e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
130s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db547399adb1223b51dd04ca54bc0dcd.exe
Size

1.9MB
MD5

db547399adb1223b51dd04ca54bc0dcd
SHA1

5c5010b0c7d160d19aa37a981f28884c6fb753c5
SHA256

101ccc6b92cebfc2110fc59fe95374d2b7255103cd662a796513cc18f0c6022a
SHA512

6f000a5731877d84c56df1b3268f48b6346b5c5710e8044d7b0ecffc03b89f4a40a17049a9f929f9631bf6fbcec8cb35eadd521168d739085771fa8630e5f910
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2716	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	db547399adb1223b51dd04ca54bc0dcd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
1156	powershell.exe
1740	powershell.exe
2176	powershell.exe
2448	powershell.exe
636	powershell.exe
2164	powershell.exe
2356	powershell.exe
2372	powershell.exe
2364	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	db547399adb1223b51dd04ca54bc0dcd.exe

Executes dropped EXE 9 IoCs

pid	Process
2208	spoolsv.exe
1668	spoolsv.exe
2752	spoolsv.exe
1268	spoolsv.exe
2236	spoolsv.exe
2520	spoolsv.exe
2396	spoolsv.exe
812	spoolsv.exe
2128	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f3b6ecef712a24	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX3785.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX3786.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe	db547399adb1223b51dd04ca54bc0dcd.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\it-IT\winlogon.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\AppPatch\it-IT\cc11b995f2a76d	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX2E97.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX2E98.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\Panther\actionqueue\spoolsv.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\AppPatch\it-IT\RCX330F.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\schemas\TSWorkSpace\Idle.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\Panther\actionqueue\spoolsv.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\Panther\actionqueue\f3b6ecef712a24	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\AppPatch\it-IT\winlogon.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\AppPatch\it-IT\RCX330E.tmp	db547399adb1223b51dd04ca54bc0dcd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1776	schtasks.exe
1084	schtasks.exe
2880	schtasks.exe
2664	schtasks.exe
3068	schtasks.exe
868	schtasks.exe
2504	schtasks.exe
2180	schtasks.exe
2024	schtasks.exe
1796	schtasks.exe
2660	schtasks.exe
1360	schtasks.exe
2228	schtasks.exe
2340	schtasks.exe
1292	schtasks.exe
1788	schtasks.exe
2612	schtasks.exe
464	schtasks.exe
1628	schtasks.exe
2596	schtasks.exe
2192	schtasks.exe
2872	schtasks.exe
2816	schtasks.exe
2856	schtasks.exe
2648	schtasks.exe
2568	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2388	db547399adb1223b51dd04ca54bc0dcd.exe
2372	powershell.exe
2356	powershell.exe
1740	powershell.exe
2364	powershell.exe
2164	powershell.exe
2176	powershell.exe
2208	spoolsv.exe
1156	powershell.exe
2448	powershell.exe
636	powershell.exe
888	powershell.exe
1668	spoolsv.exe
2752	spoolsv.exe
1268	spoolsv.exe
2236	spoolsv.exe
2520	spoolsv.exe
2396	spoolsv.exe
812	spoolsv.exe
2128	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	db547399adb1223b51dd04ca54bc0dcd.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2208	spoolsv.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1668	spoolsv.exe
Token: SeDebugPrivilege	2752	spoolsv.exe
Token: SeDebugPrivilege	1268	spoolsv.exe
Token: SeDebugPrivilege	2236	spoolsv.exe
Token: SeDebugPrivilege	2520	spoolsv.exe
Token: SeDebugPrivilege	2396	spoolsv.exe
Token: SeDebugPrivilege	812	spoolsv.exe
Token: SeDebugPrivilege	2128	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2364	2388	db547399adb1223b51dd04ca54bc0dcd.exe	58
PID 2388 wrote to memory of 2364	2388	db547399adb1223b51dd04ca54bc0dcd.exe	58
PID 2388 wrote to memory of 2364	2388	db547399adb1223b51dd04ca54bc0dcd.exe	58
