dcrat | 5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Size

4.9MB
MD5

fbad13694fbd76b4a28785c6fa12af90
SHA1

35aca1ddefc9672625d9e94fd886810f30eea843
SHA256

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2
SHA512

0e4ec2070b6fde55ea405611c7d8bc73520670608a6dc0e2f605c9a70c96bfa44135f988c7c1c29d20f0a1edd0390e056d9e6d6401d4a8aefee0fa96e1cb447b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	484	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exe5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2380-3-0x000000001B910000-0x000000001BA3E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1276	powershell.exe
716	powershell.exe
1716	powershell.exe
272	powershell.exe
2200	powershell.exe
1536	powershell.exe
2448	powershell.exe
1828	powershell.exe
908	powershell.exe
1532	powershell.exe
536	powershell.exe
1796	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	Process
1588	Idle.exe
2248	Idle.exe
548	Idle.exe
1680	Idle.exe
896	Idle.exe
1364	Idle.exe
2428	Idle.exe
960	Idle.exe
2332	Idle.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exeIdle.exeIdle.exeIdle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 20 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\833a0a0d7fbe38	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Google\5940a34987c991	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\886983d96e3d3e	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXDF8A.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXF825.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\833a0a0d7fbe38	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Google\dllhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXFA96.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXFE9D.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Google\dllhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\101b941d020240	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Google\RCXE595.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Drops file in Windows directory 21 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\winlogon.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\AppPatch\en-US\sppsvc.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\AppPatch\en-US\0a1fd5f707cd16	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Migration\WTR\RCXEE12.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXFC9A.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\winlogon.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Migration\WTR\Idle.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\CSC\v2.0.6\wininit.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXEA0A.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\AppPatch\en-US\RCXEC0E.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\AppPatch\en-US\sppsvc.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Migration\WTR\Idle.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\RCXF219.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\RemotePackages\RemoteApps\cc11b995f2a76d	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\833a0a0d7fbe38	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2524	schtasks.exe
2416	schtasks.exe
2796	schtasks.exe
1756	schtasks.exe
1644	schtasks.exe
1740	schtasks.exe
2748	schtasks.exe
664	schtasks.exe
1104	schtasks.exe
2016	schtasks.exe
2840	schtasks.exe
2784	schtasks.exe
620	schtasks.exe
948	schtasks.exe
700	schtasks.exe
1800	schtasks.exe
1828	schtasks.exe
1780	schtasks.exe
2580	schtasks.exe
2196	schtasks.exe
1248	schtasks.exe
1640	schtasks.exe
1804	schtasks.exe
2652	schtasks.exe
2816	schtasks.exe
2632	schtasks.exe
1364	schtasks.exe
2556	schtasks.exe
860	schtasks.exe
1504	schtasks.exe
1116	schtasks.exe
600	schtasks.exe
800	schtasks.exe
2964	schtasks.exe
2880	schtasks.exe
1392	schtasks.exe
1704	schtasks.exe
2888	schtasks.exe
2636	schtasks.exe
2500	schtasks.exe
1344	schtasks.exe
1556	schtasks.exe
1268	schtasks.exe
2384	schtasks.exe
2120	schtasks.exe
3044	schtasks.exe
1280	schtasks.exe
2232	schtasks.exe
1884	schtasks.exe
2208	schtasks.exe
1636	schtasks.exe
2436	schtasks.exe
768	schtasks.exe
1728	schtasks.exe
1964	schtasks.exe
1808	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	Process
2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
1532	powershell.exe
1796	powershell.exe
1276	powershell.exe
1716	powershell.exe
536	powershell.exe
716	powershell.exe
1828	powershell.exe
908	powershell.exe
1536	powershell.exe
272	powershell.exe
2200	powershell.exe
2448	powershell.exe
1588	Idle.exe
2248	Idle.exe
548	Idle.exe
1680	Idle.exe
896	Idle.exe
1364	Idle.exe
2428	Idle.exe
960	Idle.exe
2332	Idle.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1588	Idle.exe
Token: SeDebugPrivilege	2248	Idle.exe
Token: SeDebugPrivilege	548	Idle.exe
Token: SeDebugPrivilege	1680	Idle.exe
Token: SeDebugPrivilege	896	Idle.exe
Token: SeDebugPrivilege	1364	Idle.exe
Token: SeDebugPrivilege	2428	Idle.exe
Token: SeDebugPrivilege	960	Idle.exe
