dcrat | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Size

4.9MB
MD5

6980bcd5d7d665f70f434120a1d20549
SHA1

8104f0c2f92ecb1ab9c6700f14d56059a93a9465
SHA256

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
SHA512

2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2564	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2644-2-0x000000001B2F0000-0x000000001B41E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1284	powershell.exe
1772	powershell.exe
1952	powershell.exe
2848	powershell.exe
1396	powershell.exe
1972	powershell.exe
608	powershell.exe
1740	powershell.exe
2156	powershell.exe
580	powershell.exe
2412	powershell.exe
1724	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	process
2508	sppsvc.exe
2748	sppsvc.exe
2556	sppsvc.exe
1972	sppsvc.exe
1444	sppsvc.exe
2208	sppsvc.exe
684	sppsvc.exe
2592	sppsvc.exe
2672	sppsvc.exe
2080	sppsvc.exe
1152	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 28 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

description	ioc	process
File created	C:\Program Files\7-Zip\6203df4a6bafc7	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\RCXC73.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Google\sppsvc.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Google\sppsvc.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Google\0a1fd5f707cd16	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\explorer.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Adobe\spoolsv.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\cc11b995f2a76d	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX1BD5.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\dwm.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\7a0fd90576e088	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\6cb0b6c459d5d3	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\7-Zip\lsass.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\winlogon.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\explorer.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Adobe\f3b6ecef712a24	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\7-Zip\lsass.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX2461.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCX85B.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\7-Zip\RCX1E46.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Google\RCX204A.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\0a1fd5f707cd16	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Adobe\spoolsv.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX2869.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\winlogon.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\dwm.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Drops file in Windows directory 8 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

description	ioc	process
File opened for modification	C:\Windows\debug\WIA\explorer.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\RCX224E.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\smss.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\debug\WIA\explorer.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\debug\WIA\7a0fd90576e088	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\smss.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\69ddcba757bf72	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Windows\debug\WIA\RCX19D2.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1632	schtasks.exe
2960	schtasks.exe
1704	schtasks.exe
1712	schtasks.exe
2196	schtasks.exe
2948	schtasks.exe
1168	schtasks.exe
2188	schtasks.exe
1916	schtasks.exe
2376	schtasks.exe
1108	schtasks.exe
1468	schtasks.exe
2320	schtasks.exe
1716	schtasks.exe
2756	schtasks.exe
2540	schtasks.exe
1444	schtasks.exe
1356	schtasks.exe
2412	schtasks.exe
1612	schtasks.exe
2060	schtasks.exe
3056	schtasks.exe
356	schtasks.exe
2408	schtasks.exe
2280	schtasks.exe
1664	schtasks.exe
1636	schtasks.exe
992	schtasks.exe
2380	schtasks.exe
2584	schtasks.exe
2888	schtasks.exe
1060	schtasks.exe
1912	schtasks.exe
1780	schtasks.exe
2596	schtasks.exe
2640	schtasks.exe
1676	schtasks.exe
2384	schtasks.exe
1152	schtasks.exe
1736	schtasks.exe
1816	schtasks.exe
2012	schtasks.exe
2460	schtasks.exe
2448	schtasks.exe
1864	schtasks.exe
988	schtasks.exe
2892	schtasks.exe
536	schtasks.exe
2240	schtasks.exe
832	schtasks.exe
1460	schtasks.exe
3012	schtasks.exe
1392	schtasks.exe
2148	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid process

2508 sppsvc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	process
2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
1952	powershell.exe
2848	powershell.exe
2412	powershell.exe
2156	powershell.exe
1972	powershell.exe
1284	powershell.exe
580	powershell.exe
608	powershell.exe
1724	powershell.exe
1740	powershell.exe
1772	powershell.exe
1396	powershell.exe
2508	sppsvc.exe
2748	sppsvc.exe
2556	sppsvc.exe
1972	sppsvc.exe
1444	sppsvc.exe
2208	sppsvc.exe
684	sppsvc.exe
2592	sppsvc.exe
2672	sppsvc.exe
2080	sppsvc.exe
1152	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2508	sppsvc.exe
Token: SeDebugPrivilege	2748	sppsvc.exe
Token: SeDebugPrivilege	2556	sppsvc.exe
Token: SeDebugPrivilege	1972	sppsvc.exe
Token: SeDebugPrivilege	1444	sppsvc.exe
Token: SeDebugPrivilege	2208	sppsvc.exe
Token: SeDebugPrivilege	684	sppsvc.exe
Token: SeDebugPrivilege	2592	sppsvc.exe
Token: SeDebugPrivilege	2672	sppsvc.exe
Token: SeDebugPrivilege	2080	sppsvc.exe
Token: SeDebugPrivilege	1152	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.execmd.exesppsvc.exeWScript.exesppsvc.exe