PID 2388 wrote to memory of 2372	2388	db547399adb1223b51dd04ca54bc0dcd.exe	59
PID 2388 wrote to memory of 2372	2388	db547399adb1223b51dd04ca54bc0dcd.exe	59
PID 2388 wrote to memory of 2372	2388	db547399adb1223b51dd04ca54bc0dcd.exe	59
PID 2388 wrote to memory of 2176	2388	db547399adb1223b51dd04ca54bc0dcd.exe	60
PID 2388 wrote to memory of 2176	2388	db547399adb1223b51dd04ca54bc0dcd.exe	60
PID 2388 wrote to memory of 2176	2388	db547399adb1223b51dd04ca54bc0dcd.exe	60
PID 2388 wrote to memory of 1740	2388	db547399adb1223b51dd04ca54bc0dcd.exe	61
PID 2388 wrote to memory of 1740	2388	db547399adb1223b51dd04ca54bc0dcd.exe	61
PID 2388 wrote to memory of 1740	2388	db547399adb1223b51dd04ca54bc0dcd.exe	61
PID 2388 wrote to memory of 2356	2388	db547399adb1223b51dd04ca54bc0dcd.exe	63
PID 2388 wrote to memory of 2356	2388	db547399adb1223b51dd04ca54bc0dcd.exe	63
PID 2388 wrote to memory of 2356	2388	db547399adb1223b51dd04ca54bc0dcd.exe	63
PID 2388 wrote to memory of 2164	2388	db547399adb1223b51dd04ca54bc0dcd.exe	64
PID 2388 wrote to memory of 2164	2388	db547399adb1223b51dd04ca54bc0dcd.exe	64
PID 2388 wrote to memory of 2164	2388	db547399adb1223b51dd04ca54bc0dcd.exe	64
PID 2388 wrote to memory of 636	2388	db547399adb1223b51dd04ca54bc0dcd.exe	65
PID 2388 wrote to memory of 636	2388	db547399adb1223b51dd04ca54bc0dcd.exe	65
PID 2388 wrote to memory of 636	2388	db547399adb1223b51dd04ca54bc0dcd.exe	65
PID 2388 wrote to memory of 1156	2388	db547399adb1223b51dd04ca54bc0dcd.exe	68
PID 2388 wrote to memory of 1156	2388	db547399adb1223b51dd04ca54bc0dcd.exe	68
PID 2388 wrote to memory of 1156	2388	db547399adb1223b51dd04ca54bc0dcd.exe	68
PID 2388 wrote to memory of 2448	2388	db547399adb1223b51dd04ca54bc0dcd.exe	70
PID 2388 wrote to memory of 2448	2388	db547399adb1223b51dd04ca54bc0dcd.exe	70
PID 2388 wrote to memory of 2448	2388	db547399adb1223b51dd04ca54bc0dcd.exe	70
PID 2388 wrote to memory of 888	2388	db547399adb1223b51dd04ca54bc0dcd.exe	71
PID 2388 wrote to memory of 888	2388	db547399adb1223b51dd04ca54bc0dcd.exe	71
PID 2388 wrote to memory of 888	2388	db547399adb1223b51dd04ca54bc0dcd.exe	71
PID 2388 wrote to memory of 2208	2388	db547399adb1223b51dd04ca54bc0dcd.exe	77
PID 2388 wrote to memory of 2208	2388	db547399adb1223b51dd04ca54bc0dcd.exe	77
PID 2388 wrote to memory of 2208	2388	db547399adb1223b51dd04ca54bc0dcd.exe	77
PID 2208 wrote to memory of 2692	2208	spoolsv.exe	79
PID 2208 wrote to memory of 2692	2208	spoolsv.exe	79
PID 2208 wrote to memory of 2692	2208	spoolsv.exe	79
PID 2208 wrote to memory of 1396	2208	spoolsv.exe	80
PID 2208 wrote to memory of 1396	2208	spoolsv.exe	80
PID 2208 wrote to memory of 1396	2208	spoolsv.exe	80
PID 2692 wrote to memory of 1668	2692	WScript.exe	81
PID 2692 wrote to memory of 1668	2692	WScript.exe	81
PID 2692 wrote to memory of 1668	2692	WScript.exe	81
PID 1668 wrote to memory of 1452	1668	spoolsv.exe	82
PID 1668 wrote to memory of 1452	1668	spoolsv.exe	82
PID 1668 wrote to memory of 1452	1668	spoolsv.exe	82
PID 1668 wrote to memory of 2172	1668	spoolsv.exe	83
PID 1668 wrote to memory of 2172	1668	spoolsv.exe	83
PID 1668 wrote to memory of 2172	1668	spoolsv.exe	83
PID 1452 wrote to memory of 2752	1452	WScript.exe	84
PID 1452 wrote to memory of 2752	1452	WScript.exe	84
PID 1452 wrote to memory of 2752	1452	WScript.exe	84
PID 2752 wrote to memory of 3048	2752	spoolsv.exe	85
PID 2752 wrote to memory of 3048	2752	spoolsv.exe	85
PID 2752 wrote to memory of 3048	2752	spoolsv.exe	85
PID 2752 wrote to memory of 2688	2752	spoolsv.exe	86
PID 2752 wrote to memory of 2688	2752	spoolsv.exe	86
PID 2752 wrote to memory of 2688	2752	spoolsv.exe	86
PID 3048 wrote to memory of 1268	3048	WScript.exe	87
PID 3048 wrote to memory of 1268	3048	WScript.exe	87
PID 3048 wrote to memory of 1268	3048	WScript.exe	87
PID 1268 wrote to memory of 2784	1268	spoolsv.exe	88
PID 1268 wrote to memory of 2784	1268	spoolsv.exe	88
PID 1268 wrote to memory of 2784	1268	spoolsv.exe	88
PID 1268 wrote to memory of 2512	1268	spoolsv.exe	89

