348_none_d5c2f424027f1f86\f\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.22000.1_none_7a47cb5c18eed439\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.22000.1_none_ab5b9bd8136d6a0f\desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.22000.1_none_5e882f2798e1d266\Desktop.ini	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-themed_31bf3856ad364e35_10.0.22000.1_none_2d1916daa9bc20db\Desktop.ini	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.348_none_5e9c11248df37d0b\f\Desktop.ini	smss.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	smss.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.22000.1_none_d85560fac0cc6c41\autorun.inf	smss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\it-IT\dosvc.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\it-IT\nbtstat.exe.mui	smss.exe
File opened for modification	C:\Windows\System32\netid.dll	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\helloface.inf_amd64_740102fec05a8397\FaceRecognitionSensorAdapter.dll	smss.exe
File opened for modification	C:\Windows\System32\en-US\CaptureService.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\ja-jp\auditpol.exe.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WmiPerfInst.dll	smss.exe
File opened for modification	C:\Windows\System32\C_20000.NLS	smss.exe
File opened for modification	C:\Windows\System32\notepad.exe	smss.exe
File opened for modification	C:\Windows\System32\de-DE\netcorehc.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\fr-FR\DeviceCenter.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\dmview.ocx	smss.exe
File opened for modification	C:\Windows\System32\EhStorShell.dll	smss.exe
File opened for modification	C:\Windows\System32\SensorsClassExtension.dll	smss.exe
File opened for modification	C:\Windows\System32\de-DE\rasautou.exe.mui	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_5.bin	smss.exe
File opened for modification	C:\Windows\System32\it-IT\query.exe.mui	smss.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\SmsRouterSvc-Replacement.man	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\mdmirmdm.inf_loc	smss.exe
File opened for modification	C:\Windows\System32\wbem\en-US\dnsclientpsprovider.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\de-DE\shsvcs.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\fr-FR\sdcpl.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\it-IT\PasswordOnWakeSettingFlyout.exe.mui	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\NETwew01.sys	smss.exe
File opened for modification	C:\Windows\System32\wbem\en-US\wbemcntl.dll.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\IMTCCORE.DLL	smss.exe
File opened for modification	C:\Windows\System32\SettingsHandlers_Troubleshoot.dll	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\image.inf_loc	smss.exe
File opened for modification	C:\Windows\System32\en-US\grb.rs.mui	smss.exe
File opened for modification	C:\Windows\System32\fr-FR\inetres.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\uk-UA\MbaeApi.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\uk-UA\twinui.pcshell.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\pspluginwkr.dll.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefaultHeatProcessor.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\sr-Latn-RS\comctl32.dll.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\nlsvc.mof	smss.exe
File opened for modification	C:\Windows\System32\wbem\msv1_0.mof	smss.exe
File opened for modification	C:\Windows\SysWOW64\netprovisionsp.dll	smss.exe
File opened for modification	C:\Windows\System32\de-DE\diskperf.exe.mui	smss.exe
File opened for modification	C:\Windows\System32\Dism\ja-JP\SmiProvider.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-store-rtm.xrm-ms	smss.exe
File opened for modification	C:\Windows\System32\wbem\wmipiprt.mof	smss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\msv1_0.mof	smss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\powershell.exe.mui	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_69e8e0efb212ba16\I386\PJLMON.DLL	smss.exe
File opened for modification	C:\Windows\System32\fr-FR\rpcping.exe.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\windowsudk.shellcommon.dll	smss.exe
File opened for modification	C:\Windows\System32\ndfhcdiscovery.dll	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\ChargeArbitration.inf_loc	smss.exe
File opened for modification	C:\Windows\System32\en-US\ActiveSyncCsp.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\es-ES\lprmon.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\ja-jp\bridgeres.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\ja-jp\dot3msm.dll.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.format.ps1xml	smss.exe
File opened for modification	C:\Windows\System32\de-DE\Taskbar.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\en-US\printercleanuptask.dll.mui	smss.exe
File opened for modification	C:\Windows\System32\PointOfService\ProtocolProviders\it-IT\BarcodeScannerProtocolProvider.dll.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\wlidprov.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\urlmon.dll.mui	smss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetISATAPConfiguration.types.ps1xml	smss.exe
File opened for modification	C:\Windows\System32\DpiScaling.exe	smss.exe
File opened for modification	C:\Windows\System32\WLanHC.dll	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_A.bin	smss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_176f48e56eb2de15\drmk.sys	smss.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	smss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireAppList.targetsize-72_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-125_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-lightunplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll	smss.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-125_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-80_altform-lightunplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\Square44x44Logo.targetsize-256.