dcrat | 91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d

Resubmissions

13/01/2025, 04:14

250113-etqtlaxqfm 10

12/01/2025, 14:01

250112-rbjc1svmhs 10

Analysis

max time kernel
896s
max time network
901s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Size

4.2MB
MD5

d49f9a9a6f4d5c60ae2c35aafe7d105a
SHA1

8a192f01c06d2b67437c8789bdf564864d11eefc
SHA256

91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d
SHA512

fc90ac8848cbc7231bbe6d1c4e974f375d5af137a157d2553e516059270748f5162c1ea51f282850d4572eef6956fc8e6e9cead1a105286c712251ff43d1a440
SSDEEP

98304:hbE+vSZLE4Cj/L7gHNchtcv4zTk24eDeRRXcaiJ:hw+KL6fwscQTk24eWRXhY

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1904	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1904	schtasks.exe	35

UAC bypass 3 TTPs 51 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 26 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-9.dat	dcrat
behavioral1/memory/3040-13-0x0000000001280000-0x0000000001634000-memory.dmp	dcrat
behavioral1/memory/1756-71-0x0000000000210000-0x00000000005C4000-memory.dmp	dcrat
behavioral1/memory/1700-83-0x0000000000920000-0x0000000000CD4000-memory.dmp	dcrat
behavioral1/memory/2488-95-0x0000000000AA0000-0x0000000000E54000-memory.dmp	dcrat
behavioral1/memory/2884-107-0x0000000000D70000-0x0000000001124000-memory.dmp	dcrat
behavioral1/memory/1816-119-0x0000000000F00000-0x00000000012B4000-memory.dmp	dcrat
behavioral1/memory/1796-157-0x00000000000E0000-0x0000000000494000-memory.dmp	dcrat
behavioral1/memory/1592-176-0x0000000000080000-0x0000000000434000-memory.dmp	dcrat
behavioral1/memory/1664-178-0x0000000000D80000-0x0000000001134000-memory.dmp	dcrat
behavioral1/memory/2920-179-0x0000000000150000-0x0000000000504000-memory.dmp	dcrat
behavioral1/memory/2488-181-0x0000000000350000-0x0000000000704000-memory.dmp	dcrat
behavioral1/memory/2736-196-0x0000000000B40000-0x0000000000EF4000-memory.dmp	dcrat
behavioral1/memory/2828-198-0x0000000000C50000-0x0000000001004000-memory.dmp	dcrat
behavioral1/memory/2920-211-0x0000000000380000-0x0000000000734000-memory.dmp	dcrat
behavioral1/memory/1068-213-0x0000000000170000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/2432-226-0x0000000000260000-0x0000000000614000-memory.dmp	dcrat
behavioral1/memory/1612-227-0x00000000008F0000-0x0000000000CA4000-memory.dmp	dcrat
behavioral1/memory/1796-228-0x0000000000B20000-0x0000000000ED4000-memory.dmp	dcrat
behavioral1/memory/2332-229-0x0000000000F20000-0x00000000012D4000-memory.dmp	dcrat
behavioral1/memory/2752-246-0x0000000001150000-0x0000000001504000-memory.dmp	dcrat
behavioral1/memory/2596-255-0x0000000000F50000-0x0000000001304000-memory.dmp	dcrat
behavioral1/memory/2904-256-0x00000000002D0000-0x0000000000684000-memory.dmp	dcrat
behavioral1/memory/1496-257-0x0000000000050000-0x0000000000404000-memory.dmp	dcrat
behavioral1/memory/1088-258-0x0000000000DE0000-0x0000000001194000-memory.dmp	dcrat
behavioral1/memory/988-266-0x00000000001F0000-0x00000000005A4000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 30 IoCs

