e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Size

1.9MB
MD5

b0d62cfc43b2177c97816f2c622001be
SHA1

f2b812fc94891c55de5c752bc3773036a8dc9825
SHA256

c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1
SHA512

4f29e098a812519506f1dea7ded26fe82f5fcffd0795e4d1d7c35d89db1ccd91fa39cf6df692eff0295c7522791051a6e726866ae30f6a525b37497d006214c1
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4728	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4728	schtasks.exe	88

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4776	powershell.exe
4716	powershell.exe
5144	powershell.exe
748	powershell.exe
3168	powershell.exe
2096	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 9 IoCs

pid	Process
4264	sysmon.exe
5628	sysmon.exe
456	sysmon.exe
2984	sysmon.exe
2820	sysmon.exe
2628	sysmon.exe
1764	sysmon.exe
5136	sysmon.exe
2608	sysmon.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\6cb0b6c459d5d3	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX864D.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows Sidebar\dwm.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows Security\RCX8A69.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Windows Sidebar\dwm.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Windows Security\9bfb2ebfef098c	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX864E.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows Security\RCX8A68.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\backgroundTaskHost.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Windows\Cursors\9bfb2ebfef098c	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\Tasks\RCX8148.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\Cursors\RCX83CA.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Windows\Tasks\backgroundTaskHost.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Windows\Tasks\eddb19405b7ce1	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\Tasks\RCX81C6.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\Cursors\RCX8448.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3632	schtasks.exe
5420	schtasks.exe
4712	schtasks.exe
4804	schtasks.exe
4636	schtasks.exe
4632	schtasks.exe
4784	schtasks.exe
3840	schtasks.exe
4644	schtasks.exe
4704	schtasks.exe
5180	schtasks.exe
3752	schtasks.exe
5680	schtasks.exe
1456	schtasks.exe
4208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
5144	powershell.exe
5144	powershell.exe
3168	powershell.exe
3168	powershell.exe
2096	powershell.exe
2096	powershell.exe
4716	powershell.exe
4716	powershell.exe
748	powershell.exe
748	powershell.exe
4716	powershell.exe
4776	powershell.exe
4776	powershell.exe
5144	powershell.exe
2096	powershell.exe
3168	powershell.exe
748	powershell.exe
4776	powershell.exe
4264	sysmon.exe
5628	sysmon.exe
456	sysmon.exe
456	sysmon.exe
2984	sysmon.exe
2820	sysmon.exe
2628	sysmon.exe
1764	sysmon.exe
5136	sysmon.exe
2608	sysmon.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4264	sysmon.exe
Token: SeDebugPrivilege	5628	sysmon.exe
Token: SeDebugPrivilege	456	sysmon.exe
Token: SeDebugPrivilege	2984	sysmon.exe
Token: SeDebugPrivilege	2820	sysmon.exe
Token: SeDebugPrivilege	2628	sysmon.exe
Token: SeDebugPrivilege	1764	sysmon.exe
Token: SeDebugPrivilege	5136	sysmon.exe
Token: SeDebugPrivilege	2608	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2096	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	107
PID 4676 wrote to memory of 2096	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	107
PID 4676 wrote to memory of 3168	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	108
PID 4676 wrote to memory of 3168	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	108
PID 4676 wrote to memory of 748	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	110
PID 4676 wrote to memory of 748	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	110
PID 4676 wrote to memory of 5144	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	111
PID 4676 wrote to memory of 5144	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	111
PID 4676 wrote to memory of 4716	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	113
PID 4676 wrote to memory of 4716	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	113
PID 4676 wrote to memory of 4776	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	114
PID 4676 wrote to memory of 4776	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	114
PID 4676 wrote to memory of 2116	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	119
PID 4676 wrote to memory of 2116	4676	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	119
PID 2116 wrote to memory of 5588	2116	cmd.exe	121
PID 2116 wrote to memory of 5588	2116	cmd.exe	121
PID 2116 wrote to memory of 4264	2116	cmd.exe	127
PID 2116 wrote to memory of 4264	2116	cmd.exe	127
PID 4264 wrote to memory of 5300	4264	sysmon.exe	129
PID 4264 wrote to memory of 5300	4264	sysmon.exe	129
PID 4264 wrote to memory of 5636	4264	sysmon.exe	130
PID 4264 wrote to memory of 5636	4264	sysmon.exe	130
PID 5300 wrote to memory of 5628	5300	WScript.exe	133
PID 5300 wrote to memory of 5628	5300	WScript.exe	133
PID 5628 wrote to memory of 5796	5628	sysmon.exe	135
PID 5628 wrote to memory of 5796	5628	sysmon.exe	135
PID 5628 wrote to memory of 952	5628	sysmon.exe	136
PID 5628 wrote to memory of 952	5628	sysmon.exe	136
PID 5796 wrote to memory of 456	5796	WScript.exe	148
PID 5796 wrote to memory of 456	5796	WScript.exe	148
PID 456 wrote to memory of 5812	456	sysmon.exe	150
PID 456 wrote to memory of 5812	456	sysmon.exe	150
PID 456 wrote to memory of 868	456	sysmon.exe	151
PID 456 wrote to memory of 868	456	sysmon.exe	151
PID 5812 wrote to memory of 2984	5812	WScript.exe	152
PID 5812 wrote to memory of 2984	5812	WScript.exe	152
PID 2984 wrote to memory of 1176	2984	sysmon.exe	154
PID 2984 wrote to memory of 1176	2984	sysmon.exe	154
PID 2984 wrote to memory of 4488	2984	sysmon.exe	155
PID 2984 wrote to memory of 4488	2984	sysmon.exe	155
PID 1176 wrote to memory of 2820	1176	WScript.exe	157
PID 1176 wrote to memory of 2820	1176	WScript.exe	157
PID 2820 wrote to memory of 4628	2820	sysmon.exe	159
PID 2820 wrote to memory of 4628	2820	sysmon.exe	159
PID 2820 wrote to memory of 5424	2820	sysmon.exe	160
PID 2820 wrote to memory of 5424	2820	sysmon.exe	160
PID 4628 wrote to memory of 2628	4628	WScript.exe	162
PID 4628 wrote to memory of 2628	4628	WScript.exe	162
PID 2628 wrote to memory of 3708	2628	sysmon.exe	164
PID 2628 wrote to memory of 3708	2628	sysmon.exe	164
PID 2628 wrote to memory of 4844	2628	sysmon.exe	165
PID 2628 wrote to memory of 4844	2628	sysmon.exe	165
PID 3708 wrote to memory of 1764	3708	WScript.exe	166
PID 3708 wrote to memory of 1764	3708	WScript.exe	166
PID 1764 wrote to memory of 1516	1764	sysmon.exe	168
PID 1764 wrote to memory of 1516	1764	sysmon.exe	168
PID 1764 wrote to memory of 3892	1764	sysmon.exe	169
PID 1764 wrote to memory of 3892	1764	sysmon.exe	169
PID 1516 wrote to memory of 5136	1516	WScript.exe	170
PID 1516 wrote to memory of 5136	1516	WScript.exe	170
PID 5136 wrote to memory of 3228	5136	sysmon.exe	172
PID 5136 wrote to memory of 3228	5136	sysmon.exe	172
PID 5136 wrote to memory of 6068	5136	sysmon.exe	173
PID 5136 wrote to memory of 6068	5136	sysmon.exe	173

