dcrat | b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Size

4.9MB
MD5

a450c06717644483e3437db615ea4114
SHA1

93ece99062cee7344d7059986cc4727c92dbfca9
SHA256

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a
SHA512

cb7d295f30fa69e98f52ac240e76ed9e776142a898a15c0a8911a693ccdcea441281a79c2b7f0e1e6567cc0bb73a9a6320c359a4a775b943fc84b78df6e42a24
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8+:e

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2392	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeb8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1064-3-0x000000001B7C0000-0x000000001B8EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2488	powershell.exe
1656	powershell.exe
600	powershell.exe
2972	powershell.exe
1352	powershell.exe
1860	powershell.exe
2156	powershell.exe
2484	powershell.exe
2856	powershell.exe
1852	powershell.exe
2244	powershell.exe
2476	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2796	spoolsv.exe
1736	spoolsv.exe
2364	spoolsv.exe
380	spoolsv.exe
2396	spoolsv.exe
2336	spoolsv.exe
2832	spoolsv.exe
1740	spoolsv.exe
2424	spoolsv.exe
444	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeb8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exespoolsv.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 40 IoCs

Processes:

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\it-IT\WmiPrvSE.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Reference Assemblies\Idle.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Windows Media Player\en-US\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCXADB1.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXB051.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCXB860.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXBCD5.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXCED7.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Common Files\Services\System.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Common Files\Services\27d1bcfc3c54e0	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Windows Media Player\it-IT\WmiPrvSE.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXAB7E.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\sppsvc.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXBF65.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXA96A.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\cc11b995f2a76d	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\f3b6ecef712a24	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Windows Media Player\en-US\25c4039600c19f	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Common Files\Services\1610b97d3ab4a7	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\System.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\6203df4a6bafc7	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\0a1fd5f707cd16	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Windows Media Player\it-IT\24dbde2999530e	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Reference Assemblies\Idle.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCXB65C.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\25c4039600c19f	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\Reference Assemblies\6ccacd8608530f	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\sppsvc.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCXC457.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

Drops file in Windows directory 9 IoCs

Processes:

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

description	ioc	process
File opened for modification	C:\Windows\Setup\State\RCXC85E.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Windows\Tasks\Idle.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Windows\Setup\State\5940a34987c991	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Windows\schemas\EAPMethods\taskhost.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Windows\Tasks\RCXBA64.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Windows\Tasks\Idle.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Windows\Setup\State\dllhost.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Windows\Tasks\6ccacd8608530f	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Windows\Setup\State\dllhost.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2968	schtasks.exe
2572	schtasks.exe
1968	schtasks.exe
1316	schtasks.exe
3024	schtasks.exe
1528	schtasks.exe
1600	schtasks.exe
2872	schtasks.exe
2704	schtasks.exe
2924	schtasks.exe
2920	schtasks.exe
1036	schtasks.exe
2688	schtasks.exe
1492	schtasks.exe
2776	schtasks.exe
1908	schtasks.exe
2904	schtasks.exe
2112	schtasks.exe
2984	schtasks.exe
1556	schtasks.exe
2812	schtasks.exe
1052	schtasks.exe
840	schtasks.exe
776	schtasks.exe
3032	schtasks.exe
2896	schtasks.exe
2832	schtasks.exe
1660	schtasks.exe
308	schtasks.exe
1612	schtasks.exe
2132	schtasks.exe
2288	schtasks.exe
2728	schtasks.exe
984	schtasks.exe
644	schtasks.exe
1596	schtasks.exe
3036	schtasks.exe
316	schtasks.exe
1644	schtasks.exe
2216	schtasks.exe
1964	schtasks.exe
3016	schtasks.exe
2668	schtasks.exe
1776	schtasks.exe
2600	schtasks.exe
2888	schtasks.exe
2156	schtasks.exe
2988	schtasks.exe
1728	schtasks.exe
1284	schtasks.exe
1128	schtasks.exe
2964	schtasks.exe
2772	schtasks.exe
1792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
2244	powershell.exe
2484	powershell.exe
2156	powershell.exe
1852	powershell.exe
2972	powershell.exe
2856	powershell.exe
1656	powershell.exe
1860	powershell.exe
1352	powershell.exe
2476	powershell.exe
600	powershell.exe
2488	powershell.exe
2796	spoolsv.exe
1736	spoolsv.exe
2364	spoolsv.exe
380	spoolsv.exe
2396	spoolsv.exe
2336	spoolsv.exe
2832	spoolsv.exe
1740	spoolsv.exe
2424	spoolsv.exe
444	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2796	spoolsv.exe
Token: SeDebugPrivilege	1736	spoolsv.exe
Token: SeDebugPrivilege	2364	spoolsv.exe
Token: SeDebugPrivilege	380	spoolsv.exe
Token: SeDebugPrivilege	2396	spoolsv.exe
Token: SeDebugPrivilege	2336	spoolsv.exe
Token: SeDebugPrivilege	2832	spoolsv.exe
Token: SeDebugPrivilege	1740	spoolsv.exe
Token: SeDebugPrivilege	2424	spoolsv.exe
Token: SeDebugPrivilege	444	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.execmd.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exe