pid	Process
3040	ComProviderreview.exe
1756	lsass.exe
1700	lsass.exe
2488	lsass.exe
2884	lsass.exe
1816	lsass.exe
2684	lsass.exe
2332	lsass.exe
1796	Idle.exe
2868	lsass.exe
1592	csrss.exe
1664	wininit.exe
2920	dwm.exe
2488	lsass.exe
2736	services.exe
2828	lsass.exe
2920	taskhost.exe
1068	lsass.exe
2432	ComProviderreview.exe
1612	explorer.exe
1796	WmiPrvSE.exe
2332	lsass.exe
1080	lsass.exe
2752	lsass.exe
2596	winlogon.exe
1496	System.exe
1088	Idle.exe
2904	lsass.exe
772	lsass.exe
988	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
536	cmd.exe
536	cmd.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\taskhost.exe	ComProviderreview.exe
File created	C:\Program Files\7-Zip\b75386f1303e64	ComProviderreview.exe
File created	C:\Program Files\VideoLAN\VLC\skins\lsass.exe	ComProviderreview.exe
File created	C:\Program Files\VideoLAN\VLC\skins\6203df4a6bafc7	ComProviderreview.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\csrss.exe	ComProviderreview.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\886983d96e3d3e	ComProviderreview.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Panther\setup.exe\56085415360792	ComProviderreview.exe
File created	C:\Windows\inf\it-IT\ComProviderreview.exe	ComProviderreview.exe
File created	C:\Windows\inf\it-IT\ce5be687612851	ComProviderreview.exe
File created	C:\Windows\PCHEALTH\WmiPrvSE.exe	ComProviderreview.exe
File created	C:\Windows\PCHEALTH\24dbde2999530e	ComProviderreview.exe
File created	C:\Windows\Panther\setup.exe\wininit.exe	ComProviderreview.exe
File opened for modification	C:\Windows\Panther\setup.exe\wininit.exe	ComProviderreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2232	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2316	schtasks.exe
3028	schtasks.exe
2544	schtasks.exe
2388	schtasks.exe
692	schtasks.exe
1188	schtasks.exe
1988	schtasks.exe
108	schtasks.exe
1816	schtasks.exe
1912	schtasks.exe
2136	schtasks.exe
2028	schtasks.exe
2960	schtasks.exe
1696	schtasks.exe
1928	schtasks.exe
992	schtasks.exe
1088	schtasks.exe
2492	schtasks.exe
2284	schtasks.exe
2568	schtasks.exe
3016	schtasks.exe
820	schtasks.exe
2080	schtasks.exe
1644	schtasks.exe
2236	schtasks.exe
1344	schtasks.exe
1968	schtasks.exe
896	schtasks.exe
1760	schtasks.exe
1956	schtasks.exe
2020	schtasks.exe
2008	schtasks.exe
2988	schtasks.exe
612	schtasks.exe
960	schtasks.exe
2272	schtasks.exe
2508	schtasks.exe
2692	schtasks.exe
2724	schtasks.exe
1064	schtasks.exe
1784	schtasks.exe
1736	schtasks.exe
1432	schtasks.exe
2164	schtasks.exe
2264	schtasks.exe
2652	schtasks.exe
1192	schtasks.exe
1576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3040	ComProviderreview.exe
3040	ComProviderreview.exe
3040	ComProviderreview.exe
1756	lsass.exe
1700	lsass.exe
2488	lsass.exe
2884	lsass.exe
1816	lsass.exe
2684	lsass.exe
2332	lsass.exe
2868	lsass.exe
2488	lsass.exe
2828	lsass.exe
1068	lsass.exe
2332	lsass.exe
1080	lsass.exe
2752	lsass.exe
2596	winlogon.exe
988	winlogon.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	ComProviderreview.exe
Token: SeDebugPrivilege	1756	lsass.exe
Token: SeDebugPrivilege	1700	lsass.exe
Token: SeDebugPrivilege	2488	lsass.exe
Token: SeDebugPrivilege	2884	lsass.exe
Token: SeDebugPrivilege	1816	lsass.exe
Token: SeDebugPrivilege	2684	lsass.exe
Token: SeDebugPrivilege	2332	lsass.exe
Token: SeDebugPrivilege	1796	Idle.exe
Token: SeDebugPrivilege	2868	lsass.exe
Token: SeDebugPrivilege	2920	dwm.exe
Token: SeDebugPrivilege	1592	csrss.exe
Token: SeDebugPrivilege	1664	wininit.exe
Token: SeDebugPrivilege	2488	lsass.exe
Token: SeDebugPrivilege	2736	services.exe
Token: SeDebugPrivilege	2828	lsass.exe
Token: SeDebugPrivilege	2920	taskhost.exe
Token: SeDebugPrivilege	1068	lsass.exe
Token: SeDebugPrivilege	2432	ComProviderreview.exe
