5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
99s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Size

1.9MB
MD5

8b90b02faca36074af1577d7195ee6a6
SHA1

58a84f82276f92154be4271244a6bc0d1837c33f
SHA256

e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c
SHA512

2a38045191bfb8b2bdce869181ea1d4bd8745dbd87e6ea062ecbe4e9b04ab5aac96a8428790fde989b26c41137b830c7b76efddd4361c60cee2c9203d31ad8f1
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5668	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4588	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4588	schtasks.exe	87

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6132	powershell.exe
4124	powershell.exe
752	powershell.exe
4444	powershell.exe
4532	powershell.exe
5700	powershell.exe
3752	powershell.exe
5596	powershell.exe
5548	powershell.exe
3592	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 6 IoCs

pid	Process
468	SearchApp.exe
5100	SearchApp.exe
1864	SearchApp.exe
736	SearchApp.exe
404	SearchApp.exe
2556	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXAF45.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXAFC3.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files\ModifiableWindowsApps\unsecapp.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\38384e6a620884	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\RCXB99E.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\RCXBA1C.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3280	schtasks.exe
2152	schtasks.exe
2248	schtasks.exe
5056	schtasks.exe
4904	schtasks.exe
4944	schtasks.exe
4840	schtasks.exe
5804	schtasks.exe
4756	schtasks.exe
4716	schtasks.exe
4880	schtasks.exe
4552	schtasks.exe
2104	schtasks.exe
5048	schtasks.exe
4868	schtasks.exe
4908	schtasks.exe
4736	schtasks.exe
792	schtasks.exe
4976	schtasks.exe
5004	schtasks.exe
5896	schtasks.exe
4024	schtasks.exe
4700	schtasks.exe
2788	schtasks.exe
4804	schtasks.exe
5668	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
3752	powershell.exe
3752	powershell.exe
752	powershell.exe
752	powershell.exe
3592	powershell.exe
3592	powershell.exe
4532	powershell.exe
4532	powershell.exe
5548	powershell.exe
5548	powershell.exe
4124	powershell.exe
4124	powershell.exe
5700	powershell.exe
5700	powershell.exe
6132	powershell.exe
6132	powershell.exe
5596	powershell.exe
5596	powershell.exe
4444	powershell.exe
4444	powershell.exe
6132	powershell.exe
3752	powershell.exe
752	powershell.exe
3592	powershell.exe
5700	powershell.exe
5596	powershell.exe
4532	powershell.exe
5548	powershell.exe
4444	powershell.exe
4124	powershell.exe
468	SearchApp.exe
5100	SearchApp.exe
1864	SearchApp.exe
736	SearchApp.exe
404	SearchApp.exe
2556	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	5700	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	468	SearchApp.exe
Token: SeDebugPrivilege	5100	SearchApp.exe
Token: SeDebugPrivilege	1864	SearchApp.exe
Token: SeDebugPrivilege	736	SearchApp.exe
Token: SeDebugPrivilege	404	SearchApp.exe
Token: SeDebugPrivilege	2556	SearchApp.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 6132	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	119
PID 2160 wrote to memory of 6132	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	119
PID 2160 wrote to memory of 4124	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	120
PID 2160 wrote to memory of 4124	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	120
PID 2160 wrote to memory of 752	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	121
PID 2160 wrote to memory of 752	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	121