description	pid	process	target process
PID 2644 wrote to memory of 1740	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1740	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1740	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2156	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2156	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2156	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1284	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1284	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1284	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 580	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 580	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 580	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2412	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2412	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2412	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1772	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1772	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1772	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1724	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1724	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1724	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1396	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1396	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1396	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1952	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1952	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1952	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1972	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1972	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1972	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2848	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2848	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 2848	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 608	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 608	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 608	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2644 wrote to memory of 1464	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	cmd.exe
PID 2644 wrote to memory of 1464	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	cmd.exe
PID 2644 wrote to memory of 1464	2644	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	cmd.exe
PID 1464 wrote to memory of 2304	1464	cmd.exe	w32tm.exe
PID 1464 wrote to memory of 2304	1464	cmd.exe	w32tm.exe
PID 1464 wrote to memory of 2304	1464	cmd.exe	w32tm.exe
PID 1464 wrote to memory of 2508	1464	cmd.exe	sppsvc.exe
PID 1464 wrote to memory of 2508	1464	cmd.exe	sppsvc.exe
PID 1464 wrote to memory of 2508	1464	cmd.exe	sppsvc.exe
PID 1464 wrote to memory of 2508	1464	cmd.exe	sppsvc.exe
PID 1464 wrote to memory of 2508	1464	cmd.exe	sppsvc.exe
PID 2508 wrote to memory of 2064	2508	sppsvc.exe	WScript.exe
PID 2508 wrote to memory of 2064	2508	sppsvc.exe	WScript.exe
PID 2508 wrote to memory of 2064	2508	sppsvc.exe	WScript.exe
PID 2508 wrote to memory of 2832	2508	sppsvc.exe	WScript.exe
PID 2508 wrote to memory of 2832	2508	sppsvc.exe	WScript.exe
PID 2508 wrote to memory of 2832	2508	sppsvc.exe	WScript.exe
PID 2064 wrote to memory of 2748	2064	WScript.exe	sppsvc.exe
PID 2064 wrote to memory of 2748	2064	WScript.exe	sppsvc.exe
PID 2064 wrote to memory of 2748	2064	WScript.exe	sppsvc.exe
PID 2064 wrote to memory of 2748	2064	WScript.exe	sppsvc.exe
PID 2064 wrote to memory of 2748	2064	WScript.exe	sppsvc.exe
PID 2748 wrote to memory of 1704	2748	sppsvc.exe	WScript.exe
PID 2748 wrote to memory of 1704	2748	sppsvc.exe	WScript.exe
PID 2748 wrote to memory of 1704	2748	sppsvc.exe	WScript.exe
PID 2748 wrote to memory of 876	2748	sppsvc.exe	WScript.exe
PID 2748 wrote to memory of 876	2748	sppsvc.exe	WScript.exe
PID 2748 wrote to memory of 876	2748	sppsvc.exe	WScript.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
"C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pIS9nw5fyr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2304
- - C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
    "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2508
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d81e5da5-341a-4a78-bc68-9e170faf6127.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2748
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b8fe50-8374-46ed-a0c1-8b0ca6c2cea1.vbs"
        6⤵
        
        PID:1704
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7e41240-61f4-41b6-9b2a-a5ea3f6c55f9.vbs"
        8⤵
        
        PID:296
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2aaf296-a9eb-4ab6-92d2-2cdcaea71607.vbs"
        10⤵
        
        PID:1284
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f72520-0b75-4c85-9b46-ff5b195fab03.vbs"
        12⤵
        
        PID:408
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add5e0b7-9080-4054-962f-6fbdfc43f3f7.vbs"
        14⤵
        