Token: SeDebugPrivilege	1612	explorer.exe
Token: SeDebugPrivilege	1796	WmiPrvSE.exe
Token: SeDebugPrivilege	2332	lsass.exe
Token: SeDebugPrivilege	1080	lsass.exe
Token: SeDebugPrivilege	2752	lsass.exe
Token: SeDebugPrivilege	2596	winlogon.exe
Token: SeDebugPrivilege	1496	System.exe
Token: SeDebugPrivilege	2904	lsass.exe
Token: SeDebugPrivilege	1088	Idle.exe
Token: SeDebugPrivilege	772	lsass.exe
Token: SeDebugPrivilege	988	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1756	2060	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	30
PID 2060 wrote to memory of 1756	2060	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	30
PID 2060 wrote to memory of 1756	2060	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	30
PID 2060 wrote to memory of 1756	2060	d49f9a9a6f4d5c60ae2c35aafe7d105a.exe	30
PID 1756 wrote to memory of 536	1756	WScript.exe	31
PID 1756 wrote to memory of 536	1756	WScript.exe	31
PID 1756 wrote to memory of 536	1756	WScript.exe	31
PID 1756 wrote to memory of 536	1756	WScript.exe	31
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 3040 wrote to memory of 1756	3040	ComProviderreview.exe	84
PID 3040 wrote to memory of 1756	3040	ComProviderreview.exe	84
PID 3040 wrote to memory of 1756	3040	ComProviderreview.exe	84
PID 536 wrote to memory of 2232	536	cmd.exe	85
PID 536 wrote to memory of 2232	536	cmd.exe	85
PID 536 wrote to memory of 2232	536	cmd.exe	85
PID 536 wrote to memory of 2232	536	cmd.exe	85
PID 1756 wrote to memory of 2340	1756	lsass.exe	86
PID 1756 wrote to memory of 2340	1756	lsass.exe	86
PID 1756 wrote to memory of 2340	1756	lsass.exe	86
PID 1756 wrote to memory of 1888	1756	lsass.exe	87
PID 1756 wrote to memory of 1888	1756	lsass.exe	87
PID 1756 wrote to memory of 1888	1756	lsass.exe	87
PID 2340 wrote to memory of 1700	2340	WScript.exe	88
PID 2340 wrote to memory of 1700	2340	WScript.exe	88
PID 2340 wrote to memory of 1700	2340	WScript.exe	88
PID 1700 wrote to memory of 1312	1700	lsass.exe	89
PID 1700 wrote to memory of 1312	1700	lsass.exe	89
PID 1700 wrote to memory of 1312	1700	lsass.exe	89
PID 1700 wrote to memory of 1148	1700	lsass.exe	90
PID 1700 wrote to memory of 1148	1700	lsass.exe	90
PID 1700 wrote to memory of 1148	1700	lsass.exe	90
PID 1312 wrote to memory of 2488	1312	WScript.exe	91
PID 1312 wrote to memory of 2488	1312	WScript.exe	91
PID 1312 wrote to memory of 2488	1312	WScript.exe	91
PID 2488 wrote to memory of 1724	2488	lsass.exe	92
PID 2488 wrote to memory of 1724	2488	lsass.exe	92
PID 2488 wrote to memory of 1724	2488	lsass.exe	92
PID 2488 wrote to memory of 1912	2488	lsass.exe	93
PID 2488 wrote to memory of 1912	2488	lsass.exe	93
PID 2488 wrote to memory of 1912	2488	lsass.exe	93
PID 1724 wrote to memory of 2884	1724	WScript.exe	94
PID 1724 wrote to memory of 2884	1724	WScript.exe	94
PID 1724 wrote to memory of 2884	1724	WScript.exe	94
PID 2884 wrote to memory of 1196	2884	lsass.exe	95
PID 2884 wrote to memory of 1196	2884	lsass.exe	95
PID 2884 wrote to memory of 1196	2884	lsass.exe	95
PID 2884 wrote to memory of 2856	2884	lsass.exe	96
PID 2884 wrote to memory of 2856	2884	lsass.exe	96
PID 2884 wrote to memory of 2856	2884	lsass.exe	96
PID 1196 wrote to memory of 1816	1196	WScript.exe	97
PID 1196 wrote to memory of 1816	1196	WScript.exe	97
PID 1196 wrote to memory of 1816	1196	WScript.exe	97
PID 1816 wrote to memory of 2992	1816	lsass.exe	98
PID 1816 wrote to memory of 2992	1816	lsass.exe	98
PID 1816 wrote to memory of 2992	1816	lsass.exe	98
PID 1816 wrote to memory of 560	1816	lsass.exe	99
PID 1816 wrote to memory of 560	1816	lsass.exe	99
PID 1816 wrote to memory of 560	1816	lsass.exe	99
PID 2992 wrote to memory of 2684	2992	WScript.exe	100
PID 2992 wrote to memory of 2684	2992	WScript.exe	100
PID 2992 wrote to memory of 2684	2992	WScript.exe	100

