dcrat | f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Size

1.8MB
MD5

8392193c5fb165f60a6c16e76cf22e7c
SHA1

142c9abfc95aeadab045c315ac8cc65539a8124e
SHA256

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216
SHA512

80328d829071ed38655eea9fcaade51244abb0f669438dd1d80b39445d663d9fda7d6bbc64a8467aa02af47d3d83d4e826488827a1125152735fce06c216d5fb
SSDEEP

49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	2360	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2360	schtasks.exe	86

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exeupfc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4992-1-0x0000000000B60000-0x0000000000D2E000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c9d-26.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3344	powershell.exe
3896	powershell.exe
2384	powershell.exe
3928	powershell.exe
2984	powershell.exe
5044	powershell.exe
3452	powershell.exe
744	powershell.exe
3280	powershell.exe
664	powershell.exe
4996	powershell.exe
220	powershell.exe
3580	powershell.exe
3600	powershell.exe
1212	powershell.exe
4012	powershell.exe
3640	powershell.exe
216	powershell.exe
3936	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 7 IoCs

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

pid	Process
6136	upfc.exe
804	upfc.exe
5332	upfc.exe
4544	upfc.exe
5788	upfc.exe
4688	upfc.exe
5868	upfc.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exeupfc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe

Drops file in Program Files directory 21 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\sppsvc.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\Windows Sidebar\sppsvc.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\Windows Sidebar\0a1fd5f707cd16	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\Windows Defender\ja-JP\backgroundTaskHost.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXA2BF.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\Windows Sidebar\sppsvc.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\backgroundTaskHost.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB5E2.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\services.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\sppsvc.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\0a1fd5f707cd16	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXB7E6.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\Windows Defender\ja-JP\eddb19405b7ce1	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\c5b4cb5e9653cc	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXA4C4.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\RCXA94A.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

Drops file in Windows directory 16 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

description	ioc	Process
File created	C:\Windows\ModemLogs\wininit.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\RCXA745.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\ModemLogs\RCX9898.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\RuntimeBroker.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\RCXB3DD.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\PolicyDefinitions\en-US\886983d96e3d3e	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\ModemLogs\wininit.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\csrss.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXBA68.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\SKB\LanguageModels\RuntimeBroker.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\SKB\LanguageModels\9e8d7a4ca61bd9	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RuntimeBroker.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\ModemLogs\56085415360792	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\RuntimeBroker.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\9e8d7a4ca61bd9	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\PolicyDefinitions\en-US\csrss.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exeupfc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
4584	schtasks.exe
1388	schtasks.exe
3584	schtasks.exe
1868	schtasks.exe
436	schtasks.exe
4632	schtasks.exe
2128	schtasks.exe
1288	schtasks.exe
2696	schtasks.exe
1304	schtasks.exe
1376	schtasks.exe
664	schtasks.exe
5076	schtasks.exe
3032	schtasks.exe
4676	schtasks.exe
1164	schtasks.exe
4168	schtasks.exe
2248	schtasks.exe
4384	schtasks.exe
5000	schtasks.exe
1500	schtasks.exe
4072	schtasks.exe
5092	schtasks.exe
3108	schtasks.exe
1324	schtasks.exe
2316	schtasks.exe
2812	schtasks.exe
5108	schtasks.exe
3540	schtasks.exe
2524	schtasks.exe
2288	schtasks.exe
4772	schtasks.exe
312	schtasks.exe
1652	schtasks.exe
3956	schtasks.exe
1964	schtasks.exe
964	schtasks.exe
1260	schtasks.exe
4500	schtasks.exe
2220	schtasks.exe
884	schtasks.exe
2364	schtasks.exe
4112	schtasks.exe
4804	schtasks.exe
212	schtasks.exe
1732	schtasks.exe
1956	schtasks.exe
1768	schtasks.exe
860	schtasks.exe
2040	schtasks.exe
2464	schtasks.exe
4348	schtasks.exe
452	schtasks.exe
3160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
2984	powershell.exe
2984	powershell.exe
3928	powershell.exe
3928	powershell.exe
3580	powershell.exe
3580	powershell.exe
3600	powershell.exe
3600	powershell.exe
3936	powershell.exe
3936	powershell.exe
1212	powershell.exe
2384	powershell.exe
1212	powershell.exe
2384	powershell.exe
3896	powershell.exe
3896	powershell.exe
3452	powershell.exe
3452	powershell.exe
5044	powershell.exe
5044	powershell.exe
3280	powershell.exe
3280	powershell.exe
3640	powershell.exe
3640	powershell.exe
4012	powershell.exe
4012	powershell.exe
744	powershell.exe
744	powershell.exe
4996	powershell.exe
4996	powershell.exe
216	powershell.exe
216	powershell.exe
220	powershell.exe
220	powershell.exe
3344	powershell.exe
3344	powershell.exe
664	powershell.exe
664	powershell.exe
2984	powershell.exe
2984	powershell.exe
3344	powershell.exe
3580	powershell.exe
3580	powershell.exe
3936	powershell.exe
3640	powershell.exe
3600	powershell.exe
3600	powershell.exe
220	powershell.exe
1212	powershell.exe
216	powershell.exe
4996	powershell.exe
3452	powershell.exe
3928	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	6136	upfc.exe
Token: SeDebugPrivilege	804	upfc.exe
Token: SeDebugPrivilege	5332	upfc.exe
Token: SeDebugPrivilege	4544	upfc.exe
Token: SeDebugPrivilege	5788	upfc.exe
Token: SeDebugPrivilege	4688	upfc.exe
Token: SeDebugPrivilege	5868	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.execmd.exeupfc.exeWScript.exeupfc.exeWScript.exeupfc.exeWScript.exeupfc.exe

