dcrat | c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/12/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Size

2.8MB
MD5

2021a9779c45f35a46b1b28f2e9136fa
SHA1

76e03dfcc8732388fad4fd83b72b34cad50786ca
SHA256

c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a
SHA512

5fc1617b672c308df2116cbfcd08e6d6b1c4969c3399dd9eb4c6d12a08bac23ac897c76de20cb1730fe44b50cf2bb840b11332f01f016ca1d4d6ab1bbdd19116
SSDEEP

49152:7CFujkASUPVAIsINt8BCt3GSHBZTz0uBHTNS/lhv+8PUkYH4j:GFixPV9s4CqWQbzB+dc8BJj

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2712	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2288-1-0x0000000000190000-0x000000000045C000-memory.dmp	dcrat
behavioral1/files/0x000600000001752f-34.dat	dcrat
behavioral1/memory/2488-166-0x0000000001300000-0x00000000015CC000-memory.dmp	dcrat
behavioral1/memory/1904-234-0x0000000000340000-0x000000000060C000-memory.dmp	dcrat
behavioral1/memory/2784-246-0x0000000000120000-0x00000000003EC000-memory.dmp	dcrat
behavioral1/memory/2100-258-0x0000000000180000-0x000000000044C000-memory.dmp	dcrat
behavioral1/memory/1140-271-0x00000000001B0000-0x000000000047C000-memory.dmp	dcrat
behavioral1/memory/2156-284-0x0000000000F00000-0x00000000011CC000-memory.dmp	dcrat
behavioral1/memory/2128-297-0x0000000001100000-0x00000000013CC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2840	powershell.exe
3048	powershell.exe
2828	powershell.exe
2764	powershell.exe
2012	powershell.exe
2668	powershell.exe
2780	powershell.exe
236	powershell.exe
2796	powershell.exe
2576	powershell.exe
2736	powershell.exe
2388	powershell.exe
2584	powershell.exe
2572	powershell.exe
2824	powershell.exe
2620	powershell.exe
332	powershell.exe
2564	powershell.exe
1988	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
808	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2720	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2592	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2208	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2244	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
1904	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2784	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2100	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
1140	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2156	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2128	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\it-IT\f3b6ecef712a24	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\f3b6ecef712a24	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows Sidebar\de-DE\Idle.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows Mail\fr-FR\886983d96e3d3e	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows Sidebar\de-DE\6ccacd8608530f	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\24dbde2999530e	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Idle.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\6ccacd8608530f	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Google\5940a34987c991	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\886983d96e3d3e	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Windows Mail\fr-FR\csrss.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
File created	C:\Program Files\Google\dllhost.exe	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2332	schtasks.exe
1828	schtasks.exe
1232	schtasks.exe
1744	schtasks.exe
2328	schtasks.exe
2856	schtasks.exe
3008	schtasks.exe
2028	schtasks.exe
2228	schtasks.exe
2124	schtasks.exe
1464	schtasks.exe
1696	schtasks.exe
1492	schtasks.exe
264	schtasks.exe
2080	schtasks.exe
1736	schtasks.exe
2368	schtasks.exe
1472	schtasks.exe
1040	schtasks.exe
2240	schtasks.exe
1576	schtasks.exe
1676	schtasks.exe
1140	schtasks.exe
2172	schtasks.exe
1684	schtasks.exe
1728	schtasks.exe
1424	schtasks.exe
2460	schtasks.exe
2252	schtasks.exe
2444	schtasks.exe
2608	schtasks.exe
544	schtasks.exe
408	schtasks.exe
1796	schtasks.exe
2224	schtasks.exe
2464	schtasks.exe
1924	schtasks.exe
2560	schtasks.exe
3064	schtasks.exe
2384	schtasks.exe
2812	schtasks.exe
1308	schtasks.exe
888	schtasks.exe
680	schtasks.exe
1752	schtasks.exe
2516	schtasks.exe
2032	schtasks.exe
2000	schtasks.exe
576	schtasks.exe
1248	schtasks.exe
2244	schtasks.exe
1980	schtasks.exe
2876	schtasks.exe
348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
1988	powershell.exe
2824	powershell.exe
2736	powershell.exe
2796	powershell.exe
2388	powershell.exe
2564	powershell.exe
3048	powershell.exe
2840	powershell.exe
236	powershell.exe
2012	powershell.exe
2620	powershell.exe
332	powershell.exe
2764	powershell.exe
2576	powershell.exe
2668	powershell.exe
2584	powershell.exe
2828	powershell.exe
2780	powershell.exe
2572	powershell.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2488	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	808	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2720	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2592	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2208	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2244	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	1904	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2784	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2100	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	1140	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2156	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Token: SeDebugPrivilege	2128	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2764	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	85
