dcrat | 175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Size

4.9MB
MD5

303d8c66df0ffc6d289235da26a7e6d7
SHA1

6bbf1deae5b1811adb32856f563e9014b7fc9661
SHA256

175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6
SHA512

509668909753ea4a1143690b8367911195d40feb42c2e0bcfe8cbcaa796411622beb28728bbd527d4e033986703bb443c1a60b8b2caec880e8e509948f1fef00
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2804	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2972-3-0x000000001B4E0000-0x000000001B60E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
320	powershell.exe
2140	powershell.exe
2900	powershell.exe
992	powershell.exe
2236	powershell.exe
1032	powershell.exe
2848	powershell.exe
548	powershell.exe
944	powershell.exe
2432	powershell.exe
2956	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2152	OSPPSVC.exe
1340	OSPPSVC.exe
2928	OSPPSVC.exe
1528	OSPPSVC.exe
2212	OSPPSVC.exe
3028	OSPPSVC.exe
2140	OSPPSVC.exe
1708	OSPPSVC.exe
1756	OSPPSVC.exe
2368	OSPPSVC.exe
984	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\75a57c1bdf437c	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files\Java\jre7\lib\69ddcba757bf72	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX12A1.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\WMIADAP.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX1BC9.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\RCX24B2.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\smss.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files\Uninstall Information\smss.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\WMIADAP.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files\Java\jre7\lib\smss.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\WMIADAP.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\75a57c1bdf437c	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCX2723.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\WMIADAP.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\6203df4a6bafc7	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\ehome\winlogon.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\RCX1DCD.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\ehome\cc11b995f2a76d	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\24dbde2999530e	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\Microsoft.NET\b75386f1303e64	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\69ddcba757bf72	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\Microsoft.NET\taskhost.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX2241.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\Prefetch\ReadyBoot\lsass.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\Microsoft.NET\taskhost.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\WmiPrvSE.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXBBB.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\Microsoft.NET\RCX1754.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\RCX737.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\AppCompat\Programs\explorer.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\AppCompat\Programs\7a0fd90576e088	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\ehome\RCX2C1.tmp	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\lsass.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File opened for modification	C:\Windows\AppCompat\Programs\explorer.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\ehome\winlogon.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\WmiPrvSE.exe	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3044	schtasks.exe
2196	schtasks.exe
1000	schtasks.exe
1568	schtasks.exe
2224	schtasks.exe
2556	schtasks.exe
1996	schtasks.exe
632	schtasks.exe
1524	schtasks.exe
2740	schtasks.exe
2792	schtasks.exe
2436	schtasks.exe
876	schtasks.exe
2672	schtasks.exe
2092	schtasks.exe
2500	schtasks.exe
1980	schtasks.exe
1072	schtasks.exe
2504	schtasks.exe
1356	schtasks.exe
696	schtasks.exe
2272	schtasks.exe
112	schtasks.exe
320	schtasks.exe
796	schtasks.exe
2952	schtasks.exe
2472	schtasks.exe
756	schtasks.exe
2164	schtasks.exe
928	schtasks.exe
2884	schtasks.exe
908	schtasks.exe
984	schtasks.exe
2020	schtasks.exe
2168	schtasks.exe
1308	schtasks.exe
2568	schtasks.exe
2676	schtasks.exe
1660	schtasks.exe
1676	schtasks.exe
896	schtasks.exe
2652	schtasks.exe
1728	schtasks.exe
2828	schtasks.exe
2612	schtasks.exe
1460	schtasks.exe
1068	schtasks.exe
2208	schtasks.exe
1488	schtasks.exe
2988	schtasks.exe
2668	schtasks.exe
1664	schtasks.exe
1120	schtasks.exe
1852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
2140	powershell.exe
320	powershell.exe
992	powershell.exe
944	powershell.exe
2432	powershell.exe
2900	powershell.exe
1032	powershell.exe
2844	powershell.exe
548	powershell.exe
2956	powershell.exe
2236	powershell.exe
2848	powershell.exe
2152	OSPPSVC.exe
1340	OSPPSVC.exe
2928	OSPPSVC.exe
1528	OSPPSVC.exe
2212	OSPPSVC.exe
3028	OSPPSVC.exe
2140	OSPPSVC.exe
1708	OSPPSVC.exe
1756	OSPPSVC.exe
2368	OSPPSVC.exe
984	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2152	OSPPSVC.exe
Token: SeDebugPrivilege	1340	OSPPSVC.exe
Token: SeDebugPrivilege	2928	OSPPSVC.exe