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
"C:\Users\Admin\AppData\Local\Temp\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s7oJICMNfU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5588
- - C:\Users\Public\Downloads\sysmon.exe
    "C:\Users\Public\Downloads\sysmon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4264
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f43b39e-9fd6-43ee-be99-c0e940b7aceb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5300
    - - C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530cce82-9387-48c3-bbe7-75b3a4f29a88.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5796
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b47c3dd8-3088-4360-af68-f42b79cd1f00.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d83a3c-d527-4133-ac60-6414699b0ec6.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae129e3c-3bd1-488d-a57d-a8623b2c870a.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fd42a6e-8298-453d-b259-b2e065ba8aa6.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfdf12d6-a5ca-47cc-a255-7b93b0ce217d.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\853ce71b-ff2a-4d7e-8651-49d90b12f0d2.vbs"
        18⤵
        
        PID:3228
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2811557c-b826-4ee8-9ebc-1df9d4960a69.vbs"
        20⤵
        
        PID:4716
        
        C:\Users\Public\Downloads\sysmon.exe
        
        C:\Users\Public\Downloads\sysmon.exe
        21⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ca7c1f-45aa-4927-ac26-6a9ef7619cf1.vbs"
        22⤵
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4ff063-e680-4650-967c-15eb8cac05c5.vbs"
        22⤵
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5483f7c6-41e7-4e50-97ac-78d68dbac814.vbs"
        20⤵
        
        PID:5436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f45a47c-b701-4cbb-ac42-b086c041bea9.vbs"
        18⤵
        