PID 2160 wrote to memory of 5596	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	122
PID 2160 wrote to memory of 5596	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	122
PID 2160 wrote to memory of 3752	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	123
PID 2160 wrote to memory of 3752	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	123
PID 2160 wrote to memory of 3592	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	124
PID 2160 wrote to memory of 3592	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	124
PID 2160 wrote to memory of 5700	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	126
PID 2160 wrote to memory of 5700	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	126
PID 2160 wrote to memory of 4532	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	127
PID 2160 wrote to memory of 4532	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	127
PID 2160 wrote to memory of 5548	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	129
PID 2160 wrote to memory of 5548	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	129
PID 2160 wrote to memory of 4444	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	130
PID 2160 wrote to memory of 4444	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	130
PID 2160 wrote to memory of 1688	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	139
PID 2160 wrote to memory of 1688	2160	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	139
PID 1688 wrote to memory of 5620	1688	cmd.exe	141
PID 1688 wrote to memory of 5620	1688	cmd.exe	141
PID 1688 wrote to memory of 468	1688	cmd.exe	144
PID 1688 wrote to memory of 468	1688	cmd.exe	144
PID 468 wrote to memory of 5256	468	SearchApp.exe	145
PID 468 wrote to memory of 5256	468	SearchApp.exe	145
PID 468 wrote to memory of 5892	468	SearchApp.exe	146
PID 468 wrote to memory of 5892	468	SearchApp.exe	146
PID 5256 wrote to memory of 5100	5256	WScript.exe	147
PID 5256 wrote to memory of 5100	5256	WScript.exe	147
PID 5100 wrote to memory of 1656	5100	SearchApp.exe	148
PID 5100 wrote to memory of 1656	5100	SearchApp.exe	148
PID 5100 wrote to memory of 2628	5100	SearchApp.exe	149
PID 5100 wrote to memory of 2628	5100	SearchApp.exe	149
PID 1656 wrote to memory of 1864	1656	WScript.exe	156
PID 1656 wrote to memory of 1864	1656	WScript.exe	156
PID 1864 wrote to memory of 4976	1864	SearchApp.exe	158
PID 1864 wrote to memory of 4976	1864	SearchApp.exe	158
PID 1864 wrote to memory of 2508	1864	SearchApp.exe	159
PID 1864 wrote to memory of 2508	1864	SearchApp.exe	159
PID 4976 wrote to memory of 736	4976	WScript.exe	160
PID 4976 wrote to memory of 736	4976	WScript.exe	160
PID 736 wrote to memory of 3052	736	SearchApp.exe	161
PID 736 wrote to memory of 3052	736	SearchApp.exe	161
PID 736 wrote to memory of 4928	736	SearchApp.exe	162
PID 736 wrote to memory of 4928	736	SearchApp.exe	162
PID 3052 wrote to memory of 404	3052	WScript.exe	163
PID 3052 wrote to memory of 404	3052	WScript.exe	163
PID 404 wrote to memory of 4804	404	SearchApp.exe	164
PID 404 wrote to memory of 4804	404	SearchApp.exe	164
PID 404 wrote to memory of 5020	404	SearchApp.exe	165
PID 404 wrote to memory of 5020	404	SearchApp.exe	165
PID 4804 wrote to memory of 2556	4804	WScript.exe	167
PID 4804 wrote to memory of 2556	4804	WScript.exe	167
PID 2556 wrote to memory of 4376	2556	SearchApp.exe	168
PID 2556 wrote to memory of 4376	2556	SearchApp.exe	168
PID 2556 wrote to memory of 5264	2556	SearchApp.exe	169
PID 2556 wrote to memory of 5264	2556	SearchApp.exe	169

