dcrat | 3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Size

4.9MB
MD5

3da200a28718a69db8ab79214990ad7c
SHA1

b6ed723d194b8ac4b038a79ee1250881695de651
SHA256

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c
SHA512

536f668c2c1d006cc5053162d4d10ffd1d7af5728fc7c019c579ce002ebd5e10d3e7232cae85579bcb2078d30e2d0ae53ebf25115a69f42a718b011952c9d71e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2988	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2988	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2408-2-0x000000001B7B0000-0x000000001B8DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2400	powershell.exe
2500	powershell.exe
2476	powershell.exe
1472	powershell.exe
1096	powershell.exe
2708	powershell.exe
2788	powershell.exe
3056	powershell.exe
2540	powershell.exe
408	powershell.exe
924	powershell.exe
1800	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
1248	taskhost.exe
2128	taskhost.exe
1940	taskhost.exe
2504	taskhost.exe
2644	taskhost.exe
1908	taskhost.exe
2628	taskhost.exe
1472	taskhost.exe
2344	taskhost.exe
2556	taskhost.exe
2744	taskhost.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe

Drops file in Program Files directory 28 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\1610b97d3ab4a7	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXD8BD.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Windows Mail\de-DE\886983d96e3d3e	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Google\RCXD040.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\csrss.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\dwm.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\taskhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Google\6ccacd8608530f	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\RCXE5EC.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Windows Mail\de-DE\csrss.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXCA35.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Windows Media Player\winlogon.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXE7F0.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Windows Media Player\winlogon.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Google\Chrome\Application\taskhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\OSPPSVC.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\OSPPSVC.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6cb0b6c459d5d3	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Google\Chrome\Application\b75386f1303e64	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files (x86)\Google\Idle.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXDAD0.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files (x86)\Google\Idle.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\dwm.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Program Files\VideoLAN\VLC\24dbde2999530e	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCXD2B1.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

Drops file in Windows directory 16 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

description	ioc	process
File opened for modification	C:\Windows\Help\OEM\taskhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Speech\Engines\b75386f1303e64	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\tracing\csrss.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\Cursors\RCXDCD4.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\tracing\RCXDF64.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Help\OEM\taskhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Cursors\5940a34987c991	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\tracing\886983d96e3d3e	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Help\OEM\b75386f1303e64	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Speech\Engines\taskhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\Speech\Engines\RCXD6B9.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\Cursors\dllhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File created	C:\Windows\Cursors\dllhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\Help\OEM\RCXC830.tmp	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\Speech\Engines\taskhost.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
File opened for modification	C:\Windows\tracing\csrss.exe	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2740	schtasks.exe
2708	schtasks.exe
1292	schtasks.exe
1508	schtasks.exe
960	schtasks.exe
1656	schtasks.exe
2832	schtasks.exe
1820	schtasks.exe
2424	schtasks.exe
1032	schtasks.exe
1336	schtasks.exe
2900	schtasks.exe
1280	schtasks.exe
2904	schtasks.exe
1756	schtasks.exe
1520	schtasks.exe
2168	schtasks.exe
2564	schtasks.exe
1344	schtasks.exe
576	schtasks.exe
2236	schtasks.exe
1572	schtasks.exe
2436	schtasks.exe
996	schtasks.exe
2084	schtasks.exe
2156	schtasks.exe
1104	schtasks.exe
2024	schtasks.exe
2816	schtasks.exe
2548	schtasks.exe
2464	schtasks.exe
2960	schtasks.exe
2452	schtasks.exe
2540	schtasks.exe
840	schtasks.exe
1620	schtasks.exe
2728	schtasks.exe
1648	schtasks.exe
1296	schtasks.exe
1224	schtasks.exe
2676	schtasks.exe
2176	schtasks.exe
2300	schtasks.exe
2928	schtasks.exe
1268	schtasks.exe
3024	schtasks.exe
764	schtasks.exe
1048	schtasks.exe
1480	schtasks.exe
2192	schtasks.exe
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
3056	powershell.exe
2540	powershell.exe
1800	powershell.exe
2400	powershell.exe
924	powershell.exe
2500	powershell.exe
1096	powershell.exe
408	powershell.exe
2708	powershell.exe
2476	powershell.exe
1472	powershell.exe
2788	powershell.exe
1248	taskhost.exe
2128	taskhost.exe
1940	taskhost.exe
2504	taskhost.exe
2644	taskhost.exe
1908	taskhost.exe
2628	taskhost.exe
1472	taskhost.exe
2344	taskhost.exe
2556	taskhost.exe
2744	taskhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1248	taskhost.exe
Token: SeDebugPrivilege	2128	taskhost.exe
Token: SeDebugPrivilege	1940	taskhost.exe
Token: SeDebugPrivilege	2504	taskhost.exe
Token: SeDebugPrivilege	2644	taskhost.exe
Token: SeDebugPrivilege	1908	taskhost.exe
Token: SeDebugPrivilege	2628	taskhost.exe
Token: SeDebugPrivilege	1472	taskhost.exe
Token: SeDebugPrivilege	2344	taskhost.exe
Token: SeDebugPrivilege	2556	taskhost.exe
Token: SeDebugPrivilege	2744	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.execmd.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exe

