dcrat | 991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Size

4.9MB
MD5

b5578d55623a79cf105d62dc41402e67
SHA1

2914b5f5b47c4d4e7ab756aa8529a1648df22947
SHA256

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b
SHA512

09160ba1ef2cfdac9a125cc4660ccc0b4a6b01f7b7334494cdda34fd9845e8b70fe4eae96d2d2a1a63d839c0593ba144176f8754311a5dd8237ce92e4040477e
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2660	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2336-3-0x000000001B590000-0x000000001B6BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2756	powershell.exe
1964	powershell.exe
768	powershell.exe
2536	powershell.exe
2564	powershell.exe
1940	powershell.exe
2688	powershell.exe
2996	powershell.exe
1928	powershell.exe
1856	powershell.exe
2052	powershell.exe
1448	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

pid	Process
2044	WmiPrvSE.exe
1596	WmiPrvSE.exe
1424	WmiPrvSE.exe
1644	WmiPrvSE.exe
2944	WmiPrvSE.exe
2608	WmiPrvSE.exe
1748	WmiPrvSE.exe
2392	WmiPrvSE.exe
2832	WmiPrvSE.exe
2936	WmiPrvSE.exe
2996	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Drops file in System32 directory 4 IoCs

Processes:

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe

description	ioc	Process
File created	C:\Windows\System32\Printing_Admin_Scripts\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\27d1bcfc3c54e0	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\System32\Printing_Admin_Scripts\RCXFF8D.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\System32\Printing_Admin_Scripts\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe

Drops file in Program Files directory 16 IoCs

Processes:

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RCXFD1C.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\WmiPrvSE.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXFB18.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files (x86)\Google\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCXF1D1.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files (x86)\Google\RCXF6A3.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files (x86)\Microsoft Office\explorer.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\explorer.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\27d1bcfc3c54e0	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files (x86)\Google\27d1bcfc3c54e0	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\WmiPrvSE.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\24dbde2999530e	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files (x86)\Google\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Program Files (x86)\Microsoft Office\7a0fd90576e088	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe

Drops file in Windows directory 20 IoCs

Processes:

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXEF7E.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\system\RCX6E0.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\RCXDC6.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\Prefetch\ReadyBoot\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\system\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\24dbde2999530e	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\PLA\System\Idle.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\PLA\System\6ccacd8608530f	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\Offline Web Pages\6ccacd8608530f	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXBC2.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\Offline Web Pages\Idle.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\PLA\System\Idle.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\system\27d1bcfc3c54e0	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\system\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\PLA\System\RCXFCA.tmp	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\System.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\Offline Web Pages\Idle.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\WmiPrvSE.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\WmiPrvSE.exe	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3024	schtasks.exe
1852	schtasks.exe
1520	schtasks.exe
2332	schtasks.exe
2812	schtasks.exe
2804	schtasks.exe
2884	schtasks.exe
1800	schtasks.exe
932	schtasks.exe
1456	schtasks.exe
604	schtasks.exe
1720	schtasks.exe
336	schtasks.exe
2404	schtasks.exe
3056	schtasks.exe
2788	schtasks.exe
1648	schtasks.exe
2880	schtasks.exe
2684	schtasks.exe
1788	schtasks.exe
1688	schtasks.exe
2592	schtasks.exe
1796	schtasks.exe
2712	schtasks.exe
1888	schtasks.exe
1180	schtasks.exe
2584	schtasks.exe
568	schtasks.exe
1960	schtasks.exe
1008	schtasks.exe
1516	schtasks.exe
1652	schtasks.exe
2240	schtasks.exe
1632	schtasks.exe
2348	schtasks.exe
2888	schtasks.exe
2352	schtasks.exe
1472	schtasks.exe
1900	schtasks.exe
1576	schtasks.exe
2908	schtasks.exe
2032	schtasks.exe
2808	schtasks.exe
1640	schtasks.exe
2536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