description	pid	Process	procid_target
PID 4992 wrote to memory of 664	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	152
PID 4992 wrote to memory of 664	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	152
PID 4992 wrote to memory of 3600	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	153
PID 4992 wrote to memory of 3600	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	153
PID 4992 wrote to memory of 2984	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	154
PID 4992 wrote to memory of 2984	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	154
PID 4992 wrote to memory of 3580	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	155
PID 4992 wrote to memory of 3580	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	155
PID 4992 wrote to memory of 3928	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	156
PID 4992 wrote to memory of 3928	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	156
PID 4992 wrote to memory of 2384	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	157
PID 4992 wrote to memory of 2384	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	157
PID 4992 wrote to memory of 3896	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	158
PID 4992 wrote to memory of 3896	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	158
PID 4992 wrote to memory of 3936	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	159
PID 4992 wrote to memory of 3936	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	159
PID 4992 wrote to memory of 3280	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	161
PID 4992 wrote to memory of 3280	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	161
PID 4992 wrote to memory of 220	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	162
PID 4992 wrote to memory of 220	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	162
PID 4992 wrote to memory of 3344	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	164
PID 4992 wrote to memory of 3344	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	164
PID 4992 wrote to memory of 744	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	165
PID 4992 wrote to memory of 744	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	165
PID 4992 wrote to memory of 3452	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	167
PID 4992 wrote to memory of 3452	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	167
PID 4992 wrote to memory of 216	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	168
PID 4992 wrote to memory of 216	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	168
PID 4992 wrote to memory of 5044	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	170
PID 4992 wrote to memory of 5044	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	170
PID 4992 wrote to memory of 4012	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	171
PID 4992 wrote to memory of 4012	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	171
PID 4992 wrote to memory of 4996	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	172
PID 4992 wrote to memory of 4996	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	172
PID 4992 wrote to memory of 3640	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	173
PID 4992 wrote to memory of 3640	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	173
PID 4992 wrote to memory of 1212	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	174
PID 4992 wrote to memory of 1212	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	174
PID 4992 wrote to memory of 2284	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	190
PID 4992 wrote to memory of 2284	4992	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	190
PID 2284 wrote to memory of 5436	2284	cmd.exe	192
PID 2284 wrote to memory of 5436	2284	cmd.exe	192
PID 2284 wrote to memory of 6136	2284	cmd.exe	194
PID 2284 wrote to memory of 6136	2284	cmd.exe	194
PID 6136 wrote to memory of 5888	6136	upfc.exe	196
PID 6136 wrote to memory of 5888	6136	upfc.exe	196
PID 6136 wrote to memory of 5820	6136	upfc.exe	197
PID 6136 wrote to memory of 5820	6136	upfc.exe	197
PID 5888 wrote to memory of 804	5888	WScript.exe	199
PID 5888 wrote to memory of 804	5888	WScript.exe	199
PID 804 wrote to memory of 5952	804	upfc.exe	201
PID 804 wrote to memory of 5952	804	upfc.exe	201
PID 804 wrote to memory of 5708	804	upfc.exe	202
PID 804 wrote to memory of 5708	804	upfc.exe	202
PID 5952 wrote to memory of 5332	5952	WScript.exe	208
PID 5952 wrote to memory of 5332	5952	WScript.exe	208
PID 5332 wrote to memory of 5732	5332	upfc.exe	210
PID 5332 wrote to memory of 5732	5332	upfc.exe	210
PID 5332 wrote to memory of 5204	5332	upfc.exe	211
PID 5332 wrote to memory of 5204	5332	upfc.exe	211
PID 5732 wrote to memory of 4544	5732	WScript.exe	213
PID 5732 wrote to memory of 4544	5732	WScript.exe	213
PID 4544 wrote to memory of 4468	4544	upfc.exe	215
PID 4544 wrote to memory of 4468	4544	upfc.exe	215

