dcrat | 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Size

4.9MB
MD5

0f75edb514278b6e45793f61c9a91a50
SHA1

e767580f580339a4b7091fc105ffebfbb7d00f03
SHA256

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c
SHA512

940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2748	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2748	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2384-3-0x000000001B750000-0x000000001B87E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1648	powershell.exe
1784	powershell.exe
2512	powershell.exe
2896	powershell.exe
2120	powershell.exe
1508	powershell.exe
2608	powershell.exe
1232	powershell.exe
2128	powershell.exe
1072	powershell.exe
332	powershell.exe
2628	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	process
2404	services.exe
1772	services.exe
2072	services.exe
3060	services.exe
2384	services.exe
1596	services.exe
2320	services.exe
2596	services.exe
1004	services.exe
1952	services.exe
2784	services.exe
2664	services.exe
1644	services.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 20 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RCXBE7D.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Idle.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\OSPPSVC.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\1610b97d3ab4a7	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\OSPPSVC.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Windows Mail\it-IT\Idle.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXA49A.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCXC0EE.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\DVD Maker\fr-FR\886983d96e3d3e	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\csrss.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\42af1c969fbb7b	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\DVD Maker\fr-FR\csrss.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXB11F.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCXC4F6.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\5940a34987c991	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files\Windows Mail\it-IT\6ccacd8608530f	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

Drops file in Windows directory 8 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

description	ioc	process
File created	C:\Windows\PLA\System\Idle.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\PLA\System\6ccacd8608530f	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\Speech\RCXA8A2.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\Speech\OSPPSVC.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\PLA\System\RCXAAA6.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\PLA\System\Idle.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\Speech\OSPPSVC.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\Speech\1610b97d3ab4a7	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3068	schtasks.exe
3032	schtasks.exe
860	schtasks.exe
1108	schtasks.exe
1976	schtasks.exe
1136	schtasks.exe
1728	schtasks.exe
2644	schtasks.exe
1984	schtasks.exe
2440	schtasks.exe
1792	schtasks.exe
2096	schtasks.exe
2956	schtasks.exe
2784	schtasks.exe
2656	schtasks.exe
852	schtasks.exe
2388	schtasks.exe
2772	schtasks.exe
2020	schtasks.exe
1160	schtasks.exe
1824	schtasks.exe
2604	schtasks.exe
2044	schtasks.exe
2928	schtasks.exe
2008	schtasks.exe
2640	schtasks.exe
2620	schtasks.exe
1652	schtasks.exe
2212	schtasks.exe
108	schtasks.exe
1404	schtasks.exe
1752	schtasks.exe
2452	schtasks.exe
3060	schtasks.exe
332	schtasks.exe
792	schtasks.exe
1708	schtasks.exe
664	schtasks.exe
2920	schtasks.exe
2584	schtasks.exe
528	schtasks.exe
2628	schtasks.exe
768	schtasks.exe
1596	schtasks.exe
3008	schtasks.exe
2404	schtasks.exe
1188	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	process
2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
2628	powershell.exe
1072	powershell.exe
2120	powershell.exe
1784	powershell.exe
332	powershell.exe
1232	powershell.exe
1648	powershell.exe
2608	powershell.exe
2512	powershell.exe
2896	powershell.exe
1508	powershell.exe
2128	powershell.exe
2404	services.exe
1772	services.exe
2072	services.exe
3060	services.exe
2384	services.exe
1596	services.exe
2320	services.exe
2596	services.exe
1004	services.exe
1952	services.exe
2784	services.exe
2664	services.exe
1644	services.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2404	services.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1772	services.exe
Token: SeDebugPrivilege	2072	services.exe
Token: SeDebugPrivilege	3060	services.exe
Token: SeDebugPrivilege	2384	services.exe
Token: SeDebugPrivilege	1596	services.exe
Token: SeDebugPrivilege	2320	services.exe
Token: SeDebugPrivilege	2596	services.exe
Token: SeDebugPrivilege	1004	services.exe
Token: SeDebugPrivilege	1952	services.exe
Token: SeDebugPrivilege	2784	services.exe
Token: SeDebugPrivilege	2664	services.exe
Token: SeDebugPrivilege	1644	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exeservices.exeWScript.exeservices.exeWScript.exeservices.exeWScript.exe