description	pid	process	target process
PID 1064 wrote to memory of 2244	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2244	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2244	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2476	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2476	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2476	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2156	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2156	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2156	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1352	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1352	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1352	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2488	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2488	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2488	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1860	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1860	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1860	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2972	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2972	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2972	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 600	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 600	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 600	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1852	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1852	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1852	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2484	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2484	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2484	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2856	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2856	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 2856	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1656	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1656	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1656	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	powershell.exe
PID 1064 wrote to memory of 1516	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	cmd.exe
PID 1516 wrote to memory of 1768	1516	cmd.exe	w32tm.exe
PID 1516 wrote to memory of 1768	1516	cmd.exe	w32tm.exe
PID 1516 wrote to memory of 1768	1516	cmd.exe	w32tm.exe
PID 1516 wrote to memory of 2796	1516	cmd.exe	spoolsv.exe
PID 1516 wrote to memory of 2796	1516	cmd.exe	spoolsv.exe
PID 1516 wrote to memory of 2796	1516	cmd.exe	spoolsv.exe
PID 2796 wrote to memory of 112	2796	spoolsv.exe	WScript.exe
PID 2796 wrote to memory of 112	2796	spoolsv.exe	WScript.exe
PID 2796 wrote to memory of 112	2796	spoolsv.exe	WScript.exe
PID 2796 wrote to memory of 2556	2796	spoolsv.exe	WScript.exe
PID 2796 wrote to memory of 2556	2796	spoolsv.exe	WScript.exe
PID 2796 wrote to memory of 2556	2796	spoolsv.exe	WScript.exe
PID 112 wrote to memory of 1736	112	WScript.exe	spoolsv.exe
PID 112 wrote to memory of 1736	112	WScript.exe	spoolsv.exe
PID 112 wrote to memory of 1736	112	WScript.exe	spoolsv.exe
PID 1736 wrote to memory of 1700	1736	spoolsv.exe	WScript.exe
PID 1736 wrote to memory of 1700	1736	spoolsv.exe	WScript.exe
PID 1736 wrote to memory of 1700	1736	spoolsv.exe	WScript.exe
PID 1736 wrote to memory of 2656	1736	spoolsv.exe	WScript.exe
PID 1736 wrote to memory of 2656	1736	spoolsv.exe	WScript.exe
PID 1736 wrote to memory of 2656	1736	spoolsv.exe	WScript.exe
PID 1700 wrote to memory of 2364	1700	WScript.exe	spoolsv.exe
PID 1700 wrote to memory of 2364	1700	WScript.exe	spoolsv.exe
PID 1700 wrote to memory of 2364	1700	WScript.exe	spoolsv.exe
PID 2364 wrote to memory of 2756	2364	spoolsv.exe	WScript.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeb8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
"C:\Users\Admin\AppData\Local\Temp\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsfnqqPpMo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1768
- - C:\MSOCache\All Users\spoolsv.exe
    "C:\MSOCache\All Users\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7ec87e5-ec70-40fb-b25d-4f11c4fd7773.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1736
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30229edf-29ee-4ed3-bbb1-533e792a3dcd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45910305-6e4f-4b36-99ee-4c222d8a094c.vbs"
        8⤵
        