Token: SeDebugPrivilege	1528	OSPPSVC.exe
Token: SeDebugPrivilege	2212	OSPPSVC.exe
Token: SeDebugPrivilege	3028	OSPPSVC.exe
Token: SeDebugPrivilege	2140	OSPPSVC.exe
Token: SeDebugPrivilege	1708	OSPPSVC.exe
Token: SeDebugPrivilege	1756	OSPPSVC.exe
Token: SeDebugPrivilege	2368	OSPPSVC.exe
Token: SeDebugPrivilege	984	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2140	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	86
PID 2972 wrote to memory of 2140	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	86
PID 2972 wrote to memory of 2140	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	86
PID 2972 wrote to memory of 548	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	87
PID 2972 wrote to memory of 548	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	87
PID 2972 wrote to memory of 548	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	87
PID 2972 wrote to memory of 320	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	88
PID 2972 wrote to memory of 320	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	88
PID 2972 wrote to memory of 320	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	88
PID 2972 wrote to memory of 2956	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	90
PID 2972 wrote to memory of 2956	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	90
PID 2972 wrote to memory of 2956	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	90
PID 2972 wrote to memory of 2844	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	93
PID 2972 wrote to memory of 2844	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	93
PID 2972 wrote to memory of 2844	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	93
PID 2972 wrote to memory of 2848	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	94
PID 2972 wrote to memory of 2848	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	94
PID 2972 wrote to memory of 2848	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	94
PID 2972 wrote to memory of 1032	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	95
PID 2972 wrote to memory of 1032	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	95
PID 2972 wrote to memory of 1032	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	95
PID 2972 wrote to memory of 2236	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	96
PID 2972 wrote to memory of 2236	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	96
PID 2972 wrote to memory of 2236	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	96
PID 2972 wrote to memory of 2432	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	97
PID 2972 wrote to memory of 2432	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	97
PID 2972 wrote to memory of 2432	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	97
PID 2972 wrote to memory of 992	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	98
PID 2972 wrote to memory of 992	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	98
PID 2972 wrote to memory of 992	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	98
PID 2972 wrote to memory of 944	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	99
PID 2972 wrote to memory of 944	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	99
PID 2972 wrote to memory of 944	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	99
PID 2972 wrote to memory of 2900	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	100
PID 2972 wrote to memory of 2900	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	100
PID 2972 wrote to memory of 2900	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	100
PID 2972 wrote to memory of 2152	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	103
PID 2972 wrote to memory of 2152	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	103
PID 2972 wrote to memory of 2152	2972	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe	103
PID 2152 wrote to memory of 1836	2152	OSPPSVC.exe	111
PID 2152 wrote to memory of 1836	2152	OSPPSVC.exe	111
PID 2152 wrote to memory of 1836	2152	OSPPSVC.exe	111
PID 2152 wrote to memory of 1900	2152	OSPPSVC.exe	112
PID 2152 wrote to memory of 1900	2152	OSPPSVC.exe	112
PID 2152 wrote to memory of 1900	2152	OSPPSVC.exe	112
PID 1836 wrote to memory of 1340	1836	WScript.exe	113
PID 1836 wrote to memory of 1340	1836	WScript.exe	113
PID 1836 wrote to memory of 1340	1836	WScript.exe	113
PID 1340 wrote to memory of 1740	1340	OSPPSVC.exe	114
PID 1340 wrote to memory of 1740	1340	OSPPSVC.exe	114
PID 1340 wrote to memory of 1740	1340	OSPPSVC.exe	114
PID 1340 wrote to memory of 1760	1340	OSPPSVC.exe	115
PID 1340 wrote to memory of 1760	1340	OSPPSVC.exe	115
PID 1340 wrote to memory of 1760	1340	OSPPSVC.exe	115
PID 1740 wrote to memory of 2928	1740	WScript.exe	116
PID 1740 wrote to memory of 2928	1740	WScript.exe	116
PID 1740 wrote to memory of 2928	1740	WScript.exe	116
PID 2928 wrote to memory of 320	2928	OSPPSVC.exe	117
PID 2928 wrote to memory of 320	2928	OSPPSVC.exe	117
PID 2928 wrote to memory of 320	2928	OSPPSVC.exe	117
PID 2928 wrote to memory of 2412	2928	OSPPSVC.exe	118
PID 2928 wrote to memory of 2412	2928	OSPPSVC.exe	118
PID 2928 wrote to memory of 2412	2928	OSPPSVC.exe	118
PID 320 wrote to memory of 1528	320	WScript.exe	119