System policy modification 1 TTPs 51 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComProviderreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d49f9a9a6f4d5c60ae2c35aafe7d105a.exe
C:\Users\Admin\AppData\Local\Temp\d49f9a9a6f4d5c60ae2c35aafe7d105a.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Bridgebrowserdriversession\8Q1TNfuIkORrb6IwpocDiochN.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Bridgebrowserdriversession\7RIlKJCBYDYjVU5Wl3rLZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Bridgebrowserdriversession\ComProviderreview.exe
      "C:\Bridgebrowserdriversession\ComProviderreview.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3040
    - - C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c409f90-6229-4a5b-9268-8137e8984850.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bbbc495-f677-4802-8d00-e40203b72682.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3954d3cb-ca36-42f5-83c5-86eb0ae711e4.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee131dba-c08a-4448-9803-5d48ec8a3a85.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a0d11c1-067d-4a14-b9a8-45d490c43fa2.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14a650aa-2d7d-45a5-a4c9-4ae9f1bd9b03.vbs"
        16⤵
        
        PID:1704
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5951ea2f-cbf3-450d-a1a9-79afe1484ade.vbs"
        18⤵
        
        PID:2020
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53d5c3b-4eca-4044-9c4b-2c3101a8fbf3.vbs"
        20⤵
        
        PID:772
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e5afd7e-5736-4693-91a8-065db5b5195d.vbs"
        22⤵
        
        PID:1064
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19ee0ee5-df7b-47fd-83fa-8fdeae7bde96.vbs"
        24⤵
        
        PID:2824
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4feed6-a377-421b-a1a2-5afd44df93bb.vbs"
        26⤵
        
        PID:3044
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\386db9bd-0dc7-4b16-8e61-aa7745f8201a.vbs"
        28⤵
        
        PID:2256
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0283cc6c-8d2e-4fbe-b54c-ab7d85690554.vbs"
        30⤵
        
        PID:2584
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        31⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\558112e2-28ee-4e5a-b86c-973be6a1715d.vbs"
        32⤵
        