        PID:1532
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6369f5c5-001a-412d-8a9c-168e588431f2.vbs"
        16⤵
        
        PID:2392
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31bd90c0-e937-4460-b240-11aa3c3b0b87.vbs"
        18⤵
        
        PID:2720
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06747bf0-d96e-45d7-a4f5-99760f55dff3.vbs"
        20⤵
        
        PID:2544
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25557167-25d4-4d4a-a308-2a7b4e845c23.vbs"
        22⤵
        
        PID:1232
        
        C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0424a85-7465-4f05-a31d-1c48ba9b7b3c.vbs"
        24⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69bd9513-7281-41ab-82d2-02ead1538870.vbs"
        24⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\225023ab-8dc5-431a-aa0b-5c9762971cb4.vbs"
        22⤵
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38eb5c31-b0ab-407e-a9d9-1cec0a1343c5.vbs"
        20⤵
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\147cd6ef-4321-4db2-818b-b26a12fddf13.vbs"
        18⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e95ebd72-7cbe-4a6e-a039-b60d0318eef8.vbs"
        16⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fe9b23f-d509-4d0b-a838-ed43418917c2.vbs"
        14⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dd7e3d0-8d5a-4de1-b4ea-29d08f5bbf6c.vbs"
        12⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53b93ac-34f8-4e0c-b6c3-67dbdb81e21a.vbs"
        10⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59f2d634-5ec6-4e0c-9a29-b7f5a3b2e25d.vbs"
        8⤵
        
        PID:2452
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ca6c4a-3fc9-4665-a92b-fd9113202623.vbs"
        6⤵
        
        PID:876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d20393-eafd-48ea-8482-181d37e8b7bb.vbs"
      4⤵
      PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\debug\WIA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\taskhost.exe

Filesize
4.9MB

MD5
b0c64863dfe1c27d05e33c6ec6295974

SHA1
9a69610c3173e5ebc1a64cb4870ddfb6910ba078

SHA256
de73a094a3566eb9da3c4500e0cb039bc2410d7e81bb5f2b5a6c2b64a1cc2071

SHA512
994e50d4fe6753b5f397aea33521e3745c11b9eec36dc0a6a0f63aee7d86ed7407c7f314afefda587f6ed821e5d61720949327e94b9450e5ea0542b4ee6bcb65

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\RCX1359.tmp

Filesize
4.9MB

MD5
7ce0541236aad2c9539cab6051a23fa8

SHA1
0de96a23b41dade91498a129f8c06ecb7a896fca

SHA256
bd693c7c44cb957b0799574198da8567ae712f02731e95fb6e483805c027834a

SHA512
f2c39213fea9f541e6c94a6ade684e2a10a84a3da9ba377db5ffda601be1eaddfbcd60deef3e03dadaf9ab8ee227aebf678114c6d1add5d1a62b67dbb7ad54ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\04b8fe50-8374-46ed-a0c1-8b0ca6c2cea1.vbs

Filesize
733B

MD5
e9d7e9b3a848ee3705ec5429db3057aa

SHA1
d8129a81c6888f01302fe78f8a619983151ae508

SHA256
e75e899defab66d4f1151a9f14d42d06a5cb32ea7472ca4077292c91c6b18880

SHA512
aeb24565d561d0e906f0519f89cc559bcdfb3fa4b28d6f888cf8cd532cecd95232fc6bb9046a4c587da265d1e682d086cf9a800d2eead6affc0dba70ec10c68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\06747bf0-d96e-45d7-a4f5-99760f55dff3.vbs

Filesize
733B

MD5
0ecea007aa030304ca461f8d15dc3d14

SHA1
fea5a6ef914bc158e916eeea54c73674a64cafe9

SHA256
062cfc3c588525467d47866e8cd3c23407b2191d665c0f8bc14fe93093ce18ed

SHA512
4329ac6d8b26fa66076f06312c05c4d1affb5ca3c8218536ca31a406a4bfcf60a3e04a38b7352c60447d7c89a87abc0fa6fd23deb11bab217d0735537f897010

Download Submit
C:\Users\Admin\AppData\Local\Temp\25557167-25d4-4d4a-a308-2a7b4e845c23.vbs