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
"C:\Users\Admin\AppData\Local\Temp\e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5MD6wKU2UC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5620
- - C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
    "C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:468
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e4db0b-39ac-4d29-9065-0859bff8db06.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5256
    - - C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5100
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba90cd6c-dc92-4477-b765-4d5bceb81c6f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a10800f1-dc95-414e-8209-fefce50af8cd.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38abea96-73d9-4049-835a-beaa6ea10cae.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f7be4eb-8ea4-487e-95b8-7f0a1a1727f1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5796e0-80e0-498c-ab2d-6f317e6b148e.vbs"
        14⤵
        
        PID:4376
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        15⤵
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0815dfee-c08b-4055-af1e-65dd35df7507.vbs"
        16⤵
        
        PID:3784
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        17⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e908273a-69da-4af9-92b0-7b70d98ae560.vbs"
        18⤵
        
        PID:3936
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        19⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0df82ac6-e292-4c32-aab3-f3d5826f3329.vbs"
        20⤵
        
        PID:5380
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        
        C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe
        21⤵
        
        PID:5028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9608ded3-d63b-4094-8090-231f20f49534.vbs"
        22⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ddd7d26-ba52-4d0b-b985-a5627c17b329.vbs"
        22⤵
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\311440b1-a3ba-47cb-a3c6-4a9f504bb638.vbs"
        20⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72327295-0424-449c-8253-8ad546b74093.vbs"
        18⤵
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c196b98-bd49-4f27-a35a-e646d6001838.vbs"
        16⤵
        
        PID:4016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d92869fc-3921-4aa2-88a1-33c2d263c06d.vbs"
        14⤵
        
        PID:5264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9baef09f-fdbd-4cd5-a68d-8ac7229b8a18.vbs"
        12⤵
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2b6ce7-e114-4f9e-9898-9838df8e2868.vbs"
        10⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6b30ed-f15b-4be1-825e-775367b45f70.vbs"
        8⤵
        
        PID:2508
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e42edd-2af6-4977-97d8-d36e6ccc7546.vbs"
        6⤵
        
        PID:2628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5644edd-9886-4e76-acc2-714ecf4ca034.vbs"
      4⤵
      PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe

Filesize
1.9MB

MD5
8b90b02faca36074af1577d7195ee6a6

SHA1
58a84f82276f92154be4271244a6bc0d1837c33f

SHA256
e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c

SHA512
2a38045191bfb8b2bdce869181ea1d4bd8745dbd87e6ea062ecbe4e9b04ab5aac96a8428790fde989b26c41137b830c7b76efddd4361c60cee2c9203d31ad8f1

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe

Filesize
1.9MB

MD5
4f1115054f34867a2514fc477e23df06

SHA1
8522664406dbb6d596c7f2f6dad6d91c288891d0

SHA256
e0ab78dc068d308eabf7a82cf4bfaa590e112af711b88836bd6edebfe7ee8bf8

SHA512
05e6b1c1cd0969e97aa79072b1eaf58d2a8f76ea3defa5bc5ee47f6d5d232eacb3f0eff12757b01c19435b22835c6bbea1533a670386b09797765826db150719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d7d84a994df407b45490027d1612f49

SHA1
9f22036fe3c9358da3eabd190a220bfa08f62718

SHA256
e607522b5d77da294a31952705d11b5695fea11106565684616582659d8af895

SHA512
d04684f622730856b67800acf437ad16db02505f0c42f8d7439cf2855a7a294160a7b77691582eb22971bf286041d869eda3fe7d0f3aca3d40fa29be8b6046b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ceb796de20c8360e1e53623d78696e8a

SHA1
52e20d1bb718b5e04290816c3c740d8f89265bcb

SHA256
cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321

SHA512
2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f54d7d7262a9974f53a194eebd80d0a7

SHA1
19505c65eade0d55fff9914caff301111241f936

SHA256
db41b7bfa6b08e8d30dae5a32580d8c14a54f637e56e25c6a00433411332d7c0

SHA512
b51d51c50d8b50d19095a38332895069dfa10a2fddca1c63cc47bd0e379491566d12e2e48ec6bfa03580c2d9b0a5a61adb06d659f9cc37e5be8b14b214b9b395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76c4d3c87da7e0fe580b97f942028fe6

SHA1
d182259b34f7c96471edd28e97470888ffe150d1

SHA256
d9f1c9c92ee57bbb51767eeba0cdab1c3b11d4cd735f07fc206b6f2014f15439

SHA512
23466bc0414638ac0d90ecf79e47c21fbe7a0308acb69d64b4cc72ae6cf045b66147c54ae7488ca76391b0fffd7c7ca39d093789b25af720b8a0e62f3e0841ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\0815dfee-c08b-4055-af1e-65dd35df7507.vbs

Filesize
764B

MD5
833818845678065163f3767cd917b991

SHA1
94a27bfb4e7ea63ce816a387bc20678cb88985d9

SHA256
59890954ee889e723181b4d9b51d4d967b8c146d75eba2c63c3bbc45246b49cf

SHA512
e30e9faaac52e52f9eb929bcb89910013a889a309f28cb875cc65f953daf33b754e4b54fb87234f8ab0d5c168eacbcf76ac1c7b9723949d52f03f458ae1a8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\0df82ac6-e292-4c32-aab3-f3d5826f3329.vbs