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exeupfc.exeupfc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
"C:\Users\Admin\AppData\Local\Temp\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Pester\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\en-US\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TIt1NKYHRv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5436
- - C:\Users\Default User\upfc.exe
    "C:\Users\Default User\upfc.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:6136
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28c51df0-f909-49ed-a15d-7e83aae9d773.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5888
    - - C:\Users\Default User\upfc.exe
        
        "C:\Users\Default User\upfc.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:804
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bea90d8-eb42-40c1-8dfe-4e04e093bea7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5952
        
        C:\Users\Default User\upfc.exe
        
        "C:\Users\Default User\upfc.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11c66c73-2aba-4bb7-a878-b915d4a77f48.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5732
        
        C:\Users\Default User\upfc.exe
        
        "C:\Users\Default User\upfc.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cc55458-df11-470f-93e9-54048b14312d.vbs"
        10⤵
        
        PID:4468
        
        C:\Users\Default User\upfc.exe
        
        "C:\Users\Default User\upfc.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb333d7b-ee82-4b4f-b60f-c59c5d613ebb.vbs"
        12⤵
        
        PID:2936
        
        C:\Users\Default User\upfc.exe
        
        "C:\Users\Default User\upfc.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1afa5b17-7b6f-4dc7-bc9c-b72f5169dfea.vbs"
        14⤵
        
        PID:5656
        
        C:\Users\Default User\upfc.exe
        
        "C:\Users\Default User\upfc.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeadd81d-f011-439e-a611-6ad9cc571935.vbs"
        16⤵
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a71d673e-49a9-4e8c-9261-fce6cbf1b973.vbs"
        16⤵
        
        PID:5784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1393bbde-5c57-4066-a1d6-1199b0f7c304.vbs"
        14⤵
        
        PID:5340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bed3879a-3b95-4916-94db-bc8dc1d94890.vbs"
        12⤵
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8b7311-b851-4a97-8389-5730e8e86719.vbs"
        10⤵
        
        PID:5948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f55e355e-611a-4d25-b12c-cd28569bf30b.vbs"
        8⤵
        
        PID:5204
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26a311f4-3853-467c-a09b-de1dc2f05970.vbs"
        6⤵
        
        PID:5708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce6094a4-aeb6-4dc9-96a7-1bdeca82142b.vbs"
      4⤵
      PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\ja-JP\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\AppData\Local\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sihost.exe

Filesize
1.8MB

MD5
8392193c5fb165f60a6c16e76cf22e7c

SHA1
142c9abfc95aeadab045c315ac8cc65539a8124e

SHA256
f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216

SHA512
80328d829071ed38655eea9fcaade51244abb0f669438dd1d80b39445d663d9fda7d6bbc64a8467aa02af47d3d83d4e826488827a1125152735fce06c216d5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1b6092a05634abdfce9c7d9f7923327