Filesize
733B

MD5
81661569a905c2294f61747b37a208c4

SHA1
9be54815f87ab6e7b770dbfd29389dd47b5efc62

SHA256
9e800ee98630d0d1f1b7ddb59c8472607b1c0011ac14cbee2b797eac498fb48c

SHA512
b1a0196bc514eaa761cd5ef016c03350d64ce222ce18a62fda29305b3bda1126199371f66bc80782f62fb9791aaf2374efbf21063bf190fb322eb8d71a85ac02

Download Submit
C:\Users\Admin\AppData\Local\Temp\31bd90c0-e937-4460-b240-11aa3c3b0b87.vbs

Filesize
733B

MD5
983cd7782903a78c2d148105af041827

SHA1
b03d2a8608a1686725ec3440c1ea21389ef6cec9

SHA256
7c765a088f03c58a619dc27e3c17590666ec8acf01903add6378d82b6537cdf3

SHA512
6a8d71c2bb775daebc4c5be94d028839eb3b1f95f72cb448054bb3e57c85b41db50d556c5e1d82ca7738f7535b7350c57810ed4350bf26acdb95c667c6e6016c

Download Submit
C:\Users\Admin\AppData\Local\Temp\60d20393-eafd-48ea-8482-181d37e8b7bb.vbs

Filesize
509B

MD5
61c097d694cdfe08991844076614ef88

SHA1
6974f300427f0ba15cb2c4cf6a83eae49797258a

SHA256
3f66b2d24a4eb7f6ed5888fbbef7d874b04d61833f607a061759d77802ee3b71

SHA512
a3fdc7b428e1b154a157de63dc2ab61f727f5bd6a0edf6bf0e14286545ef5eaaed4c7e148438515b4a96ee89fb866b0ceeb28e798e785840c9ce23d72277d0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\6369f5c5-001a-412d-8a9c-168e588431f2.vbs

Filesize
732B

MD5
7e16df0c031649c3ba8cc19ccdb97ba8

SHA1
4048b1dbde96620a24f1794425d90b1c7552eb5a

SHA256
ccac6694c989e57adeea70ab20e80d910de2ab964079ad4e6956d2a2b9d3545e

SHA512
55e09fb53cd94c7aa19bdd551de1212401d672415d2c2365a5d3a8bb2df3100669827f6655d794275fe5bcb676cfc47d0c475ebccb37a5244d02071ad18ef9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\add5e0b7-9080-4054-962f-6fbdfc43f3f7.vbs

Filesize
733B

MD5
c8db9108d532d378980b62863cf84c6f

SHA1
5ee175de49ac2fc8158e02d1d24ba5048a7f6207

SHA256
455d85be2e3443c2fb109e80790eda1626479a7644f0f4e2c1d7240b3b04a04c

SHA512
44882ae628305d84c597408bc2cd105642ee2d2cccbf86427a49a7e25116b954f09da97916d14a5a212f870139d31f88c35e875702348ed7dcbda549de26910b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0424a85-7465-4f05-a31d-1c48ba9b7b3c.vbs

Filesize
733B

MD5
0372f1c2afe0d7fddda1c69beb2e5bbf

SHA1
1157abc08674a3888aaf131ec75973c730661083

SHA256
e1acf6bd101784fe0cdf317c1cc7e71aa86b4e4b819e22949deca75375dc33c2

SHA512
5517b7fdc8e8cb19fcf91b98b1b4b5671946fb244e9b9015c46505b273b751fbdea10424b1cd47355635adf7121561491128f1933b14c8da4127f5147e0e031b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7e41240-61f4-41b6-9b2a-a5ea3f6c55f9.vbs

Filesize
733B

MD5
81793a092f0be161161d912ab24ab618

SHA1
f1781a2d3f3ddc9f0879fcf8fcdc43407f0cf818

SHA256
71e043886c5026ee75c71b59c736c4f44eeecc735b851579a21d705e84950579

SHA512
0b46cefc135a110ec6b1e2bd8f308d662eff91b8051eaa5cb636eb2a97df239027a3a0c9159bf2a9a6f84141e1f2606a08e091da5d22cf0a3586e5a831f019ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2aaf296-a9eb-4ab6-92d2-2cdcaea71607.vbs