Token: SeDebugPrivilege	2332	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exeIdle.exeWScript.exeIdle.exeWScript.exeIdle.exeWScript.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 272	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	89
PID 2380 wrote to memory of 272	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	89
PID 2380 wrote to memory of 272	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	89
PID 2380 wrote to memory of 2200	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	90
PID 2380 wrote to memory of 2200	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	90
PID 2380 wrote to memory of 2200	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	90
PID 2380 wrote to memory of 908	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	91
PID 2380 wrote to memory of 908	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	91
PID 2380 wrote to memory of 908	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	91
PID 2380 wrote to memory of 1532	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	92
PID 2380 wrote to memory of 1532	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	92
PID 2380 wrote to memory of 1532	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	92
PID 2380 wrote to memory of 1828	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	94
PID 2380 wrote to memory of 1828	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	94
PID 2380 wrote to memory of 1828	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	94
PID 2380 wrote to memory of 1536	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	95
PID 2380 wrote to memory of 1536	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	95
PID 2380 wrote to memory of 1536	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	95
PID 2380 wrote to memory of 1796	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	97
PID 2380 wrote to memory of 1796	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	97
PID 2380 wrote to memory of 1796	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	97
PID 2380 wrote to memory of 2448	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	98
PID 2380 wrote to memory of 2448	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	98
PID 2380 wrote to memory of 2448	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	98
PID 2380 wrote to memory of 1716	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	99
PID 2380 wrote to memory of 1716	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	99
PID 2380 wrote to memory of 1716	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	99
PID 2380 wrote to memory of 716	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	101
PID 2380 wrote to memory of 716	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	101
PID 2380 wrote to memory of 716	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	101
PID 2380 wrote to memory of 1276	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	102
PID 2380 wrote to memory of 1276	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	102
PID 2380 wrote to memory of 1276	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	102
PID 2380 wrote to memory of 536	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	103
PID 2380 wrote to memory of 536	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	103
PID 2380 wrote to memory of 536	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	103
PID 2380 wrote to memory of 1588	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	113
PID 2380 wrote to memory of 1588	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	113
PID 2380 wrote to memory of 1588	2380	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	113
PID 1588 wrote to memory of 2564	1588	Idle.exe	114
PID 1588 wrote to memory of 2564	1588	Idle.exe	114
PID 1588 wrote to memory of 2564	1588	Idle.exe	114
PID 1588 wrote to memory of 2000	1588	Idle.exe	115
PID 1588 wrote to memory of 2000	1588	Idle.exe	115
PID 1588 wrote to memory of 2000	1588	Idle.exe	115
PID 2564 wrote to memory of 2248	2564	WScript.exe	116
PID 2564 wrote to memory of 2248	2564	WScript.exe	116
PID 2564 wrote to memory of 2248	2564	WScript.exe	116
PID 2248 wrote to memory of 1444	2248	Idle.exe	117
PID 2248 wrote to memory of 1444	2248	Idle.exe	117
PID 2248 wrote to memory of 1444	2248	Idle.exe	117
PID 2248 wrote to memory of 2832	2248	Idle.exe	118
PID 2248 wrote to memory of 2832	2248	Idle.exe	118
PID 2248 wrote to memory of 2832	2248	Idle.exe	118
PID 1444 wrote to memory of 548	1444	WScript.exe	119
PID 1444 wrote to memory of 548	1444	WScript.exe	119
PID 1444 wrote to memory of 548	1444	WScript.exe	119
PID 548 wrote to memory of 2208	548	Idle.exe	120
PID 548 wrote to memory of 2208	548	Idle.exe	120
PID 548 wrote to memory of 2208	548	Idle.exe	120
PID 548 wrote to memory of 584	548	Idle.exe	121
PID 548 wrote to memory of 584	548	Idle.exe	121
PID 548 wrote to memory of 584	548	Idle.exe	121
PID 2208 wrote to memory of 1680	2208	WScript.exe	122