        PID:2636
        
        C:\Program Files\VideoLAN\VLC\skins\lsass.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6ed0dd-acc2-4e65-9635-6062ac516d30.vbs"
        32⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50217020-7ce8-4dba-b906-d18a671a29df.vbs"
        30⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d0f7784-2db3-4fb4-aebb-e7e5d6d7bb97.vbs"
        28⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dfd3ef5-5e28-433f-b251-c01ea6589469.vbs"
        26⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\669463a4-2d1f-4d5d-bb1c-096f323e73dd.vbs"
        24⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2692a289-a036-454e-a40f-4d8a0986b897.vbs"
        22⤵
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\779d6387-f0e6-4caa-aa79-aafa407d7205.vbs"
        20⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\905c0d95-2931-4abe-ab5a-8f967316e92d.vbs"
        18⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d49bb112-f8d3-404b-9571-c8b4f796cbb1.vbs"
        16⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a123ccc8-ec6c-49d1-ae2b-53069626e303.vbs"
        14⤵
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd537a05-f9f8-4802-955a-dd5b324ff3fa.vbs"
        12⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6d27720-706b-4b08-8153-e2120d4219fe.vbs"
        10⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f259f789-de00-4e5c-bd33-3be1ab328d8f.vbs"
        8⤵
        
        PID:1148
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\904ab456-32ef-4384-ae35-6116f775ee22.vbs"
        6⤵
        
        PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\setup.exe\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\setup.exe\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Bridgebrowserdriversession\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Bridgebrowserdriversession\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Bridgebrowserdriversession\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComProviderreviewC" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\it-IT\ComProviderreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComProviderreview" /sc ONLOGON /tr "'C:\Windows\inf\it-IT\ComProviderreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComProviderreviewC" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\it-IT\ComProviderreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\taskeng.exe
taskeng.exe {6614827C-1A13-470B-A7CE-9FA5DBFFD4B6} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:1672
- C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
  C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\MSOCache\All Users\dwm.exe
  "C:\MSOCache\All Users\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\Panther\setup.exe\wininit.exe
  C:\Windows\Panther\setup.exe\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
  C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\inf\it-IT\ComProviderreview.exe
  C:\Windows\inf\it-IT\ComProviderreview.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\PCHEALTH\WmiPrvSE.exe
  C:\Windows\PCHEALTH\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
  C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\MSOCache\All Users\winlogon.exe
  "C:\MSOCache\All Users\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2596
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e5f3cf-9a57-4e11-8c02-f103e15b7ba4.vbs"
    3⤵
    PID:1768
  - - C:\MSOCache\All Users\winlogon.exe
      "C:\MSOCache\All Users\winlogon.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5de37d0-a5db-44af-80eb-d13ad3693fcf.vbs"
        5⤵
        
        PID:2992
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f826ebb-0931-40a1-9e09-7e5bca0a3f78.vbs"
        5⤵
        
        PID:2480
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5640cc7f-f090-4268-a131-32b8251ccdbc.vbs"
    3⤵
    PID:1240
- C:\Program Files\VideoLAN\VLC\skins\lsass.exe
  "C:\Program Files\VideoLAN\VLC\skins\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Bridgebrowserdriversession\System.exe
  C:\Bridgebrowserdriversession\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Bridgebrowserdriversession\7RIlKJCBYDYjVU5Wl3rLZ.bat

Filesize
165B

MD5
03feb686475df3981ff89eaf94c01678

SHA1
d03d6234af5825c397755fd67e32606bab6e7050

SHA256
38e603daba57e1db61b78fbca014e86b0273b43ec6a439d3c5b905679e949862

SHA512
5f277d8988d502373d1b6b723153dd6681f20cbde9d68165bd559a954f60406a1c06a0f583a52c568738becf843236f09b47d3500433bad7fe8363e58846659b

Download Submit
C:\Bridgebrowserdriversession\8Q1TNfuIkORrb6IwpocDiochN.vbe

Filesize
224B

MD5
1382f3e3f9f3a531c081f9216e1f3165

SHA1
63bb2176b3b553f2182fedc1b3e2bcdc33a4691b

SHA256
9f7893fd255de70e98053c1ce04106912a686d110b3ba1034c6690ba7870253d

SHA512
41ad75c7a21967f6463ae5b553088c82097f41aa0ba3ad19f0a65e25a1916e8dd2323e8b9e140170b55b025193d7d670a40b32b6b22ab83d0da4e058c11d9568