PID 2288 wrote to memory of 2764	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	85
PID 2288 wrote to memory of 2764	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	85
PID 2288 wrote to memory of 2736	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	86
PID 2288 wrote to memory of 2736	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	86
PID 2288 wrote to memory of 2736	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	86
PID 2288 wrote to memory of 2012	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	87
PID 2288 wrote to memory of 2012	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	87
PID 2288 wrote to memory of 2012	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	87
PID 2288 wrote to memory of 2668	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	88
PID 2288 wrote to memory of 2668	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	88
PID 2288 wrote to memory of 2668	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	88
PID 2288 wrote to memory of 2840	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	89
PID 2288 wrote to memory of 2840	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	89
PID 2288 wrote to memory of 2840	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	89
PID 2288 wrote to memory of 2824	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	90
PID 2288 wrote to memory of 2824	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	90
PID 2288 wrote to memory of 2824	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	90
PID 2288 wrote to memory of 1988	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	91
PID 2288 wrote to memory of 1988	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	91
PID 2288 wrote to memory of 1988	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	91
PID 2288 wrote to memory of 2828	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	92
PID 2288 wrote to memory of 2828	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	92
PID 2288 wrote to memory of 2828	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	92
PID 2288 wrote to memory of 2576	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	93
PID 2288 wrote to memory of 2576	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	93
PID 2288 wrote to memory of 2576	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	93
PID 2288 wrote to memory of 2796	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	94
PID 2288 wrote to memory of 2796	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	94
PID 2288 wrote to memory of 2796	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	94
PID 2288 wrote to memory of 2564	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	95
PID 2288 wrote to memory of 2564	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	95
PID 2288 wrote to memory of 2564	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	95
PID 2288 wrote to memory of 2584	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	98
PID 2288 wrote to memory of 2584	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	98
PID 2288 wrote to memory of 2584	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	98
PID 2288 wrote to memory of 2620	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	99
PID 2288 wrote to memory of 2620	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	99
PID 2288 wrote to memory of 2620	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	99
PID 2288 wrote to memory of 2388	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	100
PID 2288 wrote to memory of 2388	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	100
PID 2288 wrote to memory of 2388	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	100
PID 2288 wrote to memory of 3048	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	101
PID 2288 wrote to memory of 3048	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	101
PID 2288 wrote to memory of 3048	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	101
PID 2288 wrote to memory of 2780	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	102
PID 2288 wrote to memory of 2780	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	102
PID 2288 wrote to memory of 2780	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	102
PID 2288 wrote to memory of 332	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	103
PID 2288 wrote to memory of 332	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	103
PID 2288 wrote to memory of 332	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	103
PID 2288 wrote to memory of 236	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	104
PID 2288 wrote to memory of 236	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	104
PID 2288 wrote to memory of 236	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	104
PID 2288 wrote to memory of 2572	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	106
PID 2288 wrote to memory of 2572	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	106
PID 2288 wrote to memory of 2572	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	106
PID 2288 wrote to memory of 1976	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	123
PID 2288 wrote to memory of 1976	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	123
PID 2288 wrote to memory of 1976	2288	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe	123
PID 1976 wrote to memory of 2020	1976	cmd.exe	125
PID 1976 wrote to memory of 2020	1976	cmd.exe	125
PID 1976 wrote to memory of 2020	1976	cmd.exe	125
PID 1976 wrote to memory of 2488	1976	cmd.exe	126