SHA1
c44dbf1f15b196e236181572d7305b17d05972c6

SHA256
a0917ce76bde1dc92950380eb01692aacc0f3dfc2982eaf2bdd31c317a7bcad1

SHA512
a24c71158124ca030fd8e4e96f44fc97614d588f3684fd62b786d993028bbfa73d142ef223aeca41b6ba9854fc481d09fbb493d9ed3af8bec91929cbde888bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\11c66c73-2aba-4bb7-a878-b915d4a77f48.vbs

Filesize
706B

MD5
4550dd5f84dd13eb16539a34f2e60f1f

SHA1
e8f778138816dd20c3b8bf20a8fbe32fbba387f5

SHA256
35da1b67aa9f74aafcc7ac27e02a54c9d490527e7d66871d62eed6f549e6b72a

SHA512
58f555f377fbf272bfb090d50ee7a1356467b4b2af73a4955d5b7dbd0d9cc74674a9185ecc006a38e3af5cf39673e96678afbe58b04fe329c5f667a3815d945b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1afa5b17-7b6f-4dc7-bc9c-b72f5169dfea.vbs

Filesize
706B

MD5
31950badfbd3c9b405ee9579bb25edf2

SHA1
cf278dd5dc782493b2e06284838398c31643bf8f

SHA256
641533f600d2457b5ec283c5bdf9b511ef8f0ed351164799aa1d1de9a444868f

SHA512
b63c3359c11b175d3c962d7ee57fde64c1a8b667211d7627ba455b06e1dbab2ba23ed7324b2c824f03cd1d0a867c8cc7775b7e594e3cbcb16bbdc72e2c18c894

Download Submit
C:\Users\Admin\AppData\Local\Temp\28c51df0-f909-49ed-a15d-7e83aae9d773.vbs

Filesize
706B

MD5
4132d2dd0b70e6b1c03f0f6b70eee247

SHA1
0ecc67bc5f73f42a8ae335c83f4a30817fca0573

SHA256
485611cea9a220cafd2363c88a0dd7ccc70f09858e4ed429fac787eb051f34fb

SHA512
7020f4afd0d9d49c6937901774efc22b1a8a13ed1526dd4f1b0d0f5dc7bcc247d0e142a687788602137933cb282ffb6919212b67e0e581b26cc00c98a039665b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bea90d8-eb42-40c1-8dfe-4e04e093bea7.vbs

Filesize
705B

MD5
7a6be0d625523a3b4698f42fad488379

SHA1
b58521ef12982ba1c8fd02f6436a6d8c6370868a

SHA256
b0a94f7b401d3d1cd55d1c93f92981420b485736782edf5895b93712de7f5034

SHA512
a3e49fce2a5253fc1d885d2f07cd7cfeefd2ece566a771476eca53034192aa18c3c804671123a4be5b6bc3bde4b1745d3db1a4b023c82a9a1a044a8de2802c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cc55458-df11-470f-93e9-54048b14312d.vbs

Filesize
706B

MD5
715b4d912565069af09739e2affb8e55

SHA1
ff692bf7f3fd12d2c07ea09b404b9c13e6ca1284

SHA256
728d3da1a4aec3fda271d06526e37c7bf1cd669514e7904acb8e5442c6d66b1c

SHA512
a5e5ebdfc9d86230e2c0f8157a98a0232601351734523b384dd0f4a1dda13a25c0603f8a8e6ee64087696d0c35a85095da17f60925c13db6891164b22d412282

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIt1NKYHRv.bat

Filesize
195B

MD5
d7569c1504350efb123d12c0561ad076

SHA1
0dbd27db7929bd5ea23ade6478bf0d438dfffc1c

SHA256
9053a7c20bcb0ee72f9d2c91f89c8c311875374e9a0629c175563c903e1e6fbe

SHA512
f1a5196f1b9179f7c7bb3c3b46588bf6ecd151aa5ced39772440c138290ae1b79ca0d2c560eb9617c67b3ab069c90e369f4fa7678448550f51f4ed15e11dcffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4lylqhr.u5r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeadd81d-f011-439e-a611-6ad9cc571935.vbs