Download Submit
C:\Users\Admin\AppData\Local\Temp\14a650aa-2d7d-45a5-a4c9-4ae9f1bd9b03.vbs

Filesize
721B

MD5
5ac8833b466d7493b10aa37397510efc

SHA1
5a75544ed5ca5dc285177c6ee816e9aa93787ad9

SHA256
7c4a0a87104486aacf62e7926e54f136b62c7ca731152f318a059226f0ed5b58

SHA512
0c0f66707ed979f0de24b1bda104a5faaae6646294eaa6c0352973fa5d8041b1251d401cbf2f49afab21b5fbdae5596e1fdfa02703e8e87ad7299edab37aa09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19ee0ee5-df7b-47fd-83fa-8fdeae7bde96.vbs

Filesize
721B

MD5
327e00ea77d18e4cda697e7b237d9259

SHA1
335231dfc3e09f51fd185b65da71b1eaa30b4ccf

SHA256
72fb2a8054291c8861ea54ac26c4e6977bb6418c972164ee63624880ecfc9f23

SHA512
7c092aeb52c26bd0c6f8d19d8e86cb03e1cdbbb28a393ae6b2e820bbdc2d4cf476b433f5b96a586f8081fcf4d4b698cc64fce9fb1df4b4a3abb9dee8e30f3971

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a0d11c1-067d-4a14-b9a8-45d490c43fa2.vbs

Filesize
721B

MD5
ebf62bb095fde86a166b1f20f23f1cd1

SHA1
c6bdf50d53542dc10c5e011316eaf77546b0dc3b

SHA256
296f251873b4afb6537061472ab8b3720ece13536ce3c96f613a9ff00b630e0a

SHA512
2c56d52ce54f1721caccd122a195874193b6c009fc06142f26d1322ac693a814575507fca73609f9a6109a36a7efef04720b268a2a55d15330205dfef0cb636b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3954d3cb-ca36-42f5-83c5-86eb0ae711e4.vbs

Filesize
721B

MD5
6312beb11d1dfbb71f1dfaaedbdcd15d

SHA1
57fdfad2c5337b3c0c3173887f78f8f14821fed9

SHA256
823ef6908b591774e50cafb66514d3624015677422ffb53b33f618a99b574c2d

SHA512
3e2c14fb17a1ad67631cf5ec6470020450b2b71df91e8fc02d82a3208442d4ea7554d7e2d73bde96871c7dd1500a46144e30e126338ec89033d79a19d3a93c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c409f90-6229-4a5b-9268-8137e8984850.vbs

Filesize
721B

MD5
6b641f7de099f351d8844ac1a2feff6f

SHA1
c5d958a4a5cca76a47ce0a67733b1d866c8da5c4

SHA256
3361af75124810e37237e5e04fa72908327842279fe90655b3f56e1b9f345e56

SHA512
730348205d4e194a74b68d0802f05011072d881c2782f0ee1a1bef02eb8935fdb306b753f6e049aa1e289dba7a7a964fb2bd6f4975dc6ea8af005c7469f718d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5951ea2f-cbf3-450d-a1a9-79afe1484ade.vbs

Filesize
721B

MD5
5306fe037eed0056d374aaa805eaa19b

SHA1
86d0d677623848d6a2cc10ae14128989971a109b

SHA256
71d9c8e22b127bb094a95e323655eb45fde635e3db8e8b46b6edcf068ddde322

SHA512
5ff9e1cca1ebade11cbf64e224d5b640dd3be601e69996dcb023b12033d647683f03b211fe44966c74d3cff93a94495ce9695f558982efacf51e1a47de29f428

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f826ebb-0931-40a1-9e09-7e5bca0a3f78.vbs

Filesize
486B

MD5
17da78bfb6c62e0c6ca73c1b35c91e8a

SHA1
eba1ac52435eefd8c962e437b63743dbdc2a05b2

SHA256
ebb2d4f525377ce4daa757e3314f8bebb475a17edc392d2a8bf82e98a560b0ff

SHA512
11358333120722a7ff50d98fbeeef50346bd65bb9b40bce5fc4c9421ae21f52b6a734e09861e6111274bff5fdffa6e9ce73e7287a05e77f9f7ac3ab7f2119418