        PID:6068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f61128-c70d-4917-9bd3-6b54eb3360d1.vbs"
        16⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a50f33-64cd-4d54-b24f-d421d2c2a1d1.vbs"
        14⤵
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70e5f79f-9bb4-456e-a7ff-eb7dc8853ce2.vbs"
        12⤵
        
        PID:5424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562e4fb0-e6fa-4a82-95aa-85c291eca12e.vbs"
        10⤵
        
        PID:4488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ef77be1-d153-4f60-84ea-525ff19b0c0f.vbs"
        8⤵
        
        PID:868
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\435bc06d-84a1-4bac-91d9-acffd435531f.vbs"
        6⤵
        
        PID:952
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\203701e9-c2ef-4665-ab60-787672d85b6e.vbs"
      4⤵
      PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Tasks\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1c" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1" /sc ONLOGON /tr "'C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1c" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1c" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1" /sc ONLOGON /tr "'C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1c" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Filesize
1.9MB

MD5
b0d62cfc43b2177c97816f2c622001be

SHA1
f2b812fc94891c55de5c752bc3773036a8dc9825

SHA256
c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1

SHA512
4f29e098a812519506f1dea7ded26fe82f5fcffd0795e4d1d7c35d89db1ccd91fa39cf6df692eff0295c7522791051a6e726866ae30f6a525b37497d006214c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d670b8afc1f95fa27664d1d5e1aedbd9

SHA1
812b6782aaaae476d0fc15084109ab1b353db9b1

SHA256
f51a65f1321a8bf64493baf04ab9d3c3eaa2643f007947cca51c8be012765cf4

SHA512
8d05512ae3a77e4c4caf8cc4e19e22e0a4a646bffd3cec3518e45bdb7aeb9feac44837b12e03a60046f5558e91729aa646b2c8ac8192d9e6e98feecdbe6eaa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c99ea4e015d0033c75a3c50304499b1

SHA1
594e0bedf19484deec3202fd44225ea7d52cd888

SHA256
c695bd38b90537e2862d2f2e90f3401b9dc14af0792251ee897df2d0b0dc9467

SHA512
4b0c1d820db21868ec5885f11b6c5986d6ae691f5fda350b8004f8e8972da7b404b9a4cbcb4ed6bb5cf9a03829c99879cb484f7a857339d0c9fb4f9fffb2d46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9f629d2038fddc716e498f0fe618081e

SHA1
58857b3b683f8a34553f0a683ef366baf7b37907

SHA256
4cffd53a4c1299c817c7f9de80ff3bb68e5d7c7c692e93d6ec39d19c1b1998fe

SHA512
bf6455d0553453acd66ec56eef63ea0ac96f0137d8906f162ee2353b3194041c9775f62af5b82cf72c7564549b47abd35db664cbca579c62b565721f84a63ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\12d83a3c-d527-4133-ac60-6414699b0ec6.vbs

Filesize
712B

MD5
0f9723fb9dc95df01be76a23f2edc4da

SHA1
f87a0688f143ca7f9d50b68a45b89ba5c96f3050

SHA256
efb76f6148654b94f43f1d05161156b63d930a6c04c2df9c063704eaf8e3fa5a

SHA512
b38f60baf67c03af9a61238664e029f1e36b6618b9e6b64ee90d1da3bed6755726017754884212482bf1af0d23c31e45f21051c65dde3b7b705c1216bc05d71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\203701e9-c2ef-4665-ab60-787672d85b6e.vbs

Filesize
488B

MD5
b26756ca4bc6524f47793d975157347a

SHA1
18e88fbc96be692e93cd6d64873d9a5f1e881e4b

SHA256
f1a8313014abafce2de57a330193f7d15e89445b4931d25f2978718f92da7168

SHA512
06e016dcc9de5ad8a6c7e7b1a4bcaa6c55034b893b80f54f256a72dcc0d7f94295b710c16b0a874c96a4d6580c8f1501d7a1db1e487492cf978a2a7283857957

Download Submit
C:\Users\Admin\AppData\Local\Temp\2811557c-b826-4ee8-9ebc-1df9d4960a69.vbs

Filesize
712B

MD5
15cc1bb6ecf897a11841e2b9b8106756

SHA1
09cfba1e8dc0fe60f02c3b4773e2b536effc124e

SHA256
962c0eb20d88111505702f6d6375929c982f5ecf4035b2fe8e2481d218bc6aa4

SHA512
a6599bea68bfd37f977e5fcde851bad41aab92d2acc395c9b9be411582e188c0c8018282d109393c200864e3a478f3318959e3c000f8774468e81e83845f8880