        PID:2756
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c37df5e-1ffa-46e9-b084-3424214b3f36.vbs"
        10⤵
        
        PID:1976
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75e56775-b5ad-446a-ba24-7b63648f53de.vbs"
        12⤵
        
        PID:2080
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de9bd052-b1f4-4706-a94a-bab1b36cc5f6.vbs"
        14⤵
        
        PID:1556
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fa490b4-06c0-43f7-9d7c-734a9b0e87c8.vbs"
        16⤵
        
        PID:2364
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2a0e75-20f5-42b7-94ea-ac3bfb3689d2.vbs"
        18⤵
        
        PID:1652
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a78755e-abdc-487c-b69e-3887b4d22f58.vbs"
        20⤵
        
        PID:1620
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e41a6c0-16bc-49d6-add9-01247433e16c.vbs"
        22⤵
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f771086-f72e-4e45-8b4c-d86360c57519.vbs"
        22⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e6f7a95-270a-4f1f-86c3-e5233065d00b.vbs"
        20⤵
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ee2287c-ae45-4c5a-8d56-9c883bd3f24a.vbs"
        18⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f18071d-9def-4638-91ef-490bc930963a.vbs"
        16⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\387565fa-24d7-4d85-9231-f236b7c6bab1.vbs"
        14⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb146828-7f40-4ddc-a5d9-72bacfa5ab26.vbs"
        12⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b216732f-7413-495c-a85d-eb6f82eb56ae.vbs"
        10⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9c2e2a1-49bf-4a52-b00c-44f2cf4964dd.vbs"
        8⤵
        
        PID:2856
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60023090-8dce-42b2-a645-da956a880335.vbs"
        6⤵
        
        PID:2656
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27058ce3-524a-4eab-afdb-51f29b5427bf.vbs"
      4⤵
      PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94ab" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94ab" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94ab" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\en-US\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94ab" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe

Filesize
4.9MB

MD5
a450c06717644483e3437db615ea4114

SHA1
93ece99062cee7344d7059986cc4727c92dbfca9

SHA256
b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a

SHA512
cb7d295f30fa69e98f52ac240e76ed9e776142a898a15c0a8911a693ccdcea441281a79c2b7f0e1e6567cc0bb73a9a6320c359a4a775b943fc84b78df6e42a24

Download Submit
C:\Program Files\Windows Media Player\it-IT\RCXCED7.tmp

Filesize
4.9MB

MD5
6c59b2c2c2e06437b2c8595e6e26df1d

SHA1
5a3b16d0b4a3e541a4a99fb8ced54b1aa16a9779

SHA256
08a8c1e22e7be4338ff0cfe98114c2e75351b81d6409a43687b91fc74d0a5ffb

SHA512
ff417525137fc2ab5d541c5ddcfc861b10b4733ff78778eab83f190a0c6add4e65e041bc8599b20b9b66deeebbe559745bed739adaa63d722e6a3ad91a2aa8ba

Download Submit
C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe

Filesize
4.9MB

MD5
153f8fadaf93eb3887b50693ea8df395

SHA1
accf5c91442fc4dcea2c81218249afb47a82a631

SHA256
0aba0d838a204695e77132095eedd18882733d839ead64b0d685e97267beaeac

SHA512
e01751c1a226cdb769149da602aba8860890cacd8b3fe69725084358521ba938c8889b1301a3eca21e725e3c43c4c3ee49aa7c232ef4d9f38b07da535f7ffe8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c37df5e-1ffa-46e9-b084-3424214b3f36.vbs

Filesize
708B

MD5
72dd0e12a4e06f9192fec56b36e9bc7e

SHA1
63d68d06a1d20e7bdc17a5aa3a46aa76101592e3

SHA256
572aacd3df1680cfb30d1342168b64246ff4d6920ad383013c353e71dfd14138

SHA512
4ee16f43739b8f49a81a1ea4289c148acaf0f476fe667fcf680d061de53506de6a79ac855bde23fa317f1aa6ac3409de2eaac072a2ebb96172171239393b1ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fa490b4-06c0-43f7-9d7c-734a9b0e87c8.vbs