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bbbc495-f677-4802-8d00-e40203b72682.vbs

Filesize
721B

MD5
628126440e9176ca1c9bb1ce38116335

SHA1
67cbd8bc22e8f3a92692f0adb9b00c1dd1d36079

SHA256
8ce8fc3bf5fcce2b2f37c29f1f14e48aeda453d3951cc2cdb2aaf9ec5dabb23b

SHA512
b33b9e2c5e3df23abf7bbf546d43c2bd743cddf2a9261c27b7e3c607f89fb6b4fd5ede7ea2eaa4a661e22f1a6c9cba8cbbd3373acb77ad586bc1ce4963e3c81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\904ab456-32ef-4384-ae35-6116f775ee22.vbs

Filesize
497B

MD5
1b5bd0083a79a1a63ccd0b88abecbc53

SHA1
906d001a5bc23768ae7832862221459be71859e5

SHA256
f0f1dccad838dc0f8349a778dcfe36add2934f33b19921dc345af1d43a9df7de

SHA512
353ccc41f7b0ba5409cf6815e048cd985d06f15cb531913ac6ef0ab80e8fbec0b3afb2531f7d881f179f51a033f218546963caa9f5d39921fa7bf79530b2b7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f4feed6-a377-421b-a1a2-5afd44df93bb.vbs

Filesize
721B

MD5
9ac8b26c8032296acdd9dea4e8ca8c56

SHA1
821892b95b5598151c457848e6f6798b56025029

SHA256
59a5baf83f3dc605c3ef728fd028b30927afec18f7c5ff89389d0eac8ad522f3

SHA512
7b96fa3e19ee1718bd9f85a2df78367cee905a94a5e589ad0f23f0630b16c3eb18cbc6eff47ee9927ef7b7da9dada5e7ad7b3f477798e0ff5d74e58f2720aa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\a53d5c3b-4eca-4044-9c4b-2c3101a8fbf3.vbs

Filesize
721B

MD5
dbcdc7f7bd19611bff4aa8bd9b07acdb

SHA1
f1375394cdd5f0fb5bec8cab88f03b84a264c2b3

SHA256
0c2ff5d20fab2a72f9e7294acb4d836191d14a2747f9fa23d2823cf710fa9b75

SHA512
86f11af917030411db8220dd4a8be82d06c7c10082b27da1ae3c87d7cb8c1f23b800107013633627c15a13e52ae45a9f6d5d2cad4805ad7e4c484bd9803f963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee131dba-c08a-4448-9803-5d48ec8a3a85.vbs

Filesize
721B

MD5
a9ac1049963a61e3c7826d724a1a2434

SHA1
2c5d7b6537f3f254d2fd74b527fdbf4e12d94864

SHA256
5c8939aa19ab54a6c79a211e2f7d23bb76f9bf651f510fbdd76e95e0f52c2c86

SHA512
2251ae053ce2c2bd1e4f18d6982f097f87186ee87fed1d1a21400970e3a5a735903a8ac39b959790007a945180af6788ae1ca9d417c8673b8bbadcba4e5319a3

Download Submit
\Bridgebrowserdriversession\ComProviderreview.exe

Filesize
3.7MB

MD5
8ba0bad0eb7bd09fde9fe57a8c63c884

SHA1
45a00cb30db1dbf2d6548e1a37cb88a304f46649

SHA256
c050c1d626edf24ea41da7f4b74e20e39a3ae6a66f6a4bff685d6a1c308b600c

SHA512
1c3fa87086fb385d753c5ba49245ddba87a343795b049444d9f21d1cd29adc9dc545f5ef3f92c7d89b9b0289af557524fe88411fefadedcfcd94069845b95041