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square150x150Logo.scale-200_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	smss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\sl-si\Resources.resw	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\KeytipLayer.js	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\ModifiedAlphaTexturePixelShader.cso	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-96_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Grid.js	smss.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll	smss.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-16_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-lightunplated_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-300.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-24_altform-lightunplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\contrast-white\CameraLargeTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadSmallTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib\version.js	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Windows.UI.Xaml.Core.Direct.XamlDirectContract.winmd	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\DetailsList.types.js	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherMedTile.scale-125_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-48_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PaintSmallTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-150.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-16.png	smss.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LargeTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\EdgeLogo.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Selection.js	smss.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\IScheme.js	smss.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-32_altform-unplated_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppCS\Assets\ImportFromDevice.png	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_system.servicemodel.web.resources_31bf3856ad364e35_4.0.15806.0_it-it_ccadd82c0bf90e59\System.ServiceModel.Web.resources.dll	smss.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoftwindows.client.cbs_cw5n1h2txyewy_valuebanner_assets_fonts_1ebb14400c1bd350.cdf-ms	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-onecore-d..ier-tools.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_522dd243bd6bc2a5.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-mccs-syncres.resources_31bf3856ad364e35_10.0.22000.348_pt-br_20eb139fac869468.manifest	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Security-SPP-Component-SKU-ProfessionalEducationN-License-Package~31bf3856ad364e35~amd64~~10.0.22000.348.cat	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l..alization.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_21b0ad505f446e9a\luafv.sys.mui	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\Square44x44Logo.scale-125.png	smss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_zh-CN.xml	smss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.22000.1_none_3ccc038fc75b3c47\imecfmps.dll	smss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_10.0.22000.1_it-it_8e0d6f0f3ccdf8a9\_ServiceModelServicePerfCounters_D.ini	smss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Wireless.xml	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-WinPE-SKU-Foundation-merged-Package~31bf3856ad364e35~amd64~nb-NO~10.0.22000.434.cat	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-a..epository.resources_31bf3856ad364e35_10.0.22000.1_it-it_0bcc4f71ef16c46e.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..formers-shell-extra_31bf3856ad364e35_10.0.22000.1_none_e433cec7c9952d0d\shtransform.dll	smss.exe
File opened for modification	C:\Windows\Fonts\8514fix.fon	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Graphics-Display-DisplayEnhancementService-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.22000.120_cs-cz_398a3cb357da06de\f\audit.exe.mui	smss.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-UnifiedWriteFilter-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_netathr10x.inf_31bf3856ad364e35_10.0.22000.1_none_a4b0d4efa1b6f6a1\eeprom_ar6320_3p0_NFA344A_power1213_DE_0410.bin	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..workstation-license_31bf3856ad364e35_10.0.22000.348_none_60cf484990ef3775\f\ProfessionalWorkstation-OEM-DM-1-pl-rtm.xrm-ms	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-win32k_31bf3856ad364e35_10.0.22000.282_none_b419cd8b1fe32103\win32kfull.sys	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-aspnet_regiis_exe_b03f5f7f11d50a3a_4.0.15806.0_none_814d9cd431d93bd0\aspnet_regiis.exe	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Hyper-V-WinPE-Drivers-Package~31bf3856ad364e35~amd64~nl-NL~10.0.22000.469.cat	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-CoreSystem-RemoteFS-Server-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.348.cat	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_termmou.inf.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_4262eafb477debda\termmou.inf_loc	smss.exe
File opened for modification	C:\Windows\WinSxS\wow64_eventviewersettings.resources_31bf3856ad364e35_10.0.22000.1_es-es_f7959753cd35267b\miguiresource.dll.mui	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..tform-media-onecore_31bf3856ad364e35_10.0.22000.376_none_005c344966df65ac\f\wdscommonlib.dll	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\Cortana.UI\Assets\splashscreen.contrast-white_scale-80.png	smss.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.22000.348_none_7744f0e97b18358e\f\Professional-OEM-DM-4-ul-oob-rtm.xrm-ms	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-EditionPack-Professional-Package~31bf3856ad364e35~amd64~bg-BG~10.0.22000.318.mum	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-l..oem-coren.resources_31bf3856ad364e35_10.0.22000.493_zh-tw_312852dda3f4ea37.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-chsime-binaries_31bf3856ad364e35_10.0.22000.282_none_76ac76bf4dd760c8\r\ServiceDS.dll	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Assets\contrast-black\GetStartedAppList.targetsize-40_altform-unplated_contrast-black.png	smss.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.22000.1_en-us_d184b1ebc1046f40_iprtrmgr.dll.mui_eb023b92	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_dc21x4vm.inf.resources_31bf3856ad364e35_10.0.22000.1_it-it_680c76660a698daf.manifest	smss.exe