pid	Process
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
2052	powershell.exe
1856	powershell.exe
1928	powershell.exe
2756	powershell.exe
1448	powershell.exe
2996	powershell.exe
2536	powershell.exe
1964	powershell.exe
1940	powershell.exe
2688	powershell.exe
768	powershell.exe
2564	powershell.exe
2044	WmiPrvSE.exe
1596	WmiPrvSE.exe
1424	WmiPrvSE.exe
1644	WmiPrvSE.exe
2944	WmiPrvSE.exe
2608	WmiPrvSE.exe
1748	WmiPrvSE.exe
2392	WmiPrvSE.exe
2832	WmiPrvSE.exe
2936	WmiPrvSE.exe
2996	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2044	WmiPrvSE.exe
Token: SeDebugPrivilege	1596	WmiPrvSE.exe
Token: SeDebugPrivilege	1424	WmiPrvSE.exe
Token: SeDebugPrivilege	1644	WmiPrvSE.exe
Token: SeDebugPrivilege	2944	WmiPrvSE.exe
Token: SeDebugPrivilege	2608	WmiPrvSE.exe
Token: SeDebugPrivilege	1748	WmiPrvSE.exe
Token: SeDebugPrivilege	2392	WmiPrvSE.exe
Token: SeDebugPrivilege	2832	WmiPrvSE.exe
Token: SeDebugPrivilege	2936	WmiPrvSE.exe
Token: SeDebugPrivilege	2996	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.execmd.exeWmiPrvSE.exeWScript.exeWmiPrvSE.exeWScript.exeWmiPrvSE.exe

description	pid	Process	procid_target
PID 2336 wrote to memory of 2996	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	77
PID 2336 wrote to memory of 2996	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	77
PID 2336 wrote to memory of 2996	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	77
PID 2336 wrote to memory of 1928	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	78
PID 2336 wrote to memory of 1928	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	78
PID 2336 wrote to memory of 1928	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	78
PID 2336 wrote to memory of 1448	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	79
PID 2336 wrote to memory of 1448	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	79
PID 2336 wrote to memory of 1448	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	79
PID 2336 wrote to memory of 1856	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	81
PID 2336 wrote to memory of 1856	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	81
PID 2336 wrote to memory of 1856	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	81
PID 2336 wrote to memory of 2052	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	83
PID 2336 wrote to memory of 2052	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	83
PID 2336 wrote to memory of 2052	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	83
PID 2336 wrote to memory of 2688	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	84
PID 2336 wrote to memory of 2688	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	84
PID 2336 wrote to memory of 2688	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	84
PID 2336 wrote to memory of 768	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	86
PID 2336 wrote to memory of 768	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	86
PID 2336 wrote to memory of 768	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	86
PID 2336 wrote to memory of 1964	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	88
PID 2336 wrote to memory of 1964	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	88
PID 2336 wrote to memory of 1964	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	88
PID 2336 wrote to memory of 2756	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	89
PID 2336 wrote to memory of 2756	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	89
PID 2336 wrote to memory of 2756	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	89
PID 2336 wrote to memory of 1940	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	90
PID 2336 wrote to memory of 1940	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	90
PID 2336 wrote to memory of 1940	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	90
PID 2336 wrote to memory of 2564	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	91
PID 2336 wrote to memory of 2564	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	91
PID 2336 wrote to memory of 2564	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	91
PID 2336 wrote to memory of 2536	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	92
PID 2336 wrote to memory of 2536	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	92
PID 2336 wrote to memory of 2536	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	92
PID 2336 wrote to memory of 2584	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	101
PID 2336 wrote to memory of 2584	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	101
PID 2336 wrote to memory of 2584	2336	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe	101
PID 2584 wrote to memory of 2976	2584	cmd.exe	103
PID 2584 wrote to memory of 2976	2584	cmd.exe	103
PID 2584 wrote to memory of 2976	2584	cmd.exe	103
PID 2584 wrote to memory of 2044	2584	cmd.exe	104
PID 2584 wrote to memory of 2044	2584	cmd.exe	104
PID 2584 wrote to memory of 2044	2584	cmd.exe	104
PID 2044 wrote to memory of 2568	2044	WmiPrvSE.exe	105
PID 2044 wrote to memory of 2568	2044	WmiPrvSE.exe	105
PID 2044 wrote to memory of 2568	2044	WmiPrvSE.exe	105
PID 2044 wrote to memory of 2552	2044	WmiPrvSE.exe	106
PID 2044 wrote to memory of 2552	2044	WmiPrvSE.exe	106
PID 2044 wrote to memory of 2552	2044	WmiPrvSE.exe	106
PID 2568 wrote to memory of 1596	2568	WScript.exe	107
PID 2568 wrote to memory of 1596	2568	WScript.exe	107
PID 2568 wrote to memory of 1596	2568	WScript.exe	107
PID 1596 wrote to memory of 2248	1596	WmiPrvSE.exe	108
PID 1596 wrote to memory of 2248	1596	WmiPrvSE.exe	108
PID 1596 wrote to memory of 2248	1596	WmiPrvSE.exe	108
PID 1596 wrote to memory of 412	1596	WmiPrvSE.exe	109
PID 1596 wrote to memory of 412	1596	WmiPrvSE.exe	109
PID 1596 wrote to memory of 412	1596	WmiPrvSE.exe	109
PID 2248 wrote to memory of 1424	2248	WScript.exe	110
PID 2248 wrote to memory of 1424	2248	WScript.exe	110
PID 2248 wrote to memory of 1424	2248	WScript.exe	110
PID 1424 wrote to memory of 528	1424	WmiPrvSE.exe	111