description	pid	process	target process
PID 2384 wrote to memory of 2896	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2896	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2896	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2628	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2628	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2628	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1648	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1648	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1648	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1784	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1784	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1784	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2120	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2120	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2120	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1508	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1508	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1508	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2608	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2608	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2608	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1232	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1232	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1232	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1072	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1072	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 1072	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2512	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2512	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2512	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2128	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2128	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2128	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 332	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 332	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 332	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	powershell.exe
PID 2384 wrote to memory of 2404	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	services.exe
PID 2384 wrote to memory of 2404	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	services.exe
PID 2384 wrote to memory of 2404	2384	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	services.exe
PID 2404 wrote to memory of 2952	2404	services.exe	WScript.exe
PID 2404 wrote to memory of 2952	2404	services.exe	WScript.exe
PID 2404 wrote to memory of 2952	2404	services.exe	WScript.exe
PID 2404 wrote to memory of 2744	2404	services.exe	WScript.exe
PID 2404 wrote to memory of 2744	2404	services.exe	WScript.exe
PID 2404 wrote to memory of 2744	2404	services.exe	WScript.exe
PID 2952 wrote to memory of 1772	2952	WScript.exe	services.exe
PID 2952 wrote to memory of 1772	2952	WScript.exe	services.exe
PID 2952 wrote to memory of 1772	2952	WScript.exe	services.exe
PID 1772 wrote to memory of 2796	1772	services.exe	WScript.exe
PID 1772 wrote to memory of 2796	1772	services.exe	WScript.exe
PID 1772 wrote to memory of 2796	1772	services.exe	WScript.exe
PID 1772 wrote to memory of 1156	1772	services.exe	WScript.exe
PID 1772 wrote to memory of 1156	1772	services.exe	WScript.exe
PID 1772 wrote to memory of 1156	1772	services.exe	WScript.exe
PID 2796 wrote to memory of 2072	2796	WScript.exe	services.exe
PID 2796 wrote to memory of 2072	2796	WScript.exe	services.exe
PID 2796 wrote to memory of 2072	2796	WScript.exe	services.exe
PID 2072 wrote to memory of 1776	2072	services.exe	WScript.exe
PID 2072 wrote to memory of 1776	2072	services.exe	WScript.exe
PID 2072 wrote to memory of 1776	2072	services.exe	WScript.exe
PID 2072 wrote to memory of 1520	2072	services.exe	WScript.exe
PID 2072 wrote to memory of 1520	2072	services.exe	WScript.exe
PID 2072 wrote to memory of 1520	2072	services.exe	WScript.exe
PID 1776 wrote to memory of 3060	1776	WScript.exe	services.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
"C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e257c2c-9433-4f26-9329-c39f58152a36.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
      "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4edbac19-d7b4-4a1c-b3cf-0cc41e38f0fd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4367d321-bfda-4984-8bd1-184bccc700e6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0524b27e-9414-4656-9f72-21b9d6fc6ae5.vbs"
        9⤵
        
        PID:2752
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1617d6d7-83d3-4d52-b89d-e77c34c2076a.vbs"
        11⤵
        
        PID:536
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\987c996e-466a-49dc-9ed2-1f5d2ffb8d03.vbs"
        13⤵
        
        PID:2376
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7490ea38-659f-4d8d-b97a-c6a594ce0584.vbs"
        15⤵
        
        PID:2152
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adb2fbcd-e83b-4ce0-bcd1-ca672167115c.vbs"
        17⤵
        
        PID:576
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6778510d-6dfa-46b2-9913-5f349812366f.vbs"
        19⤵
        
        PID:2264
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2740e9c-755c-4a65-a530-6711aa143b3b.vbs"
        21⤵
        
        PID:1976
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72486c46-a12d-4f92-90c1-bf80d5c108b4.vbs"
        23⤵
        