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
"C:\Users\Admin\AppData\Local\Temp\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k0fexNOnTw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2020
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2488
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\435c4390-2c40-47ee-83f3-eee9ef5ae6c2.vbs"
      4⤵
      PID:2304
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:808
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca65cfd9-0282-417a-aa3a-ff35a57d8349.vbs"
        6⤵
        
        PID:1476
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e07afcb-8873-409b-bb71-f8aee7824cd8.vbs"
        8⤵
        
        PID:2604
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f663b0-8673-4f0e-9e69-b5f2e951ee39.vbs"
        10⤵
        
        PID:700
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7657e16-b199-4f75-bd5b-a159496667a2.vbs"
        12⤵
        
        PID:976
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ba58e00-26df-4647-8607-1a6fc2456c4d.vbs"
        14⤵
        
        PID:408
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d037d95-507c-4a7e-85b8-2b1a9a7dc635.vbs"
        16⤵
        
        PID:2568
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70a382d7-7b0c-43f8-b964-f2623d7be12b.vbs"
        18⤵
        
        PID:1308
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f88f48-a7c8-4477-834f-18ea7109c959.vbs"
        20⤵
        
        PID:1548
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94148fd0-e32e-4fb9-b6cd-42d08ddb0b9c.vbs"
        22⤵
        
        PID:2452
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee2166ac-e0d0-40f2-a8dd-e5340852e3bf.vbs"
        24⤵
        
        PID:2860
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d69d1ef8-7145-4b0a-aecf-fcaf4bbbd250.vbs"
        26⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34bacdca-543a-4191-b911-efce30d63d1a.vbs"
        26⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8eeb440-1062-4375-85cf-1122c0b6b580.vbs"
        24⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\909f31b0-a891-453c-958f-4526292b0e13.vbs"
        22⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bee4624a-fc1a-473e-9c64-a27533b44535.vbs"
        20⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9475b6fb-6c50-4f97-a414-3ae2b420bec3.vbs"
        18⤵
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00381f04-325c-4d0c-adac-600623c84f11.vbs"
        16⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9337f304-59fc-40eb-9b9f-ebc35d5a740c.vbs"
        14⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c1a605-be5c-4b9d-801b-3ac278b0396c.vbs"
        12⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f24ff575-8928-403b-868b-1cdc2ed511e7.vbs"
        10⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa1aab4-2cf8-45b5-a591-4f667c408984.vbs"
        8⤵
        
        PID:1468
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4341a501-8a00-4ef4-a261-40a27df2ba63.vbs"
        6⤵
        
        PID:844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cece5e-3519-4ace-860a-56f194a6d1d4.vbs"
      4⤵
      PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01ac" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01ac" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe

Filesize
2.8MB

MD5
2021a9779c45f35a46b1b28f2e9136fa

SHA1
76e03dfcc8732388fad4fd83b72b34cad50786ca

SHA256
c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a

SHA512
5fc1617b672c308df2116cbfcd08e6d6b1c4969c3399dd9eb4c6d12a08bac23ac897c76de20cb1730fe44b50cf2bb840b11332f01f016ca1d4d6ab1bbdd19116

Download Submit
C:\Users\Admin\AppData\Local\Temp\25cece5e-3519-4ace-860a-56f194a6d1d4.vbs

Filesize
596B

MD5
77084a557320973225129db17e84df97

SHA1
7d90a53bdd26828501c50fa8abd375c996f56f67

SHA256
4efcd3c38ff676f01a66c3bbc127887fa1b9a7c3f695538c906ee4bac2435b0a

SHA512
f0b93a8e29aa88ad821c2b03482cdd725ec6b03ef18e33a0c4f081b8504713716d022c06e701fb257dfe55a0d24139fa77f84a7adba0425b3be560d33e363cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\435c4390-2c40-47ee-83f3-eee9ef5ae6c2.vbs

Filesize
820B

MD5
35290067a44e0989d8d8b3cfbbd6fd9d

SHA1
03cb899b701f54c8d533faef9adc068f1361c190

SHA256
ec4c7873cc1325ef362dca974a78106dc889223a305238766f3bbd86eda41e36

SHA512
dc93acbac1864cee70b29969153ba3e0605e853924a207f0b56d3db20e59c68b08e54f5e79dc31639abbcdb22e2c6a073137efa0b60e6853546fb46e7026e4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e07afcb-8873-409b-bb71-f8aee7824cd8.vbs

Filesize
820B

MD5
023c6d8531278da7cb9191e018ca5d6e

SHA1
c881317e2198d398324b3e0318fd05d84f679b53

SHA256
3b90ecec0b61d1680ebda85a7fb7776da513c5ba61c6cf2e959bef229564dd57

SHA512
5add4d3c7136b83de685e0ee335365a3e0afdf3a4a746bdf986f3a3067f2531fb0399a134a770d282ced7861de0f1e7f81bdcb3ffe18163fab5065c7323268e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\70a382d7-7b0c-43f8-b964-f2623d7be12b.vbs

Filesize
820B

MD5
0acdfc5e96da54c66e58e422938c0da0

SHA1
61a9c981ce97b0d27667d21a815b05cbada7f604

SHA256
a4664a038c82297d3adcd7bf6c423c80a2eb7060eeac2548bd83d5d03a8c00f2

SHA512
fdc9681bffe1e31457eccf9162b6a73d6b35d4b42e79ee7c8cf2feeff559b97216d47383df8eed6e65ab3d87cdf92bc336fac2e0cf26df537d06befa65b78658