Download Submit
C:\Users\Admin\AppData\Local\Temp\530cce82-9387-48c3-bbe7-75b3a4f29a88.vbs

Filesize
712B

MD5
f0bfb0eee765509eda7e5069aaa0b848

SHA1
64acddcf73f9e3fe242ff4826a9cd5109ab8ad58

SHA256
04b72fd6b8c53dde083e41d843d7a8d3cccf1cbdec55d9e38b23d18e377d6526

SHA512
f44d27f5091fa12283d435517a137ef55028904ad8b2d3fea08e131a6e45f8b11412d01bba196d28db462989f14956f25b828307f69e2dec218c7210e2061be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fd42a6e-8298-453d-b259-b2e065ba8aa6.vbs

Filesize
712B

MD5
c62f0f048f38df374cba35957435c20b

SHA1
7b165d590c4e109717303ccee8c052bb21390adc

SHA256
2285a591005bc831b41356144903e8ba698bce8d512c9c0165d72d943ac6e2b0

SHA512
b88eace94943f9a26af9dc8bc8f02272c63247fa40833b5e8b697d2b7250bdfbd81c966cb3ef1dff617186de4a1f30cb3a1c3c0e83be69bfc8abc4702ba4d061

Download Submit
C:\Users\Admin\AppData\Local\Temp\853ce71b-ff2a-4d7e-8651-49d90b12f0d2.vbs

Filesize
712B

MD5
35f9f79c072fd6967ccd55fce600d4d1

SHA1
bc66786a9a9b0c2509b2c13b36f1f4ebf05c2a76

SHA256
bc3e8f28cbf3291e1f5e09240b994dbc92ae056bebd13d94b299353ffa5b2189

SHA512
b998296b1a0ad9c04843205f8be0622d941c87ac04fdc90bdc02371843316d5ff7ec7c897e24605a8b7db6bc3ed338e4ea146b45999947b6fa5b807e23523552

Download Submit
C:\Users\Admin\AppData\Local\Temp\89ca7c1f-45aa-4927-ac26-6a9ef7619cf1.vbs

Filesize
712B

MD5
4198d0123771f3fe8f22b4a9b81249ca

SHA1
2aacf162ea06d593f5a74e3990878337e9adca1a

SHA256
7a803d78538d2ca0baec90019485157a074bed1c8db53eedfdddbf8e367f406e

SHA512
de51773d6e1865640e6d68e653921b64d12f1a2dfaf7391ac5e714f1218c43aa01dcd224ff46643afe1d9e54c366d4aef854b432c85c9236a8e394616aab59e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f43b39e-9fd6-43ee-be99-c0e940b7aceb.vbs

Filesize
712B

MD5
7ae5ef9d88bf17b3bfc2d5940ae89d1c

SHA1
082804205665efb6d0f4d893c274d53bb11f0c99

SHA256
40c19e560f267228b06d230170661d6694498090acfd215e2f5736c5cb3318ea

SHA512
d5aee2fcecf3c51bbac75cc403e4e83ea972137e33074dfd6e513e7a7142bd3ef25ef34825af41b42f6fabfd2a0f12a4d17c7dab3fe8f634f02cfd654656a979

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mpewioa.daf.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae129e3c-3bd1-488d-a57d-a8623b2c870a.vbs

Filesize
712B

MD5
c5a3f3edb0e1fcc64c2c137872260154

SHA1
e0c3b19e8a8bcc0b1e7820a326137a58260962f1

SHA256
daa67012edf9bdf58df2de6f103b7cbd9882aa37e55d3f159743624130c40345

SHA512
c678bb0d46594ea66eb6a9509fe48031448e875d36b37d04dadea8acb1bba9c2fc19dbc1febcdde2bd28ddc6a875389fa2547b9fd3ce80f42135c23a9937df82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b47c3dd8-3088-4360-af68-f42b79cd1f00.vbs

Filesize
711B

MD5
fccbb33a20b9dbe45d4825d695735881

SHA1
d898d887a8eb96866a19e04809f762f6f5a6bbf7

SHA256
1370233fa2d71350f66289255759b9db807636506a0d57b6293bf6c7bd66e638

SHA512
964de3e8762b13134044af3cc7efe79228f166ca8d98499b40b0116b777005477f663981479cd1151bdb827ce2c0f43a983b1e93783974e76a7f09baada31ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfdf12d6-a5ca-47cc-a255-7b93b0ce217d.vbs