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
"C:\Users\Admin\AppData\Local\Temp\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\Migration\WTR\Idle.exe
  "C:\Windows\Migration\WTR\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1588
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c61d24e8-d350-4f0c-8cce-d58d26afb0fe.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\Migration\WTR\Idle.exe
      C:\Windows\Migration\WTR\Idle.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2248
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed3e4e91-7570-45a3-acf0-58a851511e18.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c94ed26-df72-4a57-8d5c-e446ddd4d30a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddce5539-0bf6-4290-9f33-0929dfb314a6.vbs"
        9⤵
        
        PID:1168
        
        C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82fab213-f5a6-4b7d-8570-080071f1cac2.vbs"
        11⤵
        
        PID:1580
        
        C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ea7056b-e76d-4355-a348-4f62b2b9ef91.vbs"
        13⤵
        
        PID:3012
        
        C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d63ccb08-01ab-4ac8-a8b1-eb5c2ba9acbc.vbs"
        15⤵
        
        PID:1332
        
        C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9eeb6250-3f32-4b48-bbae-26bd315187ce.vbs"
        17⤵
        
        PID:2084
        
        C:\Windows\Migration\WTR\Idle.exe
        
        C:\Windows\Migration\WTR\Idle.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ad8b5d6-b42a-4fea-9b67-e9f6d0514542.vbs"
        19⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2dfa27-4d79-40b0-9c38-1b3d02d8c5b1.vbs"
        19⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54deaf93-aa35-470a-ab99-f44d0e38e984.vbs"
        17⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd8db7c1-f266-4530-baac-058ca6b2eeaf.vbs"
        15⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4ce0ea9-65b9-4c0c-a700-7dc605657404.vbs"
        13⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2998b5fd-0d96-46ba-9d41-836970d6f722.vbs"
        11⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e5601ba-f1cd-404c-b3e4-f7d0f9ad1dc8.vbs"
        9⤵
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d0c6c8c-2645-48a2-85b6-1a3b9f5f35c5.vbs"
        7⤵
        
        PID:584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cb9a6b7-dd2e-4d60-9d43-4cb5ef693569.vbs"
        5⤵
        
        PID:2832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\080599ca-b65f-4c3e-ba93-f5055a898aa0.vbs"
    3⤵
    PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N5" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N5" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N5" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N5" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N5" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N5" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Filesize
4.9MB

MD5
a1cf1fcaab25d64a00f9c30de7983b3f

SHA1
8f06fa4f4bcde37145113822f20ff099be3f91a2

SHA256
058a093811098b21047ed0d4ea3dce733e6bef396ae96764c5b06570b49609dd

SHA512
777de67dd30543ab4fd72134df826e534ddd6d4336a67dee3411386521595b312fc9f2d0fd4ded4d72db3902684f2ac31e66c90862fee3663f397b23b087afc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\080599ca-b65f-4c3e-ba93-f5055a898aa0.vbs

Filesize
485B

MD5
fd1dd102cb1607e2dd875559fcc8b944

SHA1
888b51f66e51989c729944257cce3a29ca59eb6d

SHA256
c8d3ef9f24bc7349e742f3d80df187a23eaa2bf3474d38f5f425c1ee8c8c6527

SHA512
c0251a9dbff3fc201de45f5d646f63a39200bf2d273b074e5436c4148ef9671a85a4cef6b4ffdf23980f737026a2e9b117432f353c7af37a1802713121346c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ea7056b-e76d-4355-a348-4f62b2b9ef91.vbs

Filesize
709B

MD5
6ba2e73ff9e26113261d96185a522dea

SHA1
59695dc6ba2620214bd5bb0463eb38ae51b0afe9

SHA256
72f95a2202b44e7f865fe09002550e83841bbcc797b79581fbf0aafbf2adbefb

SHA512
b7eac3df11b66b5221571cdb385e2089988b560168511f0008d6fd97c3d8e1f4b181a37eceb4549c0293c9574eef1001c6cc3926ca14a1dad976403ba0d793b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c94ed26-df72-4a57-8d5c-e446ddd4d30a.vbs