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d037d95-507c-4a7e-85b8-2b1a9a7dc635.vbs

Filesize
820B

MD5
9eeeee631943d5b6755ee1a96227bfb4

SHA1
5757dd23de01306e4e7f460d4640b30ebc764388

SHA256
c882f5c5606d047832a462a292da0f1d8a43cc30406e50b8c269fbef5ef4067d

SHA512
637cfd4012fc2d1a9b52e25282c6a0983e00e0dba9ceed28ccd8b1792bfea40be9b23dec645ddcac9ccb7d0a97251ceb8313337f66284796e84646f061bdd7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ba58e00-26df-4647-8607-1a6fc2456c4d.vbs

Filesize
820B

MD5
a79ad99d7504f1448e532d542431e963

SHA1
6596b3447792884f43034aa45e1a77522727144a

SHA256
8aa3b0f72785db4d67047cfa15ee87ffab7d39c5adaee18d9634624c9c1c26d4

SHA512
5216453acd54f13ac0b8215f7e6133628c1e17706f39103740cda47f2a3252974f889b4b85adf52708da8e30e34d1c86a0d07b1a79a2d2d1573b786a7e06564e

Download Submit
C:\Users\Admin\AppData\Local\Temp\94148fd0-e32e-4fb9-b6cd-42d08ddb0b9c.vbs

Filesize
820B

MD5
02a176c19dc968376e5b71e1cf3c28a1

SHA1
481f22e14f0e0715e60cbd6b948d24864286431f

SHA256
cc27cae82d856b2be58b9493d3265ca016b67062a5f4adc58ed65f86598d7b02

SHA512
81cf03e2e6568446d76f7fcc02011684825f9ded9b802bdcb7bc9236992ea1f952aa2e38fb521e43f045cf61eba5eec556a34829772d3f4c05dc859068e2a07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7657e16-b199-4f75-bd5b-a159496667a2.vbs

Filesize
820B

MD5
3c9d8916a985a32783e406a56d5e2843

SHA1
dc39ac349a2c93c21131aeb87b9ad437e29d6fbb

SHA256
9570994ed2009faaa552a271190c1377d3e046eef62f6e0c70d85fc86c085665

SHA512
5f6cbe8a2055f5373b2cb96756f47ab21c8d3dc5eb9cf16e6a7e11714bf7ca7b8d1691c8538705072d28512221dfbc9d74eb370850499f60514237250e8363db

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9f663b0-8673-4f0e-9e69-b5f2e951ee39.vbs

Filesize
820B

MD5
442c9c8a734fbaa883d1a6480abbb4cb

SHA1
f7f0c16fff88cf9de3c6b36cd397aef73bdd22ce

SHA256
c5b464fc1942f46b6ac35d2eaab558aed312bd95457e9ecd65ff8b77a9bca641

SHA512
7278d5209435c0f55505d17bc346cfb06b10f879653b6071e6eb8052283ab74f4080f385d753ce151a929b795e89743859edd5b5d2169a64b14ea7f0f01f0642

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca65cfd9-0282-417a-aa3a-ff35a57d8349.vbs

Filesize
819B

MD5
5790ade09d676e8438e0daa47428aaef

SHA1
492455e6a6fba33b7c6d3327156cd7cdd15c5aa3

SHA256
d11ab03f1c94a4208bb0062c0600d37113bbf88a182e08969dcd6d30a513aebd

SHA512
2fc7a967a5a5b167a7cfb7c5b08cffdb29c903b91adec2d1e2691f8ec593d23051b8fba0861880ace042c820c179a9328640b77e35a2a2a4131951e5f43de9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d69d1ef8-7145-4b0a-aecf-fcaf4bbbd250.vbs

Filesize
820B

MD5
49a0b805d03ad5f4c29e663916103e5d

SHA1
df47031a56359d5d2a555743ae83da2b647e800b

SHA256
bfa74ddd7e3600e819dc74de6c42ab2b8d52001b6c8dbf1874693139784e2465

SHA512
07bcc3488d09355b7ec390d9d15554822947090a5f0830e67dc255620e525cf334fe07782034136d32f473da01e05e8be8cf6ed8c833a95aea249a8cce5e9058

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee2166ac-e0d0-40f2-a8dd-e5340852e3bf.vbs