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe
"C:\Users\Admin\AppData\Local\Temp\991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uJ4aKJis7Y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2976
- - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
    "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2044
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e1adaf-f0ca-4f94-ad03-7464dbbd4990.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f26bdc-8b99-4ccd-904d-64431faf109f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1037b878-63e0-4b83-b9bf-2b7cd0e5eb20.vbs"
        8⤵
        
        PID:528
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8965c79-8bd7-4784-aa19-58233d9e361d.vbs"
        10⤵
        
        PID:3064
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cdacfd8-abc1-4600-8b20-1ec52bec4a95.vbs"
        12⤵
        
        PID:2704
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a138f44c-3404-42b9-a442-949dd16c2867.vbs"
        14⤵
        
        PID:1908
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67e086fd-d899-4652-98ec-dca794cdf5d6.vbs"
        16⤵
        
        PID:2916
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f8281dd-3ca0-41fa-a612-092a4ecb4408.vbs"
        18⤵
        
        PID:1680
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\808ecd4c-d086-424a-8d25-5bfc83edb9d2.vbs"
        20⤵
        
        PID:2456
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16556d79-5f97-4eda-bd8d-41ec5e047221.vbs"
        22⤵
        
        PID:2812
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5c9c9e0-3658-4917-875e-d6ef0e653b09.vbs"
        24⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7974f1b2-4650-4a2e-b464-ecf90a96065b.vbs"
        24⤵
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd5566b4-6ded-40ae-a9fc-ce68dfa58780.vbs"
        22⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e81569d-abfe-4c5d-b99c-e3276d05201b.vbs"
        20⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ef0893d-1196-43cf-be43-f7d53ecaeb7c.vbs"
        18⤵
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d604da1-d107-4bc1-a392-0021123979d0.vbs"
        16⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38c6178e-6246-46a4-832c-e479fb8e426a.vbs"
        14⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae8d7f89-bc20-44e5-b07d-f3e51efb863f.vbs"
        12⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be6131f2-c8a3-4141-8c49-f8beb2297568.vbs"
        10⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\366157f3-ad3c-49c0-adab-2f1e585663b3.vbs"
        8⤵
        
        PID:956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a846943-1028-4bc4-8cbe-66685789bc1e.vbs"
        6⤵
        
        PID:412
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bf9ff63-43d3-4f4d-9c9c-50e2b96b8e8b.vbs"
      4⤵
      PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\Printing_Admin_Scripts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\System32\Printing_Admin_Scripts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\Printing_Admin_Scripts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\system\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
4.9MB

MD5
b5578d55623a79cf105d62dc41402e67

SHA1
2914b5f5b47c4d4e7ab756aa8529a1648df22947

SHA256
991ad52e8f01839d1b6553cde8cd95ac42fb4da694c36dfc53d700b45a189b6b

SHA512
09160ba1ef2cfdac9a125cc4660ccc0b4a6b01f7b7334494cdda34fd9845e8b70fe4eae96d2d2a1a63d839c0593ba144176f8754311a5dd8237ce92e4040477e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bf9ff63-43d3-4f4d-9c9c-50e2b96b8e8b.vbs

Filesize
527B

MD5
38df877aa861e544cfa7519e2dc78c19

SHA1
4947a95b2424c1a8bde92f5be2c1fda649518a02

SHA256
2a0f467449e83278d67c0a3df465bd283347e04939f2e097d08ed512c247c057

SHA512
12403906df277a961f3bfb9b2285a093c2d6318a56184f7dcae2e8b8ef70d968cb2f712df8b5ce169f27d136bf242d7cd1ae77fc590022cec14d632c0b1f816c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1037b878-63e0-4b83-b9bf-2b7cd0e5eb20.vbs