File opened for modification	C:\Windows\INF\mdmgl003.inf	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-l..-oem-core.resources_31bf3856ad364e35_10.0.22000.493_nl-nl_4e47b748bb23ae84\f\license.rtf	smss.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\0f000ceb5108e767a0bb8ac0f887d5bc36b7eb7cc704ae7d52687bf972be1aa8.cat	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.22000.120_none_77528aa57b0f38a6\Professional-Volume-CSVLK-2-ul-store-rtm.xrm-ms	smss.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.22000.1_none_53a7ba91b32fb1a9_8514oem.fon_c20e1190	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_75db5c8e53e39021.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.22000.1_en-gb_121e10c07733e90a.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlm_31bf3856ad364e35_10.0.22000.438_none_781555c7e7b920fe\f\msv1_0.dll	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_mlx4_bus.inf.resources_31bf3856ad364e35_10.0.22000.1_it-it_35303178bafaab22\mlx4_bus.inf_loc	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-r..-agilevpn.resources_31bf3856ad364e35_10.0.22000.1_it-it_023983a3b056cfc4.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_system.speech.resources_31bf3856ad364e35_4.0.15806.0_en-us_903eb01b59a21e58.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-t..vice-core.resources_31bf3856ad364e35_10.0.22000.1_en-us_2abd034184cd8954\TableTextService.dll.mui	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.22000.1_en-us_98936202ee3e0ee8\clipsvc.dll.mui	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-printerdiagnostic_31bf3856ad364e35_10.0.22000.1_none_1c02ded69f82821d\TS_PrinterDriver.ps1	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-wof-tasks.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_f289bda5963c5cfa.manifest	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-EditionPack-PPIPro-Package~31bf3856ad364e35~amd64~hr-HR~10.0.22000.318.mum	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_amdgpio2.inf.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_49ec8a29d5b03069\AMDGPIO2.inf_loc	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-h..centercpl.resources_31bf3856ad364e35_10.0.22000.1_es-es_fd158d82ee9a244e\ActionCenterCPL.dll.mui	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.22000.1_it-it_5c95b39117f75ae7\storagewmi.dll.mui	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png	smss.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\f465ea4cf13805bd98961cd1835bff3d04984be37b90224d85fc633f17613ea6.cat	smss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\ja\MSBuild.resources.dll	smss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-d..ndsdomain-datafiles_31bf3856ad364e35_10.0.22000.348_none_1a913686f0ea5b5f\f\ChsPinyinDM43.lex	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.22000.1_none_320485a967710068\DefaultSystemNotification.contrast-white_scale-100.png	smss.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_inf_.netframework_266880c2626e99c6.cdf-ms	smss.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_c_firmware.inf-languagepack_31bf3856ad364e35_10.0.22000.1_uk-ua_f76bd51e38f583d4.manifest	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-composable-switcher.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_58762c3033faa105\ShellComponents.Switcher.fr-FR.pri	smss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-clip.resources_31bf3856ad364e35_10.0.22000.1_de-de_a6bb57a5f08a88c0\clip.exe.mui	smss.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	kendalcp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2232	schtasks.exe
3560	schtasks.exe
3932	schtasks.exe
4908	schtasks.exe
4512	schtasks.exe
4888	schtasks.exe
1476	schtasks.exe
4936	schtasks.exe
2244	schtasks.exe
4556	schtasks.exe
1644	schtasks.exe
3504	schtasks.exe
4696	schtasks.exe
1992	schtasks.exe
872	schtasks.exe
2068	schtasks.exe
3792	schtasks.exe
3888	schtasks.exe
4112	schtasks.exe
5096	schtasks.exe
4460	schtasks.exe
3360	schtasks.exe
3484	schtasks.exe
4304	schtasks.exe
2480	schtasks.exe
1936	schtasks.exe
832	schtasks.exe
3424	schtasks.exe
3368	schtasks.exe
4180	schtasks.exe
5036	schtasks.exe
4472	schtasks.exe
2800	schtasks.exe
2324	schtasks.exe
2452	schtasks.exe
2132	schtasks.exe
868	schtasks.exe
1964	schtasks.exe
764	schtasks.exe
4380	schtasks.exe
2128	schtasks.exe
4008	schtasks.exe
5000	schtasks.exe
992	schtasks.exe
4716	schtasks.exe
2312	schtasks.exe
3940	schtasks.exe
4988	schtasks.exe
4880	schtasks.exe
4720	schtasks.exe
4964	schtasks.exe
1572	schtasks.exe
1648	schtasks.exe
3732	schtasks.exe
3952	schtasks.exe
1456	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2504	reviewDll.exe
2504	reviewDll.exe
2504	reviewDll.exe
2504	reviewDll.exe
2504	reviewDll.exe
2504	reviewDll.exe
2504	reviewDll.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe
5004	smss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5004	smss.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	reviewDll.exe
Token: SeDebugPrivilege	5004	smss.exe
Token: SeDebugPrivilege	4484	OfficeClickToRun.exe
Token: SeDebugPrivilege	4824	spoolsv.exe
Token: SeDebugPrivilege	4560	sihost.exe
Token: SeDebugPrivilege	828	sysmon.exe
Token: SeDebugPrivilege	1716	explorer.exe
Token: SeDebugPrivilege	2856	smss.exe
Token: SeDebugPrivilege	4688	dllhost.exe
Token: SeDebugPrivilege	2032	Idle.exe
Token: SeDebugPrivilege	2756	fontdrvhost.exe
Token: SeManageVolumePrivilege	3732	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 2764	4048	XBinderOutput(1).exe	82
PID 4048 wrote to memory of 2764	4048	XBinderOutput(1).exe	82
PID 4048 wrote to memory of 2764	4048	XBinderOutput(1).exe	82
PID 2764 wrote to memory of 1416	2764	kendalcp.exe	83
PID 2764 wrote to memory of 1416	2764	kendalcp.exe	83
PID 2764 wrote to memory of 1416	2764	kendalcp.exe	83
PID 1416 wrote to memory of 4884	1416	WScript.exe	84
PID 1416 wrote to memory of 4884	1416	WScript.exe	84
PID 1416 wrote to memory of 4884	1416	WScript.exe	84
PID 4884 wrote to memory of 2504	4884	cmd.exe	86
PID 4884 wrote to memory of 2504	4884	cmd.exe	86
PID 2504 wrote to memory of 5004	2504	reviewDll.exe	145
PID 2504 wrote to memory of 5004	2504	reviewDll.exe	145
PID 5004 wrote to memory of 3408	5004	smss.exe	165
PID 5004 wrote to memory of 3408	5004	smss.exe	165
PID 3408 wrote to memory of 2428	3408	cmd.exe	167
PID 3408 wrote to memory of 2428	3408	cmd.exe	167