Filesize
820B

MD5
14528e35b0ea5cd0f0a642f4bc187034

SHA1
7bdb7105908cd085ad71b6a73f82055ffdeb23fd

SHA256
2ad7db19daed29d92fe3535a2641ffa49b1027d1d7cca1b453edf01d5f440826

SHA512
68a521d3e270d3a6c6cfa72cfaa254d276e570c342d0f3023c74e2bc5f7bfdb8de37baf920e99846ecfc48a54dcbdafd6d781017f23d6af39702c2ec2b64db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2f88f48-a7c8-4477-834f-18ea7109c959.vbs

Filesize
820B

MD5
e9c09afa444cf18c22e9609c2bd58696

SHA1
61ef3b50a46235feb49ae65d0bde8736033796f7

SHA256
9a5616d6c1facfbf185a060f96627b21d530ea3c61accc12f36177d2267fa35c

SHA512
41d3e2a348b2212f624b9f2655cec8f63156b7646e486a8198f20dde9f574d3f2d569407d06f82725077c4ed5add0a18dbcd0ceda58a1ffd8a6a6954b30c68ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0fexNOnTw.bat

Filesize
309B

MD5
a9327de762d61fbbfbcc230b8623d0f7

SHA1
81bae1aa0b262e7fb09b9f2d84f7fdbcae10cb3a

SHA256
d8de8785527cb53f01817b1becc706284168874ed538f61a01d8d43e505ea77d

SHA512
25f8b3ec4d307d57de24d9ef4ece67ac93002d316fbe28134d586aae5ee50bd4c26200423f0a9365d213281aeeee374f901ce68f2e9be93b553289ca9b335565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e325e974cfa55639da53358cb26488a9

SHA1
ad30e5f255365dbbdfa352a2f7a9296f24a1fade

SHA256
e08c3e84670bd2fdd24280571bee210800b3f30095a7f1704a1577aef5dcd8a7

SHA512
2f1f8c14174288192bf8017b48df7164c893e4aeff3ddbf05caef8e273dca9251cdbebe937866aa9fa496687df8781d48a0eeaec615eb8f8745b7219b7d4b5db

Download Submit
memory/808-178-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/1140-271-0x00000000001B0000-0x000000000047C000-memory.dmp

Filesize
2.8MB

Download
memory/1140-272-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1904-234-0x0000000000340000-0x000000000060C000-memory.dmp

Filesize
2.8MB

Download
memory/1988-71-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1988-72-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2100-259-0x000000001AE70000-0x000000001AEC6000-memory.dmp

Filesize
344KB

Download
memory/2100-258-0x0000000000180000-0x000000000044C000-memory.dmp

Filesize
2.8MB

Download
memory/2128-297-0x0000000001100000-0x00000000013CC000-memory.dmp

Filesize
2.8MB

Download
memory/2156-285-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2156-284-0x0000000000F00000-0x00000000011CC000-memory.dmp

Filesize
2.8MB

Download
memory/2288-12-0x0000000002600000-0x000000000260C000-memory.dmp

Filesize
48KB

Download
memory/2288-9-0x0000000002400000-0x000000000240A000-memory.dmp

Filesize
40KB

Download
memory/2288-20-0x0000000002690000-0x000000000269A000-memory.dmp

Filesize
40KB

Download
memory/2288-18-0x0000000002680000-0x000000000268C000-memory.dmp

Filesize
48KB

Download
memory/2288-154-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-1-0x0000000000190000-0x000000000045C000-memory.dmp

Filesize
2.8MB

Download
memory/2288-23-0x000000001AAD0000-0x000000001AADA000-memory.dmp

Filesize
40KB

Download
memory/2288-16-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2288-17-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/2288-15-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download
memory/2288-14-0x0000000002620000-0x0000000002632000-memory.dmp

Filesize
72KB

Download
memory/2288-13-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2288-19-0x000000001AAA0000-0x000000001AAA8000-memory.dmp

Filesize
32KB

Download
memory/2288-11-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2288-10-0x0000000002410000-0x0000000002466000-memory.dmp

Filesize
344KB

Download
memory/2288-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/2288-8-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2288-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-7-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/2288-21-0x000000001AAB0000-0x000000001AABE000-memory.dmp

Filesize
56KB

Download
memory/2288-27-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-5-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/2288-6-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2288-4-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2288-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2288-24-0x000000001AAE0000-0x000000001AAEC000-memory.dmp

Filesize
48KB

Download
memory/2288-22-0x000000001AAC0000-0x000000001AAC8000-memory.dmp

Filesize
32KB

Download
memory/2488-167-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/2488-166-0x0000000001300000-0x00000000015CC000-memory.dmp

Filesize
2.8MB

Download
memory/2784-246-0x0000000000120000-0x00000000003EC000-memory.dmp

Filesize
2.8MB

Download