Filesize
764B

MD5
8bd5acca94be81569cc5cd6c09a44fa0

SHA1
590b29c1415e08c3e1253898be4494aa889cde10

SHA256
962ea20c3f4466284a2d14a947fe969406f989a478829501e53142404228a76b

SHA512
b0b3c4c63a3b4553d724af559562b85fc66aab60969a15a235ce3f08804af889369e25d8503f9fd5f0f3a10d88cc9b22cdffe14d9bdab594cf0cfed00b365bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\38abea96-73d9-4049-835a-beaa6ea10cae.vbs

Filesize
763B

MD5
20f879017e10c79583f8da7cd8f6af7e

SHA1
d71ebbdc2ff79a4a5916c3705087664dfa77ed12

SHA256
0e73fa62cfb98a7c06b0e491422ab1db71cf70a256deaea8823f7cdfff64bc93

SHA512
eb38b67eee0300b47a4c316e0e30713c366fb21b17bbad58884cea3c01088cbc9f61a815090013e15442385919c6d8dac3a69ca007a2bd8e449abe03402d4c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MD6wKU2UC.bat

Filesize
253B

MD5
a35844b470361dd9b450f24490ae7365

SHA1
5aa24bb853fdeb634d64f25971d4510f966882e4

SHA256
0d88097e1c575ddf919cfffcf1b41a7ce7d10e40c371653cc3cc4fa892d87923

SHA512
c50d90928e9aae9372bd2442f8e1b0309803962da07a7e4365632c7e0f486b7b3bc3c562e20a8affa507a8b743c64678688c8729213eef9c78c279261315a336

Download Submit
C:\Users\Admin\AppData\Local\Temp\8499234c4caf13bb1dea353e8c8040441e0baf33.exe

Filesize
1.4MB

MD5
fcf3093b6f87187787968d12c5788dec

SHA1
f97e0702b66c0be29ba8af1b3379aac99721c6d1

SHA256
12ef74dff5dfc745921ac9711ea35a818a695c738cf39efb589d0d1838cf2f6c

SHA512
df5f9c65c46a53f5c2e08deb8895ac5a53d832904971239b80422e904b7b829fafd1b86bbad126dc9b2e29028fbfdf580dff301c5d95873b895d9ee64fd6fd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c5796e0-80e0-498c-ab2d-6f317e6b148e.vbs

Filesize
764B

MD5
bdd11d394609e7ac649d2ea2f559504e

SHA1
433eb29795af89a365355a1a7aba303726adcda4

SHA256
3f2519d0e4f9a6608f0f5a0c3fa604cb6be7f8b341dcb0573efdbfe041d30ce8

SHA512
ba917a1352cf2aadc9be0a45a5a06776c91fd86d6f1bdc2230142c9086b38e5f3edf81b32dbd6854ddcb807377002234ebff55f50ab4cf79484f8eababcf61f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f7be4eb-8ea4-487e-95b8-7f0a1a1727f1.vbs

Filesize
763B

MD5
fdbba90524bd71ed8f855d6d7a75edcb

SHA1
e3dbc1588c8f2b78684399d3ee9a89c34c06339a

SHA256
b8086f1d1a67a6571fa689cb0b62f1c9e477d411ae0637b8f1a886447f2c85b2

SHA512
f7cab813ed2adffd9ff6a1f5a1376b3021af3c34ed2aad9ac7c3afb40ab695d9c24eb28515861c3b160c8af9d124b471814c84888164aac388c84de72ade0cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\9608ded3-d63b-4094-8090-231f20f49534.vbs