        PID:2324
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75510307-a4d6-4a30-9d2e-7607b83fdb6b.vbs"
        25⤵
        
        PID:2436
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9793dc29-d1ea-4c24-8ac0-2ff711d150a4.vbs"
        27⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73031afa-35c7-45c4-96a2-7dd934d194a7.vbs"
        27⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bae23e2-42c2-4091-b8d2-0a3a9e7c5317.vbs"
        25⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d85239d-a985-498a-b659-f2a5722eb12d.vbs"
        23⤵
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a157090-0444-49ff-af95-e47869cad46a.vbs"
        21⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca14e8d6-29e0-46dc-8f45-9bad503d8a15.vbs"
        19⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a352b560-72b8-4c26-a0f8-236835a2dad4.vbs"
        17⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3a4a00-4e2d-4c4a-bf78-d451e1906bd0.vbs"
        15⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f269a0-921c-42d5-a817-ed2c7d384766.vbs"
        13⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eadc9841-eba0-4fd9-89fb-2aba68f20963.vbs"
        11⤵
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c4439e7-4b6c-4f7f-a663-b56a7ef6d197.vbs"
        9⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10dd7d16-44f0-4ee3-b762-29fc7f70b09e.vbs"
        7⤵
        
        PID:1520
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72d00bf7-9e0b-4976-b204-b3227de3cc13.vbs"
        5⤵
        
        PID:1156
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\992b6894-4323-47c3-8033-15e3267f8195.vbs"
    3⤵
    PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Speech\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe

Filesize
4.9MB

MD5
0f75edb514278b6e45793f61c9a91a50

SHA1
e767580f580339a4b7091fc105ffebfbb7d00f03

SHA256
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c

SHA512
940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe

Filesize
4.9MB

MD5
66816dd7b5308ab0a0fd7570a9f0d352

SHA1
1fe1204c874d213c7f6b728e827d26bcdcc82a79

SHA256
793790a3f017ef94d57e7ce3f977b0191d0a1ba0beb60e1966d58ce5c593faf1

SHA512
6a5fe5e5cf7a9063d166793515fce5ab6fb679a1049c2e62e9b3e22ae94e889cb34d8241b7667e13951d962b615402e6fd976f49ce6847e6897fce5f5dad307e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0524b27e-9414-4656-9f72-21b9d6fc6ae5.vbs

Filesize
751B

MD5
6a4cd2305ccff3d1290d730af5b611ba

SHA1
7da648a95128455c76a6908ca532c870169c0887

SHA256
eb81e6033d8b35ff3588f96751a34aaf5318b4a5b4db0440e500bb19d750a049

SHA512
3490a6569070b5c9451f00038ca347b55c5bad3a8fd5cd5b3b3aeace094e5f69665fd800793a0254e78b1d74e6c07422fc8a04170058a0f9fabebdf9d31cd750

Download Submit
C:\Users\Admin\AppData\Local\Temp\1617d6d7-83d3-4d52-b89d-e77c34c2076a.vbs

Filesize
751B

MD5
8c0710d9296ff978d5ec51f2e0b24ff1

SHA1
2569567597bad5784479ec797d3c07d4979a9e9c

SHA256
76710e0366dc2473e24b60bb2d41a0d04dc47c1c429bca9b1f2b43625085651a

SHA512
8a8024c4e194c034b8ac05b8160d442de270678ec993225e7168b418a8532d83685ae47686e18919ee38427a9d978da567f5fb17a533c95506b385630e72ba07

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e257c2c-9433-4f26-9329-c39f58152a36.vbs

Filesize
751B

MD5
c48490063f7a17182cb92520263b1685

SHA1
62d84ae879020cc4d4cb7946d05597d44f5e1ef5

SHA256
84e310bdc9dc6818f89a7df338f6ff2e7963f84a9ce304b08e3068d19e49d5b4

SHA512
8acb0768f4e0bf02f7662eeca4292a37c9e6afcc014fcbb7fb395d5423d4383d6d607a5c99f9674a1673f9113351cf532ba2b3e5e91c564b04731cd66937761d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4367d321-bfda-4984-8bd1-184bccc700e6.vbs