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\db547399adb1223b51dd04ca54bc0dcd.exe
"C:\Users\Admin\AppData\Local\Temp\db547399adb1223b51dd04ca54bc0dcd.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\db547399adb1223b51dd04ca54bc0dcd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\db547399adb1223b51dd04ca54bc0dcd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\it-IT\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\Panther\actionqueue\spoolsv.exe
  "C:\Windows\Panther\actionqueue\spoolsv.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e9e8c98-8d39-4f13-8f67-dbfb8e6e40fa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\Panther\actionqueue\spoolsv.exe
      C:\Windows\Panther\actionqueue\spoolsv.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f062044b-2d3d-4612-96cb-4aac4cb76651.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a853bc0a-ea41-4f7f-84ca-7c454ad4c496.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00392b43-8741-407b-8402-3999410ae740.vbs"
        9⤵
        
        PID:2784
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17962914-bbdd-4185-ae78-c3da9a5a683d.vbs"
        11⤵
        
        PID:1724
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ba0821-809e-4213-afae-4ad284055e5e.vbs"
        13⤵
        
        PID:2204
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7ab9d1-2a19-4119-9825-94acb3022ce1.vbs"
        15⤵
        
        PID:1820
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\238716a6-972f-42fd-b331-a0a9adce0987.vbs"
        17⤵
        
        PID:1508
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f97b8005-91e8-4373-bf5b-d5e15296b6da.vbs"
        19⤵
        
        PID:2828
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        20⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59fb927f-8527-469a-9f7f-27b1edd3581b.vbs"
        21⤵
        
        PID:676
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        
        C:\Windows\Panther\actionqueue\spoolsv.exe
        22⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9efc27be-97ba-44f8-85fb-d3b2cb39ccc0.vbs"
        21⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418c0afa-0522-4ac2-9b32-0dc0713be715.vbs"
        19⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f6c371a-007a-4728-96b3-e7f95a2a1c0c.vbs"
        17⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91e02a21-4191-4466-bc08-a22addea5b64.vbs"
        15⤵
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\876e5d59-a1aa-4d28-9936-182cc6dff0f1.vbs"
        13⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6538a9f5-1847-40e0-971b-8e11ddbcd526.vbs"
        11⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\806917a1-1ede-43c9-8d52-9f52f7c095d6.vbs"
        9⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f90d4e-2303-4b1b-984a-9353f5d7fd36.vbs"
        7⤵
        
        PID:2688
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e30a6015-af88-498a-9fc5-061be68baeda.vbs"
        5⤵
        
        PID:2172
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\751c4308-9dbb-4846-852d-4415dd423cb5.vbs"
    3⤵
    PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "db547399adb1223b51dd04ca54bc0dcdd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\db547399adb1223b51dd04ca54bc0dcd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "db547399adb1223b51dd04ca54bc0dcd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\db547399adb1223b51dd04ca54bc0dcd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "db547399adb1223b51dd04ca54bc0dcdd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\db547399adb1223b51dd04ca54bc0dcd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe