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe
"C:\Users\Admin\AppData\Local\Temp\175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2152
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b6fc1c-39d5-4284-a6fd-72d9e7c645c6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1340
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\746dd3cc-6b6b-4111-ac44-5433bb89a1af.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca2b1462-74b3-41d7-8ced-41ea8a62fb64.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d218539-aabe-4068-b575-1c57a2442169.vbs"
        9⤵
        
        PID:1324
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29cf4294-384a-4cfd-8fbe-4ca8b5e81f65.vbs"
        11⤵
        
        PID:1208
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c4fdb16-c8c2-45d7-a4d4-b90f390b2486.vbs"
        13⤵
        
        PID:684
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93cdadf8-35c7-49f1-bd61-fc3d35847432.vbs"
        15⤵
        
        PID:964
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96157a72-2dc9-4457-b2e3-aae5de41ae60.vbs"
        17⤵
        
        PID:2384
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09c7bb5e-99e2-4958-8ec3-e88253c528db.vbs"
        19⤵
        
        PID:2512
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58b8ff20-fa99-4a51-9db3-ccef734e8fd8.vbs"
        21⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f04665b-6d6b-432a-88b9-f6d924d2b731.vbs"
        23⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43c4eae9-4c64-4c25-9813-a9d2026abf9d.vbs"
        23⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2e116b8-d8a2-4909-a272-431645f248b5.vbs"
        21⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3686aee4-37c4-4a64-b0b6-8a43205c4ee8.vbs"
        19⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f88cb976-2eb5-422d-964c-d3a3ca3dc4c7.vbs"
        17⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fa0d26b-a363-40a9-a957-40c4bfface31.vbs"
        15⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c37829b-cd0f-4bd0-aa7a-b038bb30a5ee.vbs"
        13⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be7ff298-593c-4dca-a3c1-636d7c40d3ac.vbs"
        11⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00dc437c-8d7e-441c-9a7a-da117ffc056d.vbs"
        9⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a331cebb-fe17-44c6-8e53-05287551f4e0.vbs"
        7⤵
        
        PID:2412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dda4705-90a7-48f1-918b-a351e0cc720e.vbs"
        5⤵
        
        PID:1760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51b253b5-89bc-4ee7-905f-b2677101b3a1.vbs"
    3⤵
    PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ehome\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\WwanSvc\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WwanSvc\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\WwanSvc\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe

Filesize
4.9MB

MD5
303d8c66df0ffc6d289235da26a7e6d7

SHA1
6bbf1deae5b1811adb32856f563e9014b7fc9661

SHA256
175b37895ceccd1ac88905f3c6459fc96e9f3f6172942f85b835391d24fdd6a6

SHA512
509668909753ea4a1143690b8367911195d40feb42c2e0bcfe8cbcaa796411622beb28728bbd527d4e033986703bb443c1a60b8b2caec880e8e509948f1fef00

Download Submit
C:\Program Files\Uninstall Information\smss.exe

Filesize
4.9MB

MD5
00deb4b2d22cb83002e312dfa303df52

SHA1
009d62fcb339136d80ea03118ae9006dd2a6ba84

SHA256
633e2c55391500ac89cf0601d36e38958443fa04554b10faddc0e4941a3133c0

SHA512
65243e5f4589f501e04fb0637e86eb7a20c37b37be4409b3a10a65ad3077842ecfbd4fe42de073088f7887e6187e4f77fc1e717d86366048d71ba3d4d76d54aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\09c7bb5e-99e2-4958-8ec3-e88253c528db.vbs

Filesize
750B

MD5
b029f5befa7b0336bd2ff7452caca13b

SHA1
c5e6a46314beda9aafdf72b9eebda361d1e3cc04

SHA256
6c7337552d121c4cdff330200f69faae0eb662b84882911bf9fd6c868e1ad6d1

SHA512
c3319e8a84c9f188dcc27e481d5b774ac2fc2a356f649680418c45395e44d90fcb9e10c7fa3ac9f0887acf420d8b7b08de7703e070d0b9662f48c6cf7eed928b