Filesize
751B

MD5
5534272a224e01e94edca5990f82d0fa

SHA1
5e14091d3b4eedcf3c0ba8da29ced23fc8381f75

SHA256
900f690e3195eb74b94876083e46310b072e1e82237a49ae52d8d8573dfff82f

SHA512
1b67980f20e4160e4b82cb10dbb7302a4707c5d4851eaa4dff1fec6436c643d5e1be6e9bbcf094547455581f4ec161cce1349c9f7d9b763f94cedef5f8dca152

Download Submit
C:\Users\Admin\AppData\Local\Temp\4edbac19-d7b4-4a1c-b3cf-0cc41e38f0fd.vbs

Filesize
751B

MD5
4e2928c80c246196c6d5bd80b440dff5

SHA1
05148dda59aab9333d605b5667003f01d6dbc3a7

SHA256
eae352a3ec260f4022651ce8737bf8f9e3dfaaf7943afe206387e281e138b9c5

SHA512
e06a164ea7cd309e5dd69947b076c200bc1bb38016fd1174ee57c5ce1ee7b24f3a843b1226e7421c476db844f47b67434d6c3ae89429dae8ec7be38a858fab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\6778510d-6dfa-46b2-9913-5f349812366f.vbs

Filesize
751B

MD5
4391d4059226c9022e0ffdd561596644

SHA1
14a4e8800f9b050f7f0822cb62a10fc4495aed6a

SHA256
bfe0e3769cd0d1b343f4c49598361b220992a398499d93909038887faf05aac7

SHA512
d200ee64b81d50038cff4a5ee73bc694fd839d86f045bf85f36404aa922dfb9b726574092371467aefb0e486b40daee545283e5216eee92a0b00d7cb3ddd70fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\72486c46-a12d-4f92-90c1-bf80d5c108b4.vbs

Filesize
751B

MD5
3ee487ebefe14ca15e490fee7e07b3be

SHA1
113bf9cc9c48c82a0868f8630f4d5e4e5fbc8e6a

SHA256
6a3b0f6fec4c811d9a2c457283206a6c4fc894caa063b2ad32e6bf84be43fe46

SHA512
e89592541547be111c523ac08d8d6cd50ca877d4bbdff308af45a327d3a9319e07c6319a692f8854cf2e2ad0611fd4027d566151146b319738597a117f3baa8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7490ea38-659f-4d8d-b97a-c6a594ce0584.vbs

Filesize
751B

MD5
38934c430c3083c00e8d50597b733d00

SHA1
342007e4c8e60cf9b12470edfafce4be1b4984b6

SHA256
e34221407b88ba084429829fb9a2877a1d2816ed0a0e6941964d646a6a8e73de

SHA512
31fe1d11a4dd68c2c137d30284b3bb1e2e5b7235077bbe43bc1fb29d797cb08872b61e5ee1a43fdebcc78535b3033033efb325591ad8a684ec83f44103749247

Download Submit
C:\Users\Admin\AppData\Local\Temp\75510307-a4d6-4a30-9d2e-7607b83fdb6b.vbs

Filesize
751B

MD5
d2d9a27941eff0dd6876bcf3aef0de4e

SHA1
a18f55e1d69fa53b4096b25b040d4278a5ca0bd3

SHA256
b6149055ea6c36e423a388aa426acf58516fca627845965e50abb903c6940f24

SHA512
99ff2438072477de87a72ce1e983199a2017d7d255fd236bcac957a358253e587d7774f8cd89f7a665613e0170f45367faf774e091f628031adeb4c72e2c0ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\9793dc29-d1ea-4c24-8ac0-2ff711d150a4.vbs

Filesize
751B

MD5
25155145419c4261ebd912d2f4f38dd7

SHA1
539054db964ec60d061edd24a20767e30c02ba50

SHA256
ca1ecaba619cf03282c5aa6c136f83c7aa9f220851e19061114c5a3b2722b935

SHA512
3d7dd39474725b0243bacb9081b527c796dcaae91dc88111328a0e88ed3c6d7f8864aeb550d39f604fea183dd1664ac05e2057ea3b6d5c76d0bdd740bee10557