Filesize
733B

MD5
4a669de59783ae77da9b23960076e8d4

SHA1
72be27ba4fb6308ba46a5972df51ba8f3e3f8e28

SHA256
b6934a1b9ffe87cb4c3f5c931499049ed4b422ddc760960d0f23671ce05b22c1

SHA512
6d8086623a1b6a128636c67b786ecbd82a4827e69bf3c23d629a2c9c9f46bab3636c4c9358f0ec90f5e4fecea48b5058d0eb762c1f308ee2535692ddf1135631

Download Submit
C:\Users\Admin\AppData\Local\Temp\d81e5da5-341a-4a78-bc68-9e170faf6127.vbs

Filesize
733B

MD5
31f7a68c5cc41de457dbc643525d5e4d

SHA1
52c94f129ce6f7025ef91ccc07eb3a60677a53e3

SHA256
98ff1ce8764b85f0229391e5e610edb53892e87ddff9518b82fb537d746adf64

SHA512
2a9d3994402eba26fc407b3bf1d893997c5880a18198f9f5a5eb2fe2ada6756dad835fc426464bf7ee785acdb830b35671bd8cfdeda5ee4f0e70409e69afb747

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9f72520-0b75-4c85-9b46-ff5b195fab03.vbs

Filesize
733B

MD5
89581492ec884c9dbd556f5ca40fc604

SHA1
6e8e18fa239155b8cb658fe9a255cde833142137

SHA256
60abf8c47e12b59a34033858b2519c9d23af42b92170012934e186027a46c840

SHA512
a58843464a0a4996eeea61d0edc53cd2dbd7a01492b9c91bba9b7e5b75c7265ad25b1a87f8abfc50826c9336f736276c5f01815e835c1d13d7102b11eb02b84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIS9nw5fyr.bat

Filesize
222B

MD5
101b3e4e22f90a9ca88a4c10cb496cbb

SHA1
0c34b6a3faa5035fa2cef52570d68f42c3da0af5

SHA256
f8104827ac8d0643122613053084a86d3aec8dd269094f4293ccddd75e7c1bc9

SHA512
56199a1102c72f83a6b26aa31c2fad25312d23b79df7baf69f2fe017bbc95aea91d7c79f2335f6bbd8b3cd7b84db512059cd1210e682d8973ef636ab54861094

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T2Y0WPSIAOVQAP9H5T1Z.temp

Filesize
7KB

MD5
8d33f9112b81d97d63e972df06675460

SHA1
35c3f40e87223789e83e740c17006ed0baeb32dd

SHA256
82acc67bb1fd09861f1bf4d64b02f1bd46780b9023d981cab03e639133fe8472

SHA512
2a7c001b60577d2155e121d984509e3fd7b54298939a8723b67d39cec2dea9368b565f9a5c8cd8420344a55a24b6230ecbf2920075eb9f396d4ab5d4b8f00c3f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\lsass.exe

Filesize
4.9MB

MD5
6980bcd5d7d665f70f434120a1d20549

SHA1
8104f0c2f92ecb1ab9c6700f14d56059a93a9465

SHA256
c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

SHA512
2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3

Download Submit
memory/1152-396-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/1952-213-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1952-219-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/1972-294-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2080-381-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2080-380-0x0000000000C70000-0x0000000001164000-memory.dmp

Filesize
5.0MB

Download
memory/2508-252-0x0000000000CE0000-0x00000000011D4000-memory.dmp

Filesize
5.0MB

Download
memory/2644-11-0x0000000002450000-0x000000000245A000-memory.dmp

Filesize
40KB

Download
memory/2644-9-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/2644-153-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-138-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2644-14-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2644-16-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/2644-15-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2644-13-0x0000000002470000-0x000000000247E000-memory.dmp

Filesize
56KB

Download
memory/2644-12-0x0000000002460000-0x000000000246E000-memory.dmp

Filesize
56KB

Download
memory/2644-0-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2644-10-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/2644-186-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-7-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/2644-8-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2644-1-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/2644-6-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2644-5-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2644-4-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2644-3-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-2-0x000000001B2F0000-0x000000001B41E000-memory.dmp

Filesize
1.2MB

Download
memory/2672-365-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download