description	pid	process	target process
PID 2408 wrote to memory of 2708	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2708	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2708	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2400	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2400	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2400	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2500	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2500	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2500	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1800	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1800	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1800	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2788	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2788	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2788	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2476	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2476	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2476	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 3056	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 3056	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 3056	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2540	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2540	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2540	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1472	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1472	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1472	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1096	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1096	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 1096	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 924	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 924	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 924	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 408	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 408	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 408	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	powershell.exe
PID 2408 wrote to memory of 2360	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	cmd.exe
PID 2408 wrote to memory of 2360	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	cmd.exe
PID 2408 wrote to memory of 2360	2408	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe	cmd.exe
PID 2360 wrote to memory of 1224	2360	cmd.exe	w32tm.exe
PID 2360 wrote to memory of 1224	2360	cmd.exe	w32tm.exe
PID 2360 wrote to memory of 1224	2360	cmd.exe	w32tm.exe
PID 2360 wrote to memory of 1248	2360	cmd.exe	taskhost.exe
PID 2360 wrote to memory of 1248	2360	cmd.exe	taskhost.exe
PID 2360 wrote to memory of 1248	2360	cmd.exe	taskhost.exe
PID 1248 wrote to memory of 2720	1248	taskhost.exe	WScript.exe
PID 1248 wrote to memory of 2720	1248	taskhost.exe	WScript.exe
PID 1248 wrote to memory of 2720	1248	taskhost.exe	WScript.exe
PID 1248 wrote to memory of 1784	1248	taskhost.exe	WScript.exe
PID 1248 wrote to memory of 1784	1248	taskhost.exe	WScript.exe
PID 1248 wrote to memory of 1784	1248	taskhost.exe	WScript.exe
PID 2720 wrote to memory of 2128	2720	WScript.exe	taskhost.exe
PID 2720 wrote to memory of 2128	2720	WScript.exe	taskhost.exe
PID 2720 wrote to memory of 2128	2720	WScript.exe	taskhost.exe
PID 2128 wrote to memory of 548	2128	taskhost.exe	WScript.exe
PID 2128 wrote to memory of 548	2128	taskhost.exe	WScript.exe
PID 2128 wrote to memory of 548	2128	taskhost.exe	WScript.exe
PID 2128 wrote to memory of 2244	2128	taskhost.exe	WScript.exe
PID 2128 wrote to memory of 2244	2128	taskhost.exe	WScript.exe
PID 2128 wrote to memory of 2244	2128	taskhost.exe	WScript.exe
PID 548 wrote to memory of 1940	548	WScript.exe	taskhost.exe
PID 548 wrote to memory of 1940	548	WScript.exe	taskhost.exe
PID 548 wrote to memory of 1940	548	WScript.exe	taskhost.exe
PID 1940 wrote to memory of 2696	1940	taskhost.exe	WScript.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe
"C:\Users\Admin\AppData\Local\Temp\3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MZYQImRpZ2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1224
- - C:\Windows\Help\OEM\taskhost.exe
    "C:\Windows\Help\OEM\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee3782e3-134a-43e4-b4fb-2dc93ff9b09c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2128
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d03be6e-0799-473e-bcf5-152b57b383e2.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cba2004-8d16-415b-b4f7-802a2f937f27.vbs"
        8⤵
        
        PID:2696
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63f58c0d-0272-49d0-a099-1965ec959c28.vbs"
        10⤵
        