Download Submit
memory/988-266-0x00000000001F0000-0x00000000005A4000-memory.dmp

Filesize
3.7MB

Download
memory/988-267-0x0000000002230000-0x0000000002242000-memory.dmp

Filesize
72KB

Download
memory/1068-213-0x0000000000170000-0x0000000000524000-memory.dmp

Filesize
3.7MB

Download
memory/1080-238-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1088-258-0x0000000000DE0000-0x0000000001194000-memory.dmp

Filesize
3.7MB

Download
memory/1496-257-0x0000000000050000-0x0000000000404000-memory.dmp

Filesize
3.7MB

Download
memory/1592-176-0x0000000000080000-0x0000000000434000-memory.dmp

Filesize
3.7MB

Download
memory/1612-227-0x00000000008F0000-0x0000000000CA4000-memory.dmp

Filesize
3.7MB

Download
memory/1664-178-0x0000000000D80000-0x0000000001134000-memory.dmp

Filesize
3.7MB

Download
memory/1700-83-0x0000000000920000-0x0000000000CD4000-memory.dmp

Filesize
3.7MB

Download
memory/1756-71-0x0000000000210000-0x00000000005C4000-memory.dmp

Filesize
3.7MB

Download
memory/1756-72-0x0000000000A40000-0x0000000000A96000-memory.dmp

Filesize
344KB

Download
memory/1796-228-0x0000000000B20000-0x0000000000ED4000-memory.dmp

Filesize
3.7MB

Download
memory/1796-157-0x00000000000E0000-0x0000000000494000-memory.dmp

Filesize
3.7MB

Download
memory/1816-119-0x0000000000F00000-0x00000000012B4000-memory.dmp

Filesize
3.7MB

Download
memory/1816-120-0x0000000000540000-0x0000000000596000-memory.dmp

Filesize
344KB

Download
memory/2332-230-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/2332-144-0x00000000007E0000-0x0000000000836000-memory.dmp

Filesize
344KB

Download
memory/2332-229-0x0000000000F20000-0x00000000012D4000-memory.dmp

Filesize
3.7MB

Download
memory/2432-226-0x0000000000260000-0x0000000000614000-memory.dmp

Filesize
3.7MB

Download
memory/2488-95-0x0000000000AA0000-0x0000000000E54000-memory.dmp

Filesize
3.7MB

Download
memory/2488-181-0x0000000000350000-0x0000000000704000-memory.dmp

Filesize
3.7MB

Download
memory/2488-182-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/2488-183-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2596-255-0x0000000000F50000-0x0000000001304000-memory.dmp

Filesize
3.7MB

Download
memory/2684-132-0x0000000000EB0000-0x0000000000F06000-memory.dmp

Filesize
344KB

Download
memory/2736-196-0x0000000000B40000-0x0000000000EF4000-memory.dmp

Filesize
3.7MB

Download
memory/2752-247-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2752-246-0x0000000001150000-0x0000000001504000-memory.dmp

Filesize
3.7MB

Download
memory/2828-198-0x0000000000C50000-0x0000000001004000-memory.dmp

Filesize
3.7MB

Download
memory/2868-159-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2868-160-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/2884-107-0x0000000000D70000-0x0000000001124000-memory.dmp

Filesize
3.7MB

Download
memory/2904-256-0x00000000002D0000-0x0000000000684000-memory.dmp

Filesize
3.7MB

Download
memory/2920-179-0x0000000000150000-0x0000000000504000-memory.dmp

Filesize
3.7MB

Download
memory/2920-211-0x0000000000380000-0x0000000000734000-memory.dmp

Filesize
3.7MB

Download
memory/3040-29-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/3040-20-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/3040-28-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/3040-26-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/3040-25-0x0000000000E50000-0x0000000000EA6000-memory.dmp

Filesize
344KB

Download
memory/3040-24-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/3040-23-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/3040-22-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/3040-21-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/3040-27-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/3040-19-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/3040-30-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/3040-31-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/3040-18-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/3040-32-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

Filesize
48KB

Download
memory/3040-17-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/3040-16-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/3040-15-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/3040-14-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/3040-13-0x0000000001280000-0x0000000001634000-memory.dmp

Filesize
3.7MB

Download