Filesize
1.9MB

MD5
49ff6e48d5dce441ac143859e3aa449f

SHA1
b227f6a8a3f6ef2724cb4229a9d2e753e8d189e1

SHA256
b3c94894a45486e2a5f4c6f8863bc325757a1e93cfe096b6ab11f3e4ac4d47e5

SHA512
bef6e9bb68171004f014bdd356747e048235a70b6172869869efbbbb8aa27179c65d61359630545e88e20a942412219197600f174c35798cb4f995a0236f9f34

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe

Filesize
1.9MB

MD5
db547399adb1223b51dd04ca54bc0dcd

SHA1
5c5010b0c7d160d19aa37a981f28884c6fb753c5

SHA256
101ccc6b92cebfc2110fc59fe95374d2b7255103cd662a796513cc18f0c6022a

SHA512
6f000a5731877d84c56df1b3268f48b6346b5c5710e8044d7b0ecffc03b89f4a40a17049a9f929f9631bf6fbcec8cb35eadd521168d739085771fa8630e5f910

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe

Filesize
1.9MB

MD5
62c3f43779272579a2c4273d7f58d77d

SHA1
7015f94369b81f2a05c6898b40436c5380efccd7

SHA256
8361540c35ece9318d72907e2b6977add8e101f9e025c88f78a4a66f0b8ea427

SHA512
1db30ca77b378e1c8b4a34e8b05bb510122ec75388719bc03bc1739492140c7afe2e0cddadf5a19ffe1edc2d9677d714d90d1bf15d1ec55178e4b6e0204a840a

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\db547399adb1223b51dd04ca54bc0dcd.exe

Filesize
1.9MB

MD5
53af430b953792a95ddd9effd74a0293

SHA1
51fb91eb1288309ab56bf122aaebc5817189facf

SHA256
7a2c355a94d9ec6e57d98a05ade5e5ebdc1b3f8b005c7fd47517df4dba254cd4

SHA512
8023a57c0ba6303da151dded8e9e2c48e284e61b4c1ed3403f0e3c13a70c66fe0fa24014fe5c494a8643334934db6a109d1fce860907c06f3374eafe7e65d8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\00392b43-8741-407b-8402-3999410ae740.vbs

Filesize
718B

MD5
b1729fac67c1178a96af2a5d9380232c

SHA1
98300169c584c010b97b51b24068cd3a94dcbefe

SHA256
70c1183d1fc60d26a30c0abb37e75289df60f364c49fd3e30951f87b012d6ace

SHA512
314846adab4262226c747cddce31ee5aa8586570c3bc67bf0dce06da771b8454797d248f13076832738af63c75f0d2cce800a89be996787c6fddf763f9232e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\17962914-bbdd-4185-ae78-c3da9a5a683d.vbs

Filesize
718B

MD5
828c34a427ee9d9fcf84baecb47f2b6e

SHA1
e5d8da4a9e71e3f460cb3f6a654a08153d047521

SHA256
bc1ee1d2d05186f94c82d6a96343a70432740c3e14a7aeda5d5ce1ad10acd971

SHA512
b7a2c2bf2c0b718196219af0cbac4df655669c32aba1958b739811172e0f18a65e63a75f8012e3745799ad687251a31321c4917af3be2c0a6571140a7c826824

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e9e8c98-8d39-4f13-8f67-dbfb8e6e40fa.vbs

Filesize
718B

MD5
beff8b25f20aabdb77a08688073ac1a4

SHA1
f784353edd2d9c207019d89d99629b5e19ef7a7f

SHA256
7526fd49978b0ece8f2962547711a1d9baf5eb56daf2d3f80e9133d3afd2b3bb

SHA512
40b557faef16287d575be78128976ec60ec59779351cf433b0d4533dedcee5f541a4b1bccfe03646d26789e3aa8f1afd330fe5235879ecbb59b43c0a0fb4e2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\238716a6-972f-42fd-b331-a0a9adce0987.vbs

Filesize
717B

MD5
90c9edba64899c881527770c01bc751c

SHA1
c1242de13e2497f864580fbc42d69326473721bf

SHA256
eda85a750afa078961c1603cc977d4beacd06dad6b318a16dc29dbfcdf91eda1

SHA512
c72a8182eaf8d5e279bd550a24ef2fa0c90617e15dde1a80ff8b0ab12e013f3424d444a4f09cf761de3ee5241fd8abccaac5cd34ecedad56275fa416b3328e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c7ab9d1-2a19-4119-9825-94acb3022ce1.vbs