Download Submit
C:\Users\Admin\AppData\Local\Temp\29cf4294-384a-4cfd-8fbe-4ca8b5e81f65.vbs

Filesize
750B

MD5
d38ca7a432898bfebc4e401a54416bed

SHA1
8c56d46dfbd261858bd2d655189849652a59295e

SHA256
844c4c8430003ab2de38726b7420783dc20096674ba1392219bacbe580706949

SHA512
583fbebc5def44b29de735d8816fafb92c0a7271d1593fbcd1b3517ebb3fba1ca43969670d25c9b84ba9a1699bf1943f1315bc4065e6d3330894928fa4f285fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f04665b-6d6b-432a-88b9-f6d924d2b731.vbs

Filesize
749B

MD5
3945f6b1be6fcaa721833b76fd31bba0

SHA1
4f16bc712fa01484ca60029f437f4b2900529334

SHA256
e505b6f2f92890d6f1e162b1e71a0085001569985c4c04288a139eea47b83058

SHA512
04a420286580328a6f390019093ba0df324d4322f890d8c749991184b2479017372bbe7de90252b7de78c4f25d03620c15e31062e39d1737106e77f0a71610f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\51b253b5-89bc-4ee7-905f-b2677101b3a1.vbs

Filesize
526B

MD5
64cd3d607105106ab3016c26416ebab8

SHA1
3838df1d73af8000be993758ecdfed7426fdd4a2

SHA256
f940f59aa85d4dc00ade1afa6be378e4923ec4adae774de1a5bf8e9c9b99deef

SHA512
d541a3ffa6f47d981d9f14022bd0b5e1b48b133a15a5d51510d09594aa392675edc0a0218cc23354bb6539cc595015e0ea6a7e2e06824e197430aae29b45fbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\58b8ff20-fa99-4a51-9db3-ccef734e8fd8.vbs

Filesize
750B

MD5
3638207dc73115ca2f7330277adafdc0

SHA1
d57b717f149f75e170aaf6af53f30ad0ff778d95

SHA256
1816a26c6c56d6979407900cf029b269b30ee1fa1a42b18fc09ae325ab3e4372

SHA512
96a0c7bb26b7d4b793001db5754b759d2b18077b035c47db12a08f18482a1beb74f84af070d7943c687543cf325e9f1be537d4b63d82cc66dd540efe576a3eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c4fdb16-c8c2-45d7-a4d4-b90f390b2486.vbs

Filesize
750B

MD5
70e54588ba055f081d485993e5bc124b

SHA1
aa2a05b7b385b90768bf547fa1b067b7051c9672

SHA256
e9f863226c86a119a879edadc127b117494512624390865be47f866df80edad7

SHA512
6df78c915c9f0f8a7edc049daa15751866dece37e7829b90cf9cf84a544acbfadee804128be6e5a771d90aab04fb0be3f180dffc6b94de5b57ebb0e46f128e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\746dd3cc-6b6b-4111-ac44-5433bb89a1af.vbs

Filesize
750B

MD5
3d0b521fffd36a48f62e5a5a7ee4f2b5

SHA1
171dbafcecddd9a2ae4ceee040af4d821827abba

SHA256
23f322fa1bcf32dea3225bf187a8e819b3a2830c9fd6dc34a9071fd399b46440

SHA512
e2207f86f0f92a353c451c1e9983405f64ae637010e81192347f813cec1de06594539b0ea372c536a9273f3d7f69eee77365dec06e57e628503c7e2828dc1e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\76b6fc1c-39d5-4284-a6fd-72d9e7c645c6.vbs

Filesize
750B

MD5
57235131cb5f4fb0210d82a7ba4557e4

SHA1
2c5aeeee84329afc79ef481f7be9b48d4257ff3a

SHA256
d4c38ed3e06584209c9854cf1d7927d124c3861db2f594d9b6c207da750a2abd

SHA512
8169d2eaaace70cb42fb819a730c474e569b40ec7e7c6302f99b8dfdcda1f3efd16dfde6ff6fadaccbf82df489ab801cb29fb66e6d8bad8f4edf6dc84feb268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\93cdadf8-35c7-49f1-bd61-fc3d35847432.vbs