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        6⤵
        Modifies WinLogon for persistence
        Drops file in Drivers directory
        Manipulates Digital Signatures
        Deletes itself
        Executes dropped EXE
        Indicator Removal: Clear Windows Event Logs
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies termsrv.dll
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\blocksavesperfMonitorDll\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\blocksavesperfMonitorDll\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\sysprep\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sysprep\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\sysprep\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\blocksavesperfMonitorDll\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe
"C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\blocksavesperfMonitorDll\sihost.exe
C:\blocksavesperfMonitorDll\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe
"C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Program Files (x86)\MSBuild\explorer.exe
"C:\Program Files (x86)\MSBuild\explorer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Recovery\WindowsRE\smss.exe
C:\Recovery\WindowsRE\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\blocksavesperfMonitorDll\Idle.exe
C:\blocksavesperfMonitorDll\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\sysprep\en-US\fontdrvhost.exe
C:\Windows\SysWOW64\sysprep\en-US\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Recovery\WindowsRE\smss.exe
C:\Recovery\WindowsRE\smss.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "smss" /f
1⤵
- Process spawned unexpected child process
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "smsss" /f
1⤵
- Process spawned unexpected child process
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "smss" /f
1⤵
- Process spawned unexpected child process
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "smsss" /f
1⤵
- Process spawned unexpected child process
PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\cc11b995f2a76d