Download Submit
C:\Users\Admin\AppData\Local\Temp\987c996e-466a-49dc-9ed2-1f5d2ffb8d03.vbs

Filesize
751B

MD5
9299d2461994a671b1357ece7879d9c4

SHA1
b8fd3b55b00d234eb891c86cba242cbbd506d7ba

SHA256
4902306fe3d5d24e0bafd7b68bcfd8574f15af1c84ca0202e7766590213a24e3

SHA512
0c22509efea94bd23c9287d03251dbc334c2c0024d43b43bc39c1d786ac9e8a826c07d1a697793be7eedea4e707b124e4e4e04432590f35992594602a2c2e1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\992b6894-4323-47c3-8033-15e3267f8195.vbs

Filesize
527B

MD5
019c1372e8d703043b41d32f7ce3d69b

SHA1
280ac45cf163ca021c14f52146744ab7368a8ed8

SHA256
8fe7126a1887b4b929fe05ea05b281e505592d4140132cbfdc1b51a405c51bc0

SHA512
da7ffc5796550c5dfc24595a207eed08fc1f33abb052404d99c0c28e2f1f07829707d004daf0f663a33902acda061c57894951b4aed406f93f5017e6f38a39e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb2fbcd-e83b-4ce0-bcd1-ca672167115c.vbs

Filesize
751B

MD5
78407ad3dd7faff6b701c30a1be42846

SHA1
b8446b3f61b8b62a9c753999f732d01aca895707

SHA256
b8b182cb38ef34da3ab0059754f20b7447fadbee5d291cff6d636e0be0fdc7a1

SHA512
d4d734b1c84e0f0b56ca47196c25fde63b7eb4c32ca586cc9cdd844137a12a2972409528ca4162e44006c5b8582c2e876766d6611b2958b53073fd7b1c6be8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2740e9c-755c-4a65-a530-6711aa143b3b.vbs

Filesize
751B

MD5
921760bd33186a88fe618cf52522b99d

SHA1
d37b0029ac76161ec0f6fcd45f145f468361e197

SHA256
6315b83b9a0eb5273a5abd471b32490a7a2895588a4cdbde5fb8d0c76cbb4bdc

SHA512
41e2e1dda864f4d97b6d63c7021c603aca2655b0d79e3abe1545eb2dc645ac92ba99adf1bf73aea838ca16d38e4b6ab30933d889fecfcf6d583cc2b47dfc2177

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD681.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b31835716efabf437895e62e63ae3b4

SHA1
760eab432d5ee26dc2edb66035d744c67dad6b7f

SHA256
1ffce8736424818d176aa2d21111a6b935f8086d379c30d753425d73a25e5cdb

SHA512
019088c34be9334d45c6a4a5b30d55c8ef305d42896c79f884e85744a79ab6245c86b0f734a728a362c705f6ba6a02d48a24155bd21fac5b1d7fe2d0dfd2b7ab

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1232-199-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/1232-200-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/1596-305-0x0000000000DD0000-0x00000000012C4000-memory.dmp

Filesize
5.0MB

Download
memory/1644-406-0x0000000000C90000-0x0000000001184000-memory.dmp

Filesize
5.0MB

Download
memory/1772-244-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/1772-245-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2384-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2384-289-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/2384-1-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2384-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-3-0x000000001B750000-0x000000001B87E000-memory.dmp

Filesize
1.2MB

Download
memory/2384-155-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-140-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2384-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2384-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2384-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2384-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2384-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2384-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2384-192-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-290-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/2384-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2384-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2384-9-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2384-8-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2384-5-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2384-7-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2384-6-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2404-191-0x0000000000E90000-0x0000000001384000-memory.dmp

Filesize
5.0MB

Download
memory/2596-334-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/2628-177-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2628-176-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-391-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/3060-274-0x0000000001330000-0x0000000001824000-memory.dmp

Filesize
5.0MB

Download