Filesize
764B

MD5
e3549ef3d928dab8be241852ffc04ff1

SHA1
081566f2ea5060254259e04d2a2c4c3761d6573f

SHA256
24fa7c3cb74a27fb2311529030c746381f2f2339c28ed0a963fa4d85ac48c32c

SHA512
6f70b698968b6572947d43867aef28234c3d67c8f2f43247b8dc693210c472ff72dad1e0386ebbb3222676bfef4a4fff2e720090344f2a72290d08792606217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4uowuxr.5ez.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a10800f1-dc95-414e-8209-fefce50af8cd.vbs

Filesize
764B

MD5
c41b49f2e9a1b7009c97498214e8741b

SHA1
0f86e973c112e5bc520bf09c01ef8ad9761ce31f

SHA256
a159f87818393fc804b06e79e3ad098e8686e311d41fdded6bd1b9b98a185d6a

SHA512
343e3718a9753b6a04f15a5e49883809edf654d2fae01039b7ebf50e6d4d42635f3b882b961260bcbf5099d7e11bc55c3a1fe4b0b7735821d862694babe767f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5644edd-9886-4e76-acc2-714ecf4ca034.vbs

Filesize
540B

MD5
8003ba0e46e09df64baffc76b1fe201d

SHA1
eb0b4022d3908ae8e66e3b8cfef31c599a3d028a

SHA256
1590d6270426826149550797e5ecbef4f3276b40755165e2627ad73ccea764aa

SHA512
a7cd6a95f8fde152decd841f0383aac1211688d166837fb4b9fa28d64c50b94b92329ddb80febeb3dc89ca08617c50ace80befd11475226de35c6ad04dc4070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba90cd6c-dc92-4477-b765-4d5bceb81c6f.vbs

Filesize
764B

MD5
6cc64d30820ea4fbb74ea9cd47edef1e

SHA1
69a11a7f19f07c9e178da1ce65f1c408660a0ee7

SHA256
2db62068b4488320c0643fd35d44bc4fa7934f179d304175513509c43c2906ea

SHA512
2a38ff087e28074aef56f3704a4961b965ec256d887e64423085c6c9ba12221d6a6d9b7d55687f7ff0e3e9e0c69a8801e2e6bc8a8c0bdb684e53d3c356e42285

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5e4db0b-39ac-4d29-9065-0859bff8db06.vbs

Filesize
763B

MD5
24f97e1556e66d7c88113e1d8e643482

SHA1
64a9d06313df956bd39f45aa51e7b3f014ac0dce

SHA256
0edcfbf42c01facf9822d1c66dd77db4403f11074299552860644e4cc86d6141

SHA512
ef98c4ed7fc4ea56be12fd82b7c18876ecc1547b0d5fba3c51989385c45f2c838935abb498ea40dcc9e0aec4c9d4cb1e7c7e6a348691ba94d29b2f5d112611b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e908273a-69da-4af9-92b0-7b70d98ae560.vbs

Filesize
764B

MD5
78fb390387a1a946332f4ba49eb907bd

SHA1
dfa84a1124ee71817180b180e43586d2f509ba11

SHA256
764d0c2aa28d3837b16d5bd80078fd154c8d31c0728bde415e4573aa654230f2

SHA512
bfa2b01cd591b29313d45a6108104ccef4d65dcd026d72df8033b17289281017d652aacbb6ef2ce1d471ed88bdcbb01f6f6726d5e2544290f984ee4b135e58d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\fontdrvhost.exe

Filesize
1.9MB

MD5
4c40a71d3f26e6ccb76ab2763a7623a0

SHA1
f2f8987a67f6700e852ed116cec4f6971ff60ea4

SHA256
b2d246978a5e5795b367cf1989ca8739b52e8dd391e2bf3dd6e59367e843047c

SHA512
0f55330cbc06597c21adbb835bf18e8734ec38e4350c9d3fd5a967810be0485094fcf099c4e08bab6c507fed0595ce8618f0b500045c8a8a3050da30f884f500

Download Submit
C:\Users\Default\lsass.exe

Filesize
1.9MB

MD5
3992f9c7406b872c419653c727c5f937

SHA1
0728ad01aeedb134a68bd867eba20cd3723973df

SHA256
ecb070a54acf20ee04f6ed4047d5ccbcaac43e8bc53c6ae1690d11f6a640c4fc

SHA512
48341e621094084118426c3902c0285ed9a541e78193b05360d25c79894cb346bf013b9f9983a2014606e981a8ac63dc31fcd331b769538b87267455f3f64fd1