Filesize
185B

MD5
f7cc8b20f7779d16bf88b1cd0f669863

SHA1
7a76976f1d981208fd4d48935e87f1a569324292

SHA256
85baa3c5d7e01742f76e171f0b5c18bcf6df6ce15c4353fdd31c2ab5db693002

SHA512
7fc09e8ee10b6cd5bf59b7422d669e4134003533504478af7f0f9093cc7cf701de28472cda053cee7760595ca4b69624f37c43385334af128564f98934f1269e

Download Submit
C:\Program Files (x86)\Internet Explorer\it-IT\6203df4a6bafc7

Filesize
791B

MD5
4021646abcac93dd653c0945760eccfe

SHA1
32f25d3a8338eef290ca18b17d453df9920a4898

SHA256
3728daa7633647470c919f9c7b714a5c26697f4325ca56d65d2ab43efc532584

SHA512
22a7353080147f82c68463d319711a66a879699ca57c1c5ec206b9d7d660d606708c7606a0e98ac058f63b53ee9f9534637cd20598536d6a631331474b61bf24

Download Submit
C:\Program Files (x86)\MSBuild\7a0fd90576e088

Filesize
84B

MD5
c75bcd1169136f743bbce4a9d83f6376

SHA1
c24ba2ebc08d11aadbb98001e68fa2e4d9782beb

SHA256
900e3a9456982be2958aef0aea32118ddeebbff56882993f102306617c6d5493

SHA512
65f00b91133671d9dc64456ec4ac673892370f2f73367e6e3a9d5544ecbda52d31ed2385c076651b2fd5d93f36306c4b13d532d90cadbf1f99849fc818b98ae0