Filesize
751B

MD5
5b7740375c7570dc5632ecf733c49885

SHA1
d7dab00e4aa599f26086e84f5df5d6c3f0210c7e

SHA256
addaaf699714896b506928439c5e6e8afba76753ea6bf9b865d2dcd622028046

SHA512
86106498c74d040dbecd2a9c8bea0ae0d1fa2cc72a5c6dbe421d4ea63329db487bdd13fa697e0a8e8ef5083e202dec5f5adb83fae59e6c76b5918c3f2918a386

Download Submit
C:\Users\Admin\AppData\Local\Temp\16556d79-5f97-4eda-bd8d-41ec5e047221.vbs

Filesize
751B

MD5
2b2783952e4191f1bbdd710bd5d1b716

SHA1
dbaa69839f70ccdbd5e8de646cd15c9c9bcd2b0d

SHA256
6f9cd790099d82014fbe3cc0dc040a946e53559f08421488c07da52330ccfd37

SHA512
07f7d2dee82b004e204bf470b385f448609ee864fc9c096e569a2bdb0b315944c32eef4e56f3e577334d06982e182e5eaa337fefa6f45c75e5a2ec14752f1bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\31f26bdc-8b99-4ccd-904d-64431faf109f.vbs

Filesize
751B

MD5
7ab8bb2aaa454d40dcf4703d0a2b6f55

SHA1
29e82444970cfeedc9609683eb8ceb87046b7c08

SHA256
9007f301c2d6bfa6970a59ec63f19ae354e23e58f4d3152a1c92d23704a78f47

SHA512
ba9532fc81c480af04b2f14b1328aa7af35217e878e91d8dd14294a8208f835c67f7f2f40812a38d8177655cdd79b442334b2cd83e03bec343515cf1589a6ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f8281dd-3ca0-41fa-a612-092a4ecb4408.vbs

Filesize
751B

MD5
7b9d4424e289e7d9f5968a42d4915d8e

SHA1
76ae8dc117103d17c4c71f7fb3a0acb01f113be3

SHA256
385a4ae362764f032db495e4db308c4e1b156db9bfc509c21a096e286fd22463

SHA512
8ffd8c2d0a59756eeec533ea6b0fb3247ce721a013fcf4fb27f73e62fc1bd6d06d9aa4e139a33bccec6fe7fc30488dac4aca3ccffa222b5e821c1b72284788f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\67e086fd-d899-4652-98ec-dca794cdf5d6.vbs

Filesize
751B

MD5
3910895478c5f5c4315e8a21539c5d92

SHA1
224f18159d2414a28c557f553aa76e556055749a

SHA256
b58345c6cbda0a3d09fb53329581e3a4d4c7ade03ee17620b40ea5ce26ecefaf

SHA512
ffb2849df5924415a8cd318e1e59333605f95877e3c203159791a0a9dda541f77c6efdd11aeb955b2f8a34d56163ea4fbee4bb9acb30c6abedbfb57e7c68473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cdacfd8-abc1-4600-8b20-1ec52bec4a95.vbs

Filesize
751B

MD5
d6ef37e4784eddf33339fe67d1e9924d

SHA1
15defceb4f65ac6b396535dcce13035df5bd5374

SHA256
5cdad1d7809637ce22f9538e790a5d8525139bfa08ba1176a9b457bc5e31be78

SHA512
b7f2e76ebab551bb9b058808dc143c442aeb4d9c797549a4a77fa6752d4388a84f34ef5fccaa71cd5d0e5385210279b392359257ab380470243c5ca3ab6cc7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\808ecd4c-d086-424a-8d25-5bfc83edb9d2.vbs

Filesize
751B

MD5
032d3b3bcec89a04d08506d4316dd331

SHA1
837f471115a89c6f6a272c4e44bca1f15b69f7f6

SHA256
36799733e0558575b59e5f20f90e85ad7ef72890612818c2293d0ccfcc8f4fba

SHA512
90ccebc67548a289f79a67e2ded8e0134b4ab0bd0599a4fc5c648dcf4644d3e9b6ca52013fb90791e511aa2512d26444693f03c571311ae74b934a69a60951fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a138f44c-3404-42b9-a442-949dd16c2867.vbs

Filesize
751B

MD5
ab8315f489004a30c0d47f77fe6e021b

SHA1
d23a12e2b6b37baee60388d29dc5b445ccd74eaf

SHA256
c74c152e274aa04bf3e7d684976085c655bf9ec1f31b78e43fe6589c6034c135

SHA512
9f4eb910463f5f243b8d1dc05058060cd88cc2808f947992efe35a7ef390c62cf1fa496ee57ba56ebbabad279b3e05b257933ef730c73a5d3509898d9f218d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5c9c9e0-3658-4917-875e-d6ef0e653b09.vbs