Download Submit
C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe

Filesize
1.9MB

MD5
6edecf248ac9d5333f14d9a20b4c0bed

SHA1
e06f23c2fe334881d18bb5f3bc0ef689c3cf908a

SHA256
1abb77efe7a03e30298035fb3974971dee261948acd2268f99e1d7e23b1ffd83

SHA512
fe7f545b4da8bcd853074da01a5022df765e73a53839753c1a27bc5f45ccacf85c4b5e065248a47b8acc5ba94544c4532061d9a07b479a555a78feb6120736bb

Download Submit
C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\SearchApp.exe

Filesize
1.6MB

MD5
922d767dd8c384ce721306682ae1fce6

SHA1
1d858382e4925daa8d1e1857e3a5aaaefd843e4b

SHA256
b771137199b73b21eda7a56adfad3d4211647062e24069e9764874bfa8cea958

SHA512
c8ded27953190b677050cdf81fb30d785b3d63f0f201c2fdf7db2b02e3f872295916a4a2c3ec2eda5640524ec984c4397382733195840a4a493d659893095e8e

Download Submit
memory/468-269-0x0000000000F80000-0x000000000116A000-memory.dmp

Filesize
1.9MB

Download
memory/1864-294-0x000000001AEC0000-0x000000001AED2000-memory.dmp

Filesize
72KB

Download
memory/2160-14-0x000000001C980000-0x000000001CEA8000-memory.dmp

Filesize
5.2MB

Download
memory/2160-13-0x000000001BA10000-0x000000001BA22000-memory.dmp

Filesize
72KB

Download
memory/2160-172-0x00007FFC464A0000-0x00007FFC46F61000-memory.dmp

Filesize
10.8MB

Download
memory/2160-16-0x000000001C060000-0x000000001C06A000-memory.dmp

Filesize
40KB

Download
memory/2160-17-0x000000001C070000-0x000000001C07E000-memory.dmp

Filesize
56KB

Download
memory/2160-18-0x000000001C080000-0x000000001C088000-memory.dmp

Filesize
32KB

Download
memory/2160-20-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/2160-19-0x000000001C090000-0x000000001C09C000-memory.dmp

Filesize
48KB

Download
memory/2160-15-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/2160-0-0x00007FFC464A3000-0x00007FFC464A5000-memory.dmp

Filesize
8KB

Download
memory/2160-1-0x0000000000A50000-0x0000000000C3A000-memory.dmp

Filesize
1.9MB

Download
memory/2160-2-0x00007FFC464A0000-0x00007FFC46F61000-memory.dmp

Filesize
10.8MB

Download
memory/2160-11-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/2160-10-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/2160-9-0x000000001BE40000-0x000000001BE96000-memory.dmp

Filesize
344KB

Download
memory/2160-7-0x000000001B970000-0x000000001B986000-memory.dmp

Filesize
88KB

Download
memory/2160-8-0x000000001B990000-0x000000001B99A000-memory.dmp

Filesize
40KB

Download
memory/2160-5-0x0000000003070000-0x0000000003078000-memory.dmp

Filesize
32KB

Download
memory/2160-6-0x000000001B850000-0x000000001B860000-memory.dmp

Filesize
64KB

Download
memory/2160-3-0x0000000003050000-0x000000000306C000-memory.dmp

Filesize
112KB

Download
memory/2160-4-0x000000001B9C0000-0x000000001BA10000-memory.dmp

Filesize
320KB

Download
memory/2788-361-0x000000001B440000-0x000000001B452000-memory.dmp

Filesize
72KB

Download
memory/3752-160-0x00000245370E0000-0x0000024537102000-memory.dmp

Filesize
136KB

Download
memory/5100-282-0x000000001B340000-0x000000001B352000-memory.dmp

Filesize
72KB

Download