Download Submit
C:\Program Files (x86)\Windows Media Player\de-DE\e6c9b481da804f

Filesize
992B

MD5
e53655afd96df73f5e883ec7cec4b6d7

SHA1
f9a3fce3f15a296bba5e7e769a6a66c9c2937c47

SHA256
03de8d927dd4d302e2410ad746730ed200121b56b9adffcf6e461ded3493f870

SHA512
a1ef2b38fe85566cc5ebd1cb07f1ace7ab2e48d2d0984a530e1aee66784f7b9ba41ee1845968abeadb96e57448fae4191f7ded0419f88702c668771bc2a83a70

Download Submit
C:\Program Files\7-Zip\Lang\ee2ad38f3d4382

Filesize
98B

MD5
1ae32d6378eb5bd644f0fb36ae4df142

SHA1
75a4948dfd34711b7fb10333a21d02a2c0733b2d

SHA256
6b20072441126d5ead25112169888deae110de6d6a2884d8cbe3a24deb9c2d94

SHA512
5a25ecbf40eda024c1326b52513d1f66f31455d25a9b7934d87f43cc91e4e5b4ee301ae1907118d1ed7f63e38d200e42f632641154b843e4cf3a8a932608c076

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\121e5b5079f7c0

Filesize
383B

MD5
5ba1e2bd94bbae82dee009a2597ff42d

SHA1
fbc0386faa4d398de028642e669729cd47a907e9

SHA256
6712f5625e0853f35983d29a16a2935c3dde610754aeab8a8e371646917f3aa0

SHA512
f04fb512dec2c3f838ef3ef0540e8b2f95784491cb695b1e730876fb586f5d61765d3d405b23cfcf77a1f684082227d138bcaddd165951d4a57f4116bfd4a408

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\27d1bcfc3c54e0

Filesize
986B

MD5
645becc9f2657377202edef4bf7b628f

SHA1
4a625a4a032d9cf07064d4d288b2565238b59e6b

SHA256
e29ad3ab3d970ac0b506107985d1fa2edd20ee274164f009e4663f2f5bd00b45

SHA512
1f0350ccf3373a7c585f8341f158cb2cd816fa694f2451c6b9bea62704a623862d49185dd44dc199f75c741b2178930133963f81ac56a30c5a51ec6bbb3feaef

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\f3b6ecef712a24

Filesize
498B

MD5
aa43104d0406671ff37dc47cb94f8569

SHA1
41050514abe4f2521c1d6b9d8a05035e52362eb1

SHA256
131acb8f993b772249b28d9db21314c1903c2bd2a971bf3f3c52642e6650c8d0

SHA512
969097f41f2b715f39344b1d613a96e2e224d77b8743658f79a61dad7fbc9e633771c01458db5f572b1f0218f6de8727406c314bedafebea3fdf824dafacfb96

Download Submit
C:\Recovery\WindowsRE\5940a34987c991

Filesize
522B

MD5
c1c828bb956a2a389a5a6b1c0ba2ce79

SHA1
367facb8f0c0794950651469a414ea3afa5052e7

SHA256
1fef8e0e7cefb330d12fb8ca9b52ac2d2f5fec2037f5efad7ead2aef9f3e5d2c

SHA512
c068c37be37ddb55d256c5f286a94be6e7db3ff2688439413bd6524e2be2cc9523738b6f9a79d616d9e4031b7eda319ba04a2d08bf843e9c8a6228a4a68da4f2

Download Submit
C:\Recovery\WindowsRE\6203df4a6bafc7

Filesize
602B

MD5
24a16b32eb7ce0b2210358b1d620a5d6

SHA1
437a8cb598c83e763ec20caaed5b9cf5363be1a4

SHA256
fb1f17e789e723d4e3e81e612ac5ecd49017f9a33254fb14412110d8e3c044a2

SHA512
df5e99725625679c25909f2e03955c733bdcf6d92b5f8980fdf235e273f6a04ed5d591edddf5279e784efbafbedb7cf02c19e96a887295bd1210b3736e4e6895