        PID:1752
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60da3364-e17d-4b56-a2d3-b5121d64df45.vbs"
        12⤵
        
        PID:2928
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a7c2d1-c440-4150-b098-1dcd0045be8b.vbs"
        14⤵
        
        PID:812
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e588a084-43a8-4662-899d-25ce426d67bf.vbs"
        16⤵
        
        PID:1912
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79f0717c-7a08-45fb-b76c-57c99e2ae0c1.vbs"
        18⤵
        
        PID:848
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df8fbc9c-57bf-4d6c-90d1-e5d27b520d14.vbs"
        20⤵
        
        PID:892
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9e011a9-b04e-4120-b31b-c3ae89808166.vbs"
        22⤵
        
        PID:1296
        
        C:\Windows\Help\OEM\taskhost.exe
        
        C:\Windows\Help\OEM\taskhost.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592b7de6-0619-4846-ac64-b39aea6014ab.vbs"
        24⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7631da49-8035-4bcd-9fc5-bc4af1f6f651.vbs"
        24⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f34e751-544d-4df1-9e9c-7315c5f1bdc0.vbs"
        22⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4e1962-864e-453c-a478-f5b299aa14e9.vbs"
        20⤵
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c972ab0-f210-4595-81ba-73a81a507519.vbs"
        18⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27ea35c8-6f59-4ddd-86eb-e7a4ac6ab74f.vbs"
        16⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bda67a2-319f-448f-8baa-e6c070f2e93c.vbs"
        14⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\129ce743-dfe1-458e-b6bd-b4acfaab878c.vbs"
        12⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2c3f70c-6e5a-49a8-b5fa-6e7648b6cfcd.vbs"
        10⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e4e7923-22ee-4f63-8811-5ef9858c05ed.vbs"
        8⤵
        
        PID:2400
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d998db23-f0fe-4851-ad94-3b8a1dc1dbd8.vbs"
        6⤵
        
        PID:2244
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b5be25-ce79-4fbc-a318-e32ebfaf3ea3.vbs"
      4⤵
      PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\OEM\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Help\OEM\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\OEM\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Idle.exe

Filesize
4.9MB

MD5
3da200a28718a69db8ab79214990ad7c

SHA1
b6ed723d194b8ac4b038a79ee1250881695de651

SHA256
3854c9ebd49d0c236145f2311fa56bfa5798d227bc73538fc535a9fd3f496e4c

SHA512
536f668c2c1d006cc5053162d4d10ffd1d7af5728fc7c019c579ce002ebd5e10d3e7232cae85579bcb2078d30e2d0ae53ebf25115a69f42a718b011952c9d71e

Download Submit
C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe

Filesize
4.9MB

MD5
588bbab3426a0632c251c2a019588c67

SHA1
fa97103eb5346543874cc883f3bcf58b7efab1e2

SHA256
818311c6cbc9740277b470bf519b9460316acc2521f6c0f8b334770cbdf42180

SHA512
4e8a545e1adf36ea5a1dc316188acf52ebd5d43d37286ce0f15ad043c52e63405030614caafd1876d3cbd14529e983f7d703cf9292bffc5b569d0774686b0afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d03be6e-0799-473e-bcf5-152b57b383e2.vbs

Filesize
708B

MD5
0096c30b7ffbb8d2b1bd194c388154ea

SHA1
aefc8a4f7b208d6cbd06dd743e02282255a20d92

SHA256
04f7430b36bff954795a1891586e90a7b9ab65e4707b94431c6dc35fadbbeed4

SHA512
908a134e1a227335dd0c93c964a65b05cc81d85ac970b1285362c4d66e5995a4c0a9289898e15d556b7174f2e7b992e8e9d8f87ff51fc83d25db05ee99dfdcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\592b7de6-0619-4846-ac64-b39aea6014ab.vbs

Filesize
708B

MD5
76a2164c0071bd8a08d14c423369b83e

SHA1
7753b0840cb35ebbc742dbc817398595d3cacd70

SHA256
8f73dff34caf1a64cdb4143482efa69c6a0fd7b3be728e36663532f89c803244

SHA512
c1dd81fc6864b1f4554ea82a5e32ac84f61ccae0a7069c46eb82c92c08c6b083e7f32f75c23cb295d8cbb13d100f714e3876a7a4dd94c121a275a687aa30b3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\59a7c2d1-c440-4150-b098-1dcd0045be8b.vbs