Filesize
750B

MD5
2d9ca170f4dc5a9b90984fef3a7b3bd8

SHA1
66ff27d3391e20de9f14d1d6bd6de9bbe59376bb

SHA256
6ad4c9b5e6f2b157b0f8f40c6e988a9bcad66e0fa211c9527e43ddf1b1c1ad2e

SHA512
2773ff827c8dfc170b8e3a6fd6ac0d984ddce378e1d52cb8986d95efd4921f657612561bfc0fcf6d145a6d5200be31de16f4af491f1dc2921e6c8ef77f37ae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\96157a72-2dc9-4457-b2e3-aae5de41ae60.vbs

Filesize
750B

MD5
d210d58e2cf4dad176976483396bb710

SHA1
e40a1c50c2502a5d46c498fb414dbbed625da6eb

SHA256
b361d9c6ec56e2a762eb65f7297c05d1121e35a42ab466480664ec02e5cd1a59

SHA512
d4ec6876046512204821b9774b26c18be5344bb89e00950c0c9834b148a1d521a30e39f344984d1fd7ffc768e633f2e54dcf6518e32fc9fe60e0d0b3f4927ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca2b1462-74b3-41d7-8ced-41ea8a62fb64.vbs

Filesize
750B

MD5
af70de9ee46d3dbc2a010031bf2b4d04

SHA1
0c348b2cedcc6e8cbffbd11a77e6fed0d33c7f20

SHA256
e662401ae5c1074959b29090756e8f82542a86cc04b20dace70b227dcea47cc8

SHA512
54aee515acd4ae98fcc6e7ad1412d3f83cb9baba6571559e7da48b8ff03b39612739179d1587a8d6e0d842291925da87e670c4aeaef4fa51499e18ff9bcb46d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3708.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e4d3b7ec5b4403f71c3507d73307a1e9

SHA1
8100acd4a8ec42d2498aae1d2d3821658b31d4c7

SHA256
93ca7758f27652196fe489e8b070b38facfefcb3b9a297665eb0541c5fc61ba7

SHA512
5146da757a24a8152be5d50b1968cece58557d513852fd2350e54bf02ad42c850483d23e41af5e0fb0b2211f7c4ef96966695d345b638f5e669a62fcd3aeb5ed

Download Submit
C:\Windows\Microsoft.NET\RCX1754.tmp

Filesize
4.9MB

MD5
e75a6c915de22c8768a8177825e2541a

SHA1
3b37b405bd3936d3231c52797f15f3ce343b6320

SHA256
b6fb198db3a4dc96e1ae64d00711e84ebf57c429ce8bd6dcadb2427776c4dbbc

SHA512
0ba223130b511566d9d03eb7ef0ba9b96cb8517d450660c948b35ccd41bb1ad49e27431c72f2962850604e5ea931a3c91381fd1e797e8f0ae738a05c8dd57f45

Download Submit
C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe

Filesize
4.9MB

MD5
2bab4241bee447f0e1783f6d1ce14d4b

SHA1
2ca1fe3f74ec9ceea926562f872e17923ccc4e89

SHA256
193e886e6af76cd4accb18924dd69ff440b603e5f3244887f93f8801d92a0303

SHA512
084f16c92ef844c65cde092dbd4fb302be9d2776d9c0fc3286a92b574dc489260a6c210eb735d1f73b49b7875f947a861a92d05907f7a13d82dd61e05e8eef2c

Download Submit
memory/1340-258-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/1756-361-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/2140-193-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2140-332-0x00000000012F0000-0x00000000017E4000-memory.dmp

Filesize
5.0MB

Download
memory/2140-190-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2152-244-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2152-191-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2212-301-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/2368-375-0x00000000013D0000-0x00000000018C4000-memory.dmp

Filesize
5.0MB

Download
memory/2928-273-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2972-12-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2972-6-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2972-149-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-135-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2972-14-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2972-16-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/2972-15-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2972-13-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/2972-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2972-11-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/2972-10-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/2972-1-0x0000000000BA0000-0x0000000001094000-memory.dmp

Filesize
5.0MB

Download
memory/2972-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-9-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2972-8-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2972-7-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/2972-192-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-5-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2972-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2972-3-0x000000001B4E0000-0x000000001B60E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-317-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/3028-316-0x0000000000910000-0x0000000000E04000-memory.dmp

Filesize
5.0MB

Download