Download Submit
C:\Recovery\WindowsRE\69ddcba757bf72

Filesize
666B

MD5
be5cec236c86ef396cd095d184ee4c5a

SHA1
89870d0d060488de04a905a9d5dd1a765065d0b2

SHA256
f456d0d78b2cfe8c870335d5cbc44d4df90ae08c1ec4635215f1ae23d037ce80

SHA512
a7761f23b5542bc3f5bec9bcde60e0b4d00b4a6f049797cceb6d78095dee42b678b728f944065ba851211a4942c863f7b2cf7f80188a3b10269261b2d34d164d

Download Submit
C:\Recovery\WindowsRE\f3b6ecef712a24

Filesize
846B

MD5
ff545f56c469c98a4fe231942fe8f383

SHA1
cf6985d8e6c3b006869983840977fc128f054433

SHA256
787635ab4508aef1ebaf0d2208b41f7951003f9fe0c629f12301756a9a7548f7

SHA512
d8ed19b3ccf4a4204972ce6513d9d67ad5a47b8e62f4348624ef9cb6ec7b74c39cdea1bca6525d1a64efb5df130887c5f7b44090265fe1e157c201f77f82bc2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XBinderOutput(1).exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewDll.exe.log

Filesize
1KB

MD5
400b532c938aca538f01c5616cf318cd

SHA1
598a59a9434e51a6416f91a4c83bd02505ecb846

SHA256
28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d

SHA512
b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Users\Default\Downloads\e1ef82546f0b02

Filesize
884B

MD5
429c24b0f79a3a452032f0a8c2c5b4c8

SHA1
6b5f9506025da5f5f5af28996d176cfb5e183472

SHA256
5787a78ee233f22e5bf06a9a80c0e65ffc5d42b410bd7365bc4041737670108a

SHA512
f16978e3a16231a377c662de2c50c958ba57339d62eb15e13f43d7bce50fb957eef97381bfb89703fc596f945d7d5e67f6f2fb853e568e29347b1488aac222d4

Download Submit
C:\Windows\Registration\CRMLog\cc11b995f2a76d

Filesize
118B

MD5
2d6855e24699ef1fa23f8dfee2f75bd0

SHA1
c1c01ea184d46920757b4bd9c42a5c1a4af7dfdb

SHA256
cdeb1a564cc5021ac440d379ba63ae81da644e4035c0cc744886be3f31ce80ee

SHA512
0276b1585919fde4fdb16fa10736b1783e4318ccf0bf2485b8f7b508c8cfa4a125c75d3b7da788936037ab5b7db6ba4934424cee493e08201b2485761e7df7ee

Download Submit
C:\blocksavesperfMonitorDll\66fc9ff0ee96c2

Filesize
508B

MD5
c5af94359af2b868bddc1c39469e588c

SHA1
79a9f4500d8fa6fccba6ddae06837f063d74c258

SHA256
c4797ac947430a949f6c90a8e00d6174901dd90c4494c52aad5c47a148ea8c58

SHA512
f11fe5536bf8cbf1c39c5553e769482b52a504d74b5f6f0ee236b3ea54d2c193b4bd9c2992df556be694555e0ffce0f58b8d09bb3ee682502090a7ec463b2bb0

Download Submit
C:\blocksavesperfMonitorDll\6ccacd8608530f

Filesize
161B

MD5
b5f26c7e7c1ee241ab938a6cc6da7d96

SHA1
2d5984efbd24bb7e32938659baec9f66792fbec5

SHA256
8f81f1ef116c7026e4beb46654831f0c8489406b4ba99e52dcd65a261699413a

SHA512
3a4a031e192736f0d3a269833827d004491ed435d47d6b1fe098d4d4060bc7fe58ef2e0fe2c6bb546d7bebcf611304444e984edb6611ee7fb0d62db72a8f6ace