Filesize
709B

MD5
f77a211eb50c6efa1fbd8fe0a723a6ae

SHA1
a4df0329a4db3370f4bfc2fc3d53d50c39102718

SHA256
ef44a5c87753b3e7ab06275d1389bf8728908a849f7f6dedb6575b6b7137ceeb

SHA512
2bccce978c56159835d15fe10bdfe743f80652a73e8679c9416fa1e3d6349226049fbe3490345b221f2818b07bce79195354e0cf9408fa8b1d8bb7f61d488dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\27058ce3-524a-4eab-afdb-51f29b5427bf.vbs

Filesize
485B

MD5
66abb12887086ce9f0e26eb4d1b79405

SHA1
4597ce7d1114ea6e8ff5ec9c16f0a7e21917b1ee

SHA256
c9619d1a3df2e63607d6a499f0e25716e31585a2afcf05d4877074842638c1ae

SHA512
3105336da8c9ac320441b518d53e17c920f936a66c892bed2eb04a57ac3504240ca767e884e70d95d201d92d2adcd94699bb34eed23dc74d558768b5e080ab62

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a78755e-abdc-487c-b69e-3887b4d22f58.vbs

Filesize
709B

MD5
78cf1e195673d67713ae2161268af491

SHA1
1bde05fe1da3f6648a5841cf891467de5cc22807

SHA256
2c7f190343339bb4b678231716a1820e9a9031e9946eea33c144eda4c03c2ceb

SHA512
03521d7f9fa4be7c9cea45951d6ddb79e9bdf890753d133b3033b2b066bb9dd68d2cc7095b1149cb3ee2421bfae71fe4fe38dcb7cde0887f42595476ddbb064e

Download Submit
C:\Users\Admin\AppData\Local\Temp\30229edf-29ee-4ed3-bbb1-533e792a3dcd.vbs

Filesize
709B

MD5
09cb5092ddd078e6e1ef337e5b7a6f5c

SHA1
a359f2b684055b3f1d8a8f6178ec2a9ccff295a3

SHA256
aa45d1ba71ed8c1f9b212b1a528adce84c31689472b8a55fda42af5d207c9199

SHA512
dedd567c8c7cb548beb9acde51c7b975bddb02a67729d21b107cee0748ae85589c93d5257bfd202655b07aed06065180c08e3cfeeb6fc783f70522f05c40e7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\45910305-6e4f-4b36-99ee-4c222d8a094c.vbs

Filesize
709B

MD5
4718d203a1cf18403dc53f1a10cab709

SHA1
88b50860515db03cfaaf07e69c625fddc5a6b618

SHA256
5c1d7fa412487b0eb43218df62c81205cc712e191f4568bba7d1165676b6b3fd

SHA512
8c13153a37d4786b39408718a51b2f7b46780b38cefd572e3c579c827b5ac4b5945e15a57ac35ed1242ca54619292444647d3f2c4dbe72d02c801c93088509d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e41a6c0-16bc-49d6-add9-01247433e16c.vbs

Filesize
708B

MD5
18ccdac31f91b15e8bced37197ac79d6

SHA1
1bbb34833af6efc99c226f5e3fb4315780327db4

SHA256
870d8233736b17ae893fe9aa3e8cc85cb90fd879ebe5b32e866377910654020a

SHA512
400b0dfc95ff0eeb42f32846b8bf25418962a97e59f57f5093ec650a0275af49ea1fe05b113da68b110143cafa7e785654d596d88544e3d7d4cd66778525c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\75e56775-b5ad-446a-ba24-7b63648f53de.vbs