Filesize
708B

MD5
3df86042a718ab995a814fa10fb369eb

SHA1
2aeeb7a70edea5cfd4c325568cd41e3d45bf3e46

SHA256
07f5e4ed98fad8820b3d5b2cdece60d05bdbde0c4c673f5c5617a1fa75db9380

SHA512
39c237f41a11a5e86849af48e296380458b365403cfbeaede666402a8f085b133603236abc0235302238e00515af0e878261c8feee91645426a928f3eeae1738

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ad8b5d6-b42a-4fea-9b67-e9f6d0514542.vbs

Filesize
709B

MD5
bc11c5a530f36c87243b6b0749ec7429

SHA1
da24f40d951b7f6766a84b7e50f993b2bc5cb5a3

SHA256
64e3a435682984a4a8affc6c2406637ebb9a65c6f485b5fc02a5b82a7610d860

SHA512
416891b9d595aa8148307269121677a7523c62b674d3f6a39ace24c5e24deed67017525e77977800503712035f47f0e52c977543af2e1aa63baa3c1ff70446dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\82fab213-f5a6-4b7d-8570-080071f1cac2.vbs

Filesize
708B

MD5
f3c290900270949da951a5b35f16cf9c

SHA1
7e3030905f698312c15e32aba9915d7719e86e5a

SHA256
384ebb4d933afa033c4ee1d26809025944e0f3df94c77fcf9a6836a3485ac935

SHA512
dbdfad45b719ce5b3ff412f2dfda0d9caf80693f1718d864362c4bc8042fc5c24740fe2dab40c5e6d560cd16c656235c9423ab3acd6a15028d5e1bc5ddf55dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9eeb6250-3f32-4b48-bbae-26bd315187ce.vbs

Filesize
708B

MD5
6dcaab0932e8ff2dc7f2c79c91e04dab

SHA1
630cf33c510cabedb0dfda9572022649bc78b30a

SHA256
8ac7b34bb28cdf137da10843cb6a8a1c8ddcaf340077b6bdef0e53713acfbc8e

SHA512
429c563c7684f784fff63bcb55c1b16656090e988db1feb43e343e75c303fb06efc92033c5623ba81fe3a6a3b0d66cb997a9300f48580bf571256a1d14cedc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\c61d24e8-d350-4f0c-8cce-d58d26afb0fe.vbs

Filesize
709B

MD5
2d92cd66af688637156fec8208c69d38

SHA1
cb22baf186b28181c48a2153e6a2b0d79e0d4d12

SHA256
41659fbd190c41700bae0443cd36fcc9ab36c725cd7137c03cbd1cf2e649debd

SHA512
27bb819b44ed32990fbcb905bdc35fe51d342ce488b0f61ff7841b56a3244282001d2c54002fd610f4442747247232ac72df937a7d38f49b899962394c899942

Download Submit
C:\Users\Admin\AppData\Local\Temp\d63ccb08-01ab-4ac8-a8b1-eb5c2ba9acbc.vbs

Filesize
709B

MD5
a0b71c93e8752f081546d927dd34a1fe

SHA1
30681573d70344ba54d1587ad4df6f31f0e98d3f

SHA256
87f97c03806b96c40573d4f8f1630e4d29c283b67ad8b95e44fa9145ef98925e

SHA512
6806616f4a593f3f66a29369e9ce80703332bbe93d960ef683bf66a0b24013a621ee76624b1db5df6812f736457be93ccae17d2a52f5fca9cf811a0e94d71be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddce5539-0bf6-4290-9f33-0929dfb314a6.vbs