Filesize
718B

MD5
eda5aa53e1c9659f5abcb1e1fe930b81

SHA1
d78c90b1fb637928aeed88f25019a6b4f76c26f9

SHA256
fb7ebbdddd502d95aec7e4282fbed6639afc80fb013c3d55688e8f6bef4da065

SHA512
fa34db35f8951337de0568ca9c7feae20291945646964105a74e3d999665b54146a299f9430bd6a5efbdb00b85c777684c9f7bea8244ca3b4b66550a1d496f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\59fb927f-8527-469a-9f7f-27b1edd3581b.vbs

Filesize
718B

MD5
8a527e3b306d8df5a14935ed0e73d92a

SHA1
932ad168234b005173c7100f5200fb4803119fa7

SHA256
99269edf4d168bbbcb031b034a755e349b01af5ba92b638823f79420d6439de5

SHA512
fe4ee44b0c46e9f0533d446af5ed8c298687b636ddb4a0a4b736480e0517e27e99be6a5f373a04c0c1d831dc3d6262cea7ed4dadc5e18c64db190c83639b77e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\751c4308-9dbb-4846-852d-4415dd423cb5.vbs

Filesize
494B

MD5
4cd9fa9723366a444edef18d920776a2

SHA1
4648cad264d59ecd29b5fb90d8323e5ee9efd819

SHA256
de588c858da888873f76699ba303df15bf6b86dc7c1aefaefef64c756443573f

SHA512
fbdc15c237ac69b0a0a6df2d5fc22651d70ec1d93f343f053bb9375c53dfb8532124fdc12fe078d088198c3c5e21ba58813781fdb4d6ee943ee101072db507cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\978f684442467354e28821397045b9780ba3154c.exe

Filesize
1.6MB

MD5
c1cfe5f2d40808689dc1420bb6a0a4a7

SHA1
32a1566317081561a35dc04523e1934ef9783388

SHA256
dd2eaa653c31ae0cf3406b83eb610c224f3ede369fc19aac4b24ee6adfbba8d2

SHA512
ddb3cd1a0510d9a4616f4fff2a735bfb41425132c99b9b2f506ba51a187acf5724d222c304ea78ab2800b751a1b9aa6eec25480085f7a0129e264dd6a6f9cdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3ba0821-809e-4213-afae-4ad284055e5e.vbs

Filesize
718B

MD5
664b11141138971d4aa35575a735118c

SHA1
22f72570e85f9771dff9e148bce937d7eb8fc8b0

SHA256
26adac5845ca4f1d4814ec7ebb892e6a358d8dfde8eca31e7c31a8a6cefbe140

SHA512
a34c0658486045c3e8bb08ad5d7a623c59a4b1fcab500fb4eaacb0e903b88cd2339d5c7705971ca15c52c9f2c3fa5ff140b54d0fb30106bbbc7ad1cda4aafe39

Download Submit
C:\Users\Admin\AppData\Local\Temp\a853bc0a-ea41-4f7f-84ca-7c454ad4c496.vbs

Filesize
718B

MD5
4e0403e5f270d8a2708ebcd0f662c5b3

SHA1
240d91e210293b7d2c538cc00e3a26d3496a5475

SHA256
2a0ff4724cad503703fc46013fb2bcc81ed0534b06d2f29a785d2e6ee6e151a1

SHA512
3a149febfddb98c669f1fbf59a37b0f8df4692f67fcdc66a049f20ab434195667f104892b26a5e8a1850ef7758afad20cef6b6e4b07d1fa3384b430e35e39bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f062044b-2d3d-4612-96cb-4aac4cb76651.vbs

Filesize
718B

MD5
ccfbdd2a28f8b11b1aca81ebe679bebc

SHA1
312a952876b463719245531812a91ed3f258b774

SHA256
fd74b6e35b57c1cbcdcc01c73b32e742fdc874d5568bcd873cc3f36e153d5bac

SHA512
242b627f68394546d42b79e6925f7d20675de8eb5c007d56c3a183af4eb1728940d60c134c8ce0bbd19f34cc42ca54ace2d0a8a619f75d1a385caf4648c0f4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f97b8005-91e8-4373-bf5b-d5e15296b6da.vbs