Filesize
709B

MD5
d16af835426bdbe79f92d5e6714bc953

SHA1
269f653906ab1e4a1c63b97a80bb6f8d9c66326a

SHA256
f6a6c196e11bf933acae864498638525111f6ccf2ef075a1d73bd89149df5a28

SHA512
9b62dea00ed4b1a115b4713ae8fbd2afd4340dc0df97a8f314f4ac75973308547181aa40aad960c7a0ee20df2ef015c352a1a35d5bff4690dba46a7c22547ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7ec87e5-ec70-40fb-b25d-4f11c4fd7773.vbs

Filesize
709B

MD5
e6a411c15faeffb0496ea758a6a163cc

SHA1
c89e1084c11742a8b7a55b047986dd02c4c61204

SHA256
119986cffeacfca76ba22b81fe31751515438c1752b67c5b06f28f6bdbb4eb2d

SHA512
518fdde5550665aac3672f5314b82776d8b5a943b0ea525d92fc30be547862cf9c53bfcf6536d5848f5f8c3238fe9582f583d6ae46da3e7dbde979f68de9d9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc2a0e75-20f5-42b7-94ea-ac3bfb3689d2.vbs

Filesize
709B

MD5
1d0d9531395ea1d37a89d2b9c8244f74

SHA1
f553f863d6b036a0b3f611fc66acca71f0a69cc2

SHA256
64e21515e510735d2c1d9b7145928be9b83d886d0c68f38a9b9e8fda9e9ece61

SHA512
4e5ef7d200ad0a3cda84f7f2d8779c9353d7707e31962fc75b5f7a0ff5e98731210e037739d57bdc3915f5974e8b6c9febb0123cfaa65ac25a3c5bee2203ef2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\de9bd052-b1f4-4706-a94a-bab1b36cc5f6.vbs

Filesize
709B

MD5
e5fc3c2f5fbdac3e5fbd6f30ef60120c

SHA1
dbe4933edbd7dde198736c79319390b4d75185d4

SHA256
08120e4726d17f5307b2820a652803c4cafeff503741c94dc099258ed729a976

SHA512
3bba63aad5977d3229613863eea923a7c835f78578a77cc424ba936d13ee14e98b746a652a0d6bc4bcbb13ac015fa2d7981b4a2402dad66de70e0a4ea803c303

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsfnqqPpMo.bat

Filesize
198B

MD5
df95c45a7e2d7e30edfc345467c2313e

SHA1
ae95eef47e967f23c92d83ddd463002504144c4b

SHA256
aa191098c20d7af77e28442b63cb6551f3b162b37247dad506a0bab0fcbd561b

SHA512
6ab625d57729ac9fcef94196fcf515e5dfa25cb79da796ef5705f8ca4eb7d584c247f1f424b9cc4f15a1d5c21e4581f2e616aba7b2cf6fcc76c054cca1b10cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFC2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8a275367ef33294e20b59b4250859492

SHA1
f6dc33319037259ef3737b85f3f0c13ea24ab8f7

SHA256
311b10937ad974e5a3f882d2cfd2f450ff1ba691189a5b59b3c01c6215de8bdc

SHA512
81c394f0b6d28477f944ecd0562f6a2538a4bc93296609e1d68da941c16b4c3026cdbbc543388218bbb71b4c0531f4d2ca87a2f3f54c2fbf211adcf82870f90c

Download Submit
memory/380-297-0x0000000000170000-0x0000000000664000-memory.dmp

Filesize
5.0MB

Download
memory/444-385-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/1064-12-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/1064-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1064-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1064-186-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1064-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1064-13-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/1064-1-0x0000000000C00000-0x00000000010F4000-memory.dmp

Filesize
5.0MB

Download
memory/1064-11-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/1064-5-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/1064-146-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1064-138-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1064-10-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1064-3-0x000000001B7C0000-0x000000001B8EE000-memory.dmp

Filesize
1.2MB

Download
memory/1064-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/1064-9-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1064-4-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/1064-8-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1064-6-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/1064-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1064-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1736-267-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1736-266-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/2244-216-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2244-222-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2336-327-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2364-282-0x00000000012D0000-0x00000000017C4000-memory.dmp

Filesize
5.0MB

Download
memory/2396-312-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download
memory/2424-370-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2796-252-0x0000000000810000-0x0000000000D04000-memory.dmp

Filesize
5.0MB

Download