Filesize
709B

MD5
15b2bfb9b920a738177d0148a23629de

SHA1
ad65844af6a7bc089aac16ef4e9708e9a5411db1

SHA256
f2d43d7f8c8cf62c7182ffaf74a27a249c5455fbc4a1ac502b263ad52c6ac43e

SHA512
a17ef5c10d6d715dcef1671c1219cc38fc9f234faa3fb18d19e57334d3ec223de967f20fc68504dbfe5edab74952e0d8e92dc9c2d2f26cfd1837977cfa1691ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddd1e17670373e33c95e500db3664a00d1963bb2.exe

Filesize
4.9MB

MD5
38222a900e7bd69bdc295b2e4c7a0262

SHA1
5db57e783d3ae20f5e9fc03c1bd23176feca9e0e

SHA256
a2ea125fb85d5acef6b69bbaa57750284eebc876c3e843cd4be87dfe80530295

SHA512
5d127f7266e7fe9725d45fac03ea3943e9d5ce46d14ecce8b330b10127e0d402e266f84f36719c3c4ef1e105e6f4fc782f0e0918d759ac3a9a4cbefe04c3f921

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed3e4e91-7570-45a3-acf0-58a851511e18.vbs

Filesize
709B

MD5
c38142ecea94e67247df084404d0d971

SHA1
1d4baf5f2cb547abc5f2286d6c0d3c5a6200f472

SHA256
fcf802abc5180f0446cb5d8dfd54b92ecb028f77592c7c1b4e1bd883558218a4

SHA512
8bbdef5d8bf6ce77988f859d0f5f90d7ea98357ae1b6e6de4c84b87a7a0e3d074ba58436f6a9ca7d684068eb1c51e011083a054e6edb7fef6a2c576ec2192c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5c3474724ac6e6ca8616a56b6c56862

SHA1
f8ee571c401d9303b72f195cb9a9449808b87516

SHA256
9a557e430ae2c555f77061c1b0a702ca155532b50f236c95c67507e82c7a05f6

SHA512
20e3a4b084e72e7fa42717d70626b3d54430a95eef2ab577b4bdd08ed6ca00e64cfc5d49dfc8ed5a8fc68f4f0dad702dd8e16b3d70b620f593559a8a31dc257b

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe

Filesize
4.9MB

MD5
fbad13694fbd76b4a28785c6fa12af90

SHA1
35aca1ddefc9672625d9e94fd886810f30eea843

SHA256
5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2

SHA512
0e4ec2070b6fde55ea405611c7d8bc73520670608a6dc0e2f605c9a70c96bfa44135f988c7c1c29d20f0a1edd0390e056d9e6d6401d4a8aefee0fa96e1cb447b

Download Submit
C:\Windows\AppPatch\en-US\RCXEC0E.tmp

Filesize
4.9MB

MD5
af535a0ef6f6b7ceeff0ab53e8c63b58

SHA1
103faa555284eb5d31d20ee11bb259d7030f968f

SHA256
ef65b4cd9779030cc1837155feebfeae0410c87291c9bdc6e3ae711e8b29c16b

SHA512
7703d512591a0e4694841970473cffba18e93ee5bc16d41f7eef97ee1b2b8228c3d0163a870b6f220c1680d064284a0ee3840aca381bce29e2e81cad0bcedd7a

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/896-316-0x0000000000920000-0x0000000000E14000-memory.dmp

Filesize
5.0MB

Download
memory/960-361-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1532-257-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1588-258-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/1588-197-0x00000000013D0000-0x00000000018C4000-memory.dmp

Filesize
5.0MB

Download
memory/1680-301-0x0000000000070000-0x0000000000564000-memory.dmp

Filesize
5.0MB

Download
memory/1796-211-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2248-272-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2332-376-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/2380-10-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2380-8-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2380-15-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2380-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2380-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2380-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2380-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2380-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2380-163-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2380-9-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2380-198-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-7-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/2380-6-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2380-5-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2380-1-0x0000000000D70000-0x0000000001264000-memory.dmp

Filesize
5.0MB

Download
memory/2380-149-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2380-2-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-3-0x000000001B910000-0x000000001BA3E000-memory.dmp

Filesize
1.2MB

Download
memory/2428-346-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2428-345-0x0000000000B40000-0x0000000001034000-memory.dmp

Filesize
5.0MB

Download