Filesize
708B

MD5
362de413e2c7868fbfc87220ebf9146c

SHA1
1384b0c88023f6d1eef55ceb70c83c3db8a24409

SHA256
17558802aff058c43b91a0279ce9f96d49340ef8531f3ddcf66466b72c72f371

SHA512
99cbe306f48735c34b29e96d4bab0bef1aa5469ae1a790a620670999d7d27f90a39662e24120c86903ad0e1648754db26c216662726713cdac864cc963d7ea17

Download Submit
C:\Users\Admin\AppData\Local\Temp\60da3364-e17d-4b56-a2d3-b5121d64df45.vbs

Filesize
708B

MD5
796ae7274a8e9df6bfe9a6e0835de50a

SHA1
f45b6f1750d230d79f4a700acc4514fa3cc97f66

SHA256
3a155f529ea4816317ed39328aed8373aed27ff6ce1084b7d5e82d2ecbafcd98

SHA512
fc3545a2cfb6b3647cb096ac60b625496f363a51e3013fd451cd6a2a10420c3d0db76970b14360c4dd508709e4fd1977aa6f48aabe55d6f44b247f1dbcf15f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\63f58c0d-0272-49d0-a099-1965ec959c28.vbs

Filesize
708B

MD5
02bf06e98021ab8e037577a9145b543f

SHA1
d5eaa52536c5788a9521fe3493931d2c49f9fcb6

SHA256
19aaa09da15e86cf79d4b2361742750ddac0b871663e4f5faf96d2394cc6c7b5

SHA512
1b6b1475f60f6e9d09e39f8763595c4e07de5420c84f3afc090e6b83a41c5b7b6cfb82dd9f03dd0aa8b6f05c1f7a44971e8de7f818818ffd24d50b56ced03def

Download Submit
C:\Users\Admin\AppData\Local\Temp\79f0717c-7a08-45fb-b76c-57c99e2ae0c1.vbs

Filesize
708B

MD5
c391b34fabe24d92fa10a2f42b77ea08

SHA1
3493a70d453d4ff48fb309734110ab29c2bd694e

SHA256
c06a5bbd236638b206a553ea788158376a0dda970733a0bd601c9ce401340fb2

SHA512
d12d312660d7954808da0d94408c58295c04a6f9521f0043900db06280b32a5eefcb658ba5d72a9f116eed522961ba6ed2e4dfe9bd851ee242bc3c670164a41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cba2004-8d16-415b-b4f7-802a2f937f27.vbs

Filesize
708B

MD5
a7c5d4b32b331289406b8b2ecf5de7ee

SHA1
ce2949dfe48537e2e90b3262efc1e35aec8d3010

SHA256
4befccc90b9a38496c37834fbe5be7ae6bb784cad3ed385e027f84e32345c184

SHA512
64d2da5a462a0ac87b43ee13fd8c84ee91599a828f638abc395f7d4b6c896c226a5a92493e9dc1b559fe9257155f28a95dde05d6fd549ea2d914255c74d40eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZYQImRpZ2.bat

Filesize
197B

MD5
e09a513c1d9064606bea7dba5cc2b35f

SHA1
8d16d99d59f1a3d4b32b7cda857bbeb2f3fe2c8e

SHA256
d9297c8a403f3ac88b71ac5c888e25aa9dfe9e6e8cd0744c000cff3206826d39

SHA512
4b69a8be9ef08377b49b5a886e0f66e9a327cb1e36f1189c90c6c3ff858c1eb4fe5656ea852a952e4dcdbdde9854b84a7801701401ce736d67528cbecf1feb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0b5be25-ce79-4fbc-a318-e32ebfaf3ea3.vbs

Filesize
484B

MD5
1576070208ced637e494abcc93cc4f4b

SHA1
79e459154a6bf3f72f311e9e89811a03073302a3

SHA256
f8adc8d2ed13bd4dcac22988e64577aad2f3d8810f1da84bab6ce56aaa86f533

SHA512
108a2ef3533b0ee645185bc221bc9b006a432ab2b90fab3fa94b87b98fe51d556ae2f225b3d22ed0b4f5adfd5495337140ea675054840295c2d483e4d08281ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\df8fbc9c-57bf-4d6c-90d1-e5d27b520d14.vbs