Filesize
751B

MD5
a7c177ba474ec90b61456ef940d268ef

SHA1
ec7630cba45ecea5567966940eb30b65b4b011df

SHA256
ebc4e8b185b682dac0883e546db4423b52732c3d345bfe5671c677759356a04c

SHA512
8126664ecc7354b88ecae11e0f93d491788b5f25317a65628233a064b5460537496f091a685e17e2aee9efecbc5cb5a1edda54b244c2486d1c643e3b5b74181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6e1adaf-f0ca-4f94-ad03-7464dbbd4990.vbs

Filesize
751B

MD5
d81f693a7fef7b602230c91680e1ad84

SHA1
44ba58c460b278077d6a5eeb15466ab94ceecb2f

SHA256
2fa9154a2d6163e133b5474d86c4352c5221788a066a3f9428cc9f84f6bc7192

SHA512
7aae6fe281d221f43b29895bbdf4677f97b6d700de7ea1e7b540bdc177c4a04313e65e9ea6288f46d18a811b0a6e425afdaa5c452ba28a136266fd332401d3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8965c79-8bd7-4784-aa19-58233d9e361d.vbs

Filesize
751B

MD5
b82d9d8dbbcff0c33a7cc894dbf21e96

SHA1
02db8a7b7ddb8828ef42ccf4773f5c6ed00ea867

SHA256
fe4c9549071b5b82f5dbc0bf5454fed070b467243c47d15b0e130f1424b9e6cd

SHA512
16a52e150ede3eebc2a6cc8901dfbbb8c46f16b95691c160587460bcbadc8b8c9722e33febac441fecf91d95360b0b8477b7fff2c1952446900b8aa9bff8e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37C3.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uJ4aKJis7Y.bat

Filesize
240B

MD5
32ab22aa455ea5eaaf4d87025a45b4dd

SHA1
1c1996dcc9e06ce1638c620e30f2aa104f967933

SHA256
2341637d19211143af760937024bb509f46ca0fac91eeba15af77f4de4ede879

SHA512
c6dfdf5603d803cf61a986cd112544d43c7502a9cec6bc7ece8d09c3c07ae1c5428cae313241e27e052b432e6d5ad3c184a77b4ad16f4df9f057cdc4429eda8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb329fd1d4b64a5c6c91a7b23f5415bd

SHA1
821bbdcb49ee908cddb597a0350d9d5384c7bd8b

SHA256
42bd56405ecfe81623a1c70ad33759e39be8e3a59a354c0aa464f7c04a82147c

SHA512
5197fb44182306c69e20685d52d166fa5c7d3648f1393c83328954ba2d7ea21ec187c1cc640b2bc2d4d5341f25dfd539442b2f28a3a61c6ae8065f136d6d64eb

Download Submit
memory/1424-243-0x00000000011D0000-0x00000000016C4000-memory.dmp

Filesize
5.0MB

Download
memory/1596-228-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/1644-258-0x0000000000340000-0x0000000000834000-memory.dmp

Filesize
5.0MB

Download
memory/2044-214-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2044-213-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/2052-168-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2052-166-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2336-12-0x0000000002370000-0x000000000237E000-memory.dmp

Filesize
56KB

Download
memory/2336-11-0x0000000002360000-0x000000000236A000-memory.dmp

Filesize
40KB

Download
memory/2336-136-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-122-0x000007FEF6513000-0x000007FEF6514000-memory.dmp

Filesize
4KB

Download
memory/2336-16-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/2336-15-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2336-14-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2336-13-0x0000000002470000-0x000000000247E000-memory.dmp

Filesize
56KB

Download
memory/2336-0-0x000007FEF6513000-0x000007FEF6514000-memory.dmp

Filesize
4KB

Download
memory/2336-4-0x0000000000920000-0x000000000093C000-memory.dmp

Filesize
112KB

Download
memory/2336-10-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2336-9-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2336-8-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2336-1-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2336-7-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/2336-2-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-6-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2336-5-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2336-3-0x000000001B590000-0x000000001B6BE000-memory.dmp

Filesize
1.2MB

Download
memory/2336-156-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-318-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2392-317-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download
memory/2608-288-0x00000000010E0000-0x00000000015D4000-memory.dmp

Filesize
5.0MB

Download
memory/2832-333-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/2944-273-0x0000000000EB0000-0x00000000013A4000-memory.dmp

Filesize
5.0MB

Download
memory/2996-362-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download