Filesize
712B

MD5
84f2f26b10b282f804740656ebea13b5

SHA1
a4025f09da39ff66fd7e77306c090a425601a405

SHA256
aac9b8d75508637f9c80af34b38ca6944cca6148c06182f12ff2221b6ab26fb1

SHA512
9da3dfe3703a3849a78b22fa4ca58d20e1e9616dd3573d4a6512d417f96645c9568c050946dcadba15ed1b076349114cb35f810caaf944356487cd75d4f2d5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s7oJICMNfU.bat

Filesize
201B

MD5
bfbbd3be4d3af29e07206ecc8c9aff1d

SHA1
209e085e525f9075512f54a2cd7b6ab4fb7686cd

SHA256
8935decae889a60c232234e400b810adb3d4b71b088b73063eb9271f199faf82

SHA512
ae60deb07a2c626d4fcab19f0167c0674b8d291fc94edd62cddae9a782084358ceb537cdac1d7f3f214cde3ed986bf61e92a257cb8df5d037bf9e241b519cf37

Download Submit
C:\Windows\Cursors\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Filesize
1.9MB

MD5
01e5058242529eed787af51f4e9f12e8

SHA1
66068d6da721cdc0a4dd170075cd5bd3ad52490f

SHA256
04ec1fe1c4ca84e89bd3fd3a2ada9e314a9d85800ddecccb2ed384d034ddde1f

SHA512
8236711ca5b66b039c9761c70e63f57b86ad89f32c91e6b43818d04dc6619ddc77865860557d51ce09021dc60879c3fc2ab973fdee858d66772f4eac6e9854f8

Download Submit
C:\Windows\Tasks\backgroundTaskHost.exe

Filesize
1.9MB

MD5
6c1062c7a5252c2f8142a2c458550041

SHA1
76fa0b18e73623884e06f691a1992c93a64394d6

SHA256
174c7a0624dc807cbfddb9348b4e2e1881f48414670ed45e8f99f6c61cd5d096

SHA512
aef33187c5e7663e4ad312016319baf30198d2104efc96eca0184f7708d48057ef5449f6452b858aac10ef223c032be4056400a2a927a8eefdeba29298215997

Download Submit
memory/456-199-0x000000001B5C0000-0x000000001B5D2000-memory.dmp

Filesize
72KB

Download
memory/2608-267-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download
memory/2820-222-0x00000000026C0000-0x0000000002716000-memory.dmp

Filesize
344KB

Download
memory/4264-175-0x000000001B6A0000-0x000000001B6B2000-memory.dmp

Filesize
72KB

Download
memory/4264-174-0x000000001B040000-0x000000001B096000-memory.dmp

Filesize
344KB

Download
memory/4676-4-0x0000000002A10000-0x0000000002A60000-memory.dmp

Filesize
320KB

Download
memory/4676-14-0x000000001C5F0000-0x000000001CB18000-memory.dmp

Filesize
5.2MB

Download
memory/4676-1-0x0000000000690000-0x000000000087A000-memory.dmp

Filesize
1.9MB

Download
memory/4676-16-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

Filesize
40KB

Download
memory/4676-17-0x000000001BCC0000-0x000000001BCCE000-memory.dmp

Filesize
56KB

Download
memory/4676-18-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

Filesize
32KB

Download
memory/4676-19-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/4676-20-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/4676-3-0x0000000002990000-0x00000000029AC000-memory.dmp

Filesize
112KB

Download
memory/4676-15-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/4676-0-0x00007FFDEA683000-0x00007FFDEA685000-memory.dmp

Filesize
8KB

Download
memory/4676-147-0x00007FFDEA680000-0x00007FFDEB141000-memory.dmp

Filesize
10.8MB

Download
memory/4676-5-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/4676-6-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/4676-7-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/4676-10-0x0000000002A60000-0x0000000002A6C000-memory.dmp

Filesize
48KB

Download
memory/4676-11-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/4676-13-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/4676-9-0x000000001BAB0000-0x000000001BB06000-memory.dmp

Filesize
344KB

Download
memory/4676-8-0x0000000002A00000-0x0000000002A0A000-memory.dmp

Filesize
40KB

Download
memory/4676-2-0x00007FFDEA680000-0x00007FFDEB141000-memory.dmp

Filesize
10.8MB

Download
memory/4756-279-0x000000001B670000-0x000000001B682000-memory.dmp

Filesize
72KB

Download
memory/5144-117-0x000001ACF9230000-0x000001ACF9252000-memory.dmp

Filesize
136KB

Download