Filesize
706B

MD5
31327abad43bb020e0c92b5178c172da

SHA1
fb8e23e02455cf158146fd1b6abdd5a67ebaeab0

SHA256
fa773b5ef2945bed190d4b1f8e94cb50dcc1621322dab00a7c58d2a6a8bc9c37

SHA512
17a0f9cbc5cd8018993181d73f990201c2ecda49f1be784eeac40187ad9ed977c617ea94bdc116c68ae04731a2de8dd334895a5b5f574cb1535eb28fbe853e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb333d7b-ee82-4b4f-b60f-c59c5d613ebb.vbs

Filesize
706B

MD5
5aef8f7ee17693de502e0c15b9b2dbaa

SHA1
b333f39917e591f81fd5c717c7728a6b400b9deb

SHA256
2e4323c4ab3e8f37dd0d4d7f219ae4470c3de26e650e4d42af9b604f057fd81c

SHA512
740c0a0178e4267decdfb187edee82f2f5b0a2f709560a091dbb133bddbbecdda8db67fad0eeebb782cf7f1b52c5a6fe16f6cd7b2802ab733bcbf3b1b2a511b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce6094a4-aeb6-4dc9-96a7-1bdeca82142b.vbs

Filesize
482B

MD5
39b7d41245982827495daf70183059c6

SHA1
a17babc2e67e8ee54b1e86597c2391f49a866b34

SHA256
2892b5c6f9094451c7d6cfd13fe5574f9c12454e95d3930e20063c320aa72b32

SHA512
30283e0c009499216b039e49de7fc421ea6725ba7578e97b3e3700069f3e570d9b8779426d67079ba460fc3b98d28729a85d4f5244485efb66c67a740f7150cc

Download Submit
memory/2984-187-0x0000011D701F0000-0x0000011D70212000-memory.dmp

Filesize
136KB

Download
memory/4992-9-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/4992-6-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/4992-0-0x00007FFC80173000-0x00007FFC80175000-memory.dmp

Filesize
8KB

Download
memory/4992-13-0x000000001BA40000-0x000000001BA4A000-memory.dmp

Filesize
40KB

Download
memory/4992-14-0x000000001C160000-0x000000001C16E000-memory.dmp

Filesize
56KB

Download
memory/4992-15-0x000000001C170000-0x000000001C17E000-memory.dmp

Filesize
56KB

Download
memory/4992-12-0x000000001C690000-0x000000001CBB8000-memory.dmp

Filesize
5.2MB

Download
memory/4992-11-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/4992-10-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/4992-17-0x000000001C190000-0x000000001C19C000-memory.dmp

Filesize
48KB

Download
memory/4992-8-0x0000000002EB0000-0x0000000002EC2000-memory.dmp

Filesize
72KB

Download
memory/4992-7-0x0000000002E90000-0x0000000002EA6000-memory.dmp

Filesize
88KB

Download
memory/4992-16-0x000000001C180000-0x000000001C18C000-memory.dmp

Filesize
48KB

Download
memory/4992-1-0x0000000000B60000-0x0000000000D2E000-memory.dmp

Filesize
1.8MB

Download
memory/4992-3-0x0000000002E20000-0x0000000002E3C000-memory.dmp

Filesize
112KB

Download
memory/4992-148-0x00007FFC80170000-0x00007FFC80C31000-memory.dmp

Filesize
10.8MB

Download
memory/4992-4-0x0000000002EE0000-0x0000000002F30000-memory.dmp

Filesize
320KB

Download
memory/4992-5-0x00000000014F0000-0x00000000014F8000-memory.dmp

Filesize
32KB

Download
memory/4992-138-0x00007FFC80173000-0x00007FFC80175000-memory.dmp

Filesize
8KB

Download
memory/4992-181-0x00007FFC80170000-0x00007FFC80C31000-memory.dmp

Filesize
10.8MB

Download
memory/4992-2-0x00007FFC80170000-0x00007FFC80C31000-memory.dmp

Filesize
10.8MB

Download
memory/5332-418-0x0000000002B60000-0x0000000002B72000-memory.dmp

Filesize
72KB

Download
memory/5788-441-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/5788-442-0x000000001C330000-0x000000001C342000-memory.dmp

Filesize
72KB

Download
memory/6136-394-0x000000001BA10000-0x000000001BA22000-memory.dmp

Filesize
72KB

Download
memory/6136-393-0x0000000002EA0000-0x0000000002EB2000-memory.dmp

Filesize
72KB

Download