Filesize
718B

MD5
0f7f7af4f0d809477eda81b3ae79ca4d

SHA1
2eaae15c3f8c8951eabfe11992b18e63b0d999ae

SHA256
8c16f200f77c7e5dc4f099049a08ac7176325b81c3731fb9f411a83d85b7c18a

SHA512
5cf1a3533f0355d2b8d788e8550a92a4debe38ec4868a295debccbdb220ad8d65c6e71ca3307053456b0a96daa2d3bf583fdf51796d70f7876de8cfe09835b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10aaadefbaa31968c358bd1773c3e46d

SHA1
c160adbc0fa15e8b900de039515ad625785d0c56

SHA256
c25da17aacd5eba232a443f4d9749839b0ad258ad26a1b4103d9c0e5dcb2c6b1

SHA512
40af3d0a879e0bb1d5de20a419a14541d104801fd084e3bd9516e320551d31f5522f242d7204a3bce5ff0dcf03a6c99ed9c8ddd9a7252338469918e2ac6366b2

Download Submit
C:\Windows\Panther\actionqueue\spoolsv.exe

Filesize
1.6MB

MD5
deb7df41e8aa5a8ff25f0e6d72fbca7c

SHA1
4d4888faaf7634fe34f7b8bccac27bccd8d9f4fd

SHA256
883343878fd66d87febc3756f0cbbb96954603b669c8ba3e0d2c81e4d9c82676

SHA512
53043674ac4c7835aa3f1609678390c1ed925a875cdd5ff985c263c794373c706de2ba92d101bf0814b835a29bd89ad3e7656367616d8f4f10a5a65af2b271b7

Download Submit
C:\Windows\Panther\actionqueue\spoolsv.exe

Filesize
92KB

MD5
2d0613b759e85bdb077fc4754ac2d2db

SHA1
0f085a04dd92ffe413b305153af961669380f21a

SHA256
326c05dcf07c61810a0e327aa1f2353f88117e6b15a3264a5647f7436f19c7d9

SHA512
f38a09deadcd5a4207040c7c6f36c24696ebb5e925c4919c0588253b6b83510eb1ce8bd57f25241c40afab758480045ff42bd61d3af1b59e47610f4707156db7

Download Submit
memory/812-290-0x0000000000070000-0x000000000025A000-memory.dmp

Filesize
1.9MB

Download
memory/812-292-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/812-291-0x0000000002220000-0x0000000002276000-memory.dmp

Filesize
344KB

Download
memory/1268-240-0x00000000012D0000-0x00000000014BA000-memory.dmp

Filesize
1.9MB

Download
memory/1668-217-0x00000000008F0000-0x0000000000ADA000-memory.dmp

Filesize
1.9MB

Download
memory/2128-304-0x0000000000E80000-0x000000000106A000-memory.dmp

Filesize
1.9MB

Download
memory/2208-157-0x0000000000100000-0x00000000002EA000-memory.dmp

Filesize
1.9MB

Download
memory/2208-185-0x00000000021F0000-0x0000000002246000-memory.dmp

Filesize
344KB

Download
memory/2208-186-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/2236-252-0x0000000000020000-0x000000000020A000-memory.dmp

Filesize
1.9MB

Download
memory/2372-163-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2372-156-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2388-16-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2388-6-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2388-13-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2388-14-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/2388-17-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

Filesize
48KB

Download
memory/2388-18-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/2388-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x0000000000F40000-0x000000000112A000-memory.dmp

Filesize
1.9MB

Download
memory/2388-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-15-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

Filesize
56KB

Download
memory/2388-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2388-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2388-9-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2388-12-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2388-10-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2388-8-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download
memory/2388-184-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-7-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2388-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2396-278-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2396-277-0x0000000000220000-0x000000000040A000-memory.dmp

Filesize
1.9MB

Download
memory/2520-265-0x00000000008C0000-0x0000000000916000-memory.dmp

Filesize
344KB

Download
memory/2520-264-0x0000000000910000-0x0000000000AFA000-memory.dmp

Filesize
1.9MB

Download
memory/2632-327-0x0000000000040000-0x000000000022A000-memory.dmp

Filesize
1.9MB

Download