Filesize
708B

MD5
b3b7d82ce69b82cb70a507418abb13d4

SHA1
4d876892c70dff1b4d0efb0b76540c9d4a3e5d03

SHA256
d114f7f1e057f28f938e4cecbe78dc393a43de1d1a172c352e39c3ebfc536471

SHA512
6086635f2e34efb6ba9f8f5c1abb5728060faf56d4e4829ed1ddd8283f0d6a6e16f04240d3e07d1587e843a0b208c8607376c15f7d3c2d62aefa09c37e957958

Download Submit
C:\Users\Admin\AppData\Local\Temp\e588a084-43a8-4662-899d-25ce426d67bf.vbs

Filesize
708B

MD5
b1665d5d1f25c25b56a2d1f9468d6996

SHA1
fbb8d0180945bca21ba95353185a89fd657d3b72

SHA256
f478819ff63622bffd822a17b624879d0f76a06f76f606f833ac3826f51d37b0

SHA512
4eb8cdc0df450b90e38998a3da9ae4a285aca364157a033e6435a8f65eebab2aa1a5342c0c8139b13bec84cce20ddb99596099cc99208f6239990a0ac9c1674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee3782e3-134a-43e4-b4fb-2dc93ff9b09c.vbs

Filesize
708B

MD5
fa1a3808e05e05b99064798d2d3aa471

SHA1
3811bb9b50d5b45f804dccfe5d55cc76f1a1375e

SHA256
e4bbe0ca7d9c1924bb2a77f09de131a8e03400d8e2bd54d2b17617c56d0878fa

SHA512
e997749d6d51c045d11904e29f74e793ac47470b8121b273dce3b9be7a57507a09edab23572b545baf010f26a17e354758915464bb34bbd355b65e7330979058

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9e011a9-b04e-4120-b31b-c3ae89808166.vbs

Filesize
708B

MD5
df0c7a868af8b7b77239fb182f9293cc

SHA1
a1e0185c271e48e951c955bcc799e65ca9f6fb1e

SHA256
2fc08c2406817ea75807c1d51bdb01951b58afe139827197dc6cdd532c927fa5

SHA512
44d201cff6b5220506cf8e0c483f3714746937603337dee93690a545b11bc1370c17930046a727a746fb631f5d5a61ead9c2490e69452859f772bdf013b30cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1323.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3b97b3e3d9cfcb92b683af26511133b

SHA1
7a12b2968ceba0e7888410e321a58cbecdc29fc9

SHA256
e40f4f00e42daa86082e289cac4ad91852335c5b239964612a13454ddb5d979d

SHA512
109a331e5574c4a6776b5c45f904e768f7b6c5f7cc699f0f0926aa26a4ab06ef2292311015e3e0270da7d9a21eecde54fdf86ee4c4d50abb58b544d2967ef03e

Download Submit
C:\Windows\Cursors\dllhost.exe

Filesize
4.9MB

MD5
7b65de4ac5daa87fa31eb38d90324859

SHA1
38c20334aacd3e266929638a26696547dfcfe851

SHA256
bb567c0da7e1c0c5102ae5a645316e170219f93f0ac63b31994865d5ab145e13

SHA512
5eca18d0c016b80aa9d5a77a90958f48390a4a207ca12edfd7ef49b4400d0736e2dd0f9b86d5283b1ed00c07a57c5d71749a03f0b66b73f8b1dec3a9b87c0d78

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1248-246-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1248-245-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/1908-318-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2128-260-0x00000000012F0000-0x00000000017E4000-memory.dmp

Filesize
5.0MB

Download
memory/2344-361-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2408-12-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2408-10-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2408-1-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/2408-2-0x000000001B7B0000-0x000000001B8DE000-memory.dmp

Filesize
1.2MB

Download
memory/2408-152-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-145-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2408-15-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2408-14-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2408-13-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2408-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/2408-11-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2408-3-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-200-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-9-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/2408-8-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2408-7-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2408-6-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2408-5-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2408-4-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2504-289-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download
memory/2540-195-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2556-376-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/2556-377-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2744-392-0x0000000000D90000-0x0000000001284000-memory.dmp

Filesize
5.0MB

Download
memory/3056-197-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download