Download Submit
C:\blocksavesperfMonitorDll\7a0fd90576e088

Filesize
559B

MD5
089102ee7bb982ab019f921bb95e26f3

SHA1
2837e60c62d038f3b9b5191eebfd01ac260f9ca3

SHA256
c41197cdd09dcd925aff8420d5337b3157d968416dc3e6729d417f17620b84bb

SHA512
880c10689b67ac0f2b5bea5545e530b9eda1278dd5e1ecccc4f5753995a63199491cc4f31e4839f4b881ac60ae4bb1015e22929ea67b2051710f66db0c54bb35

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\ebf1f9fa8afd6d

Filesize
396B

MD5
3d4fd5b699ce43820166da03dc7a964d

SHA1
0faa7f0fe9bdf8e7ec239aebde8b047814dd9c08

SHA256
cb578162d542211fb0b60ea126de6b2392fbc2465959a4f287e6d9bde974f44e

SHA512
382c14d07f6e344bece9c8b245723c597444e8155af64e83cff7081f61fb44e11a1f14e674932eb681435fbe4bc14d14de9f62b297a80bdbf5163c4ebe5df406

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/2388-140-0x000000001C530000-0x000000001CA60000-memory.dmp

Filesize
5.2MB

Download
memory/2504-25-0x0000000000C10000-0x0000000000CE6000-memory.dmp

Filesize
856KB

Download
memory/3732-184-0x000001DEBAFE0000-0x000001DEBAFE1000-memory.dmp

Filesize
4KB

Download
memory/3732-198-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-182-0x000001DEBAEA0000-0x000001DEBAEA1000-memory.dmp

Filesize
4KB

Download
memory/3732-147-0x000001DEB2B70000-0x000001DEB2B80000-memory.dmp

Filesize
64KB

Download
memory/3732-186-0x000001DEBAFE0000-0x000001DEBAFE1000-memory.dmp

Filesize
4KB

Download
memory/3732-187-0x000001DEBAFF0000-0x000001DEBAFF1000-memory.dmp

Filesize
4KB

Download
memory/3732-188-0x000001DEBAFF0000-0x000001DEBAFF1000-memory.dmp

Filesize
4KB

Download
memory/3732-189-0x000001DEBAFF0000-0x000001DEBAFF1000-memory.dmp

Filesize
4KB

Download
memory/3732-190-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-191-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-192-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-193-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-194-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-195-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-196-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-197-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-199-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-163-0x000001DEB2C70000-0x000001DEB2C80000-memory.dmp

Filesize
64KB

Download
memory/3732-200-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-201-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-203-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-202-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-204-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-205-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-206-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-208-0x000001DEBB020000-0x000001DEBB021000-memory.dmp

Filesize
4KB

Download
memory/3732-207-0x000001DEBB010000-0x000001DEBB011000-memory.dmp

Filesize
4KB

Download
memory/3732-210-0x000001DEBB130000-0x000001DEBB131000-memory.dmp

Filesize
4KB

Download
memory/3732-209-0x000001DEBB020000-0x000001DEBB021000-memory.dmp

Filesize
4KB

Download
memory/3732-211-0x000001DEBB080000-0x000001DEBB081000-memory.dmp

Filesize
4KB

Download
memory/3732-212-0x000001DEBB080000-0x000001DEBB081000-memory.dmp

Filesize
4KB

Download
memory/4048-0-0x00007FFC6FD93000-0x00007FFC6FD95000-memory.dmp

Filesize
8KB

Download
memory/4048-1-0x0000000000050000-0x00000000000EE000-memory.dmp

Filesize
632KB

Download
memory/4048-9-0x00007FFC6FD90000-0x00007FFC70852000-memory.dmp

Filesize
10.8MB

Download
memory/4048-11-0x00007FFC6FD90000-0x00007FFC70852000-memory.dmp

Filesize
10.8MB

Download