189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Size

1.9MB
MD5

9f30385fab69f24df7f2e9403fb5465e
SHA1

1f9027f32b0ad3b0783679096649f9941bc7e802
SHA256

896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17
SHA512

3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2928	schtasks.exe	31

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
2112	powershell.exe
2472	powershell.exe
2208	powershell.exe
1580	powershell.exe
2768	powershell.exe
2460	powershell.exe
1952	powershell.exe
1544	powershell.exe
1964	powershell.exe
2556	powershell.exe
2636	powershell.exe
2456	powershell.exe
1860	powershell.exe
1044	powershell.exe
1936	powershell.exe
2612	powershell.exe
680	powershell.exe
2304	powershell.exe
2088	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Executes dropped EXE 7 IoCs

pid	Process
3004	OSPPSVC.exe
1720	OSPPSVC.exe
2452	OSPPSVC.exe
1544	OSPPSVC.exe
2716	OSPPSVC.exe
2932	OSPPSVC.exe
2472	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXE880.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Java\lsass.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCXDA9E.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXF73B.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFE25.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\cc11b995f2a76d	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Java\RCXDCA3.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\Idle.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Windows Mail\ja-JP\wininit.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXF248.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXF73C.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXFB45.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXFBB3.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Internet Explorer\es-ES\886983d96e3d3e	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Windows Mail\ja-JP\56085415360792	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Windows Portable Devices\7bdb82b19b001b	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Java\lsass.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXE12A.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXE40A.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXE60F.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\wininit.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXDEB9.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXE8EE.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXF2C5.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFDB7.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\886983d96e3d3e	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Internet Explorer\es-ES\csrss.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCXDA9F.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Java\RCXDCA4.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\winlogon.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Java\6203df4a6bafc7	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Google\CrashReports\1610b97d3ab4a7	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Windows Mail\ja-JP\Idle.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Windows Mail\ja-JP\6ccacd8608530f	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\winlogon.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\explorer.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXDEB8.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXE198.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXE39C.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXE60E.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\csrss.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppCompat\Programs\RCXD696.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\AppCompat\Programs\WmiPrvSE.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Media\Savanna\RCXF940.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Media\Savanna\RCXF941.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\AppCompat\Programs\24dbde2999530e	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\Media\Savanna\5940a34987c991	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXD618.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Media\Savanna\dllhost.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\AppCompat\Programs\WmiPrvSE.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\Media\Savanna\dllhost.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe
1084	schtasks.exe
532	schtasks.exe
1160	schtasks.exe
3016	schtasks.exe
2332	schtasks.exe
548	schtasks.exe
2712	schtasks.exe
2276	schtasks.exe
2756	schtasks.exe
2076	schtasks.exe
1576	schtasks.exe
2704	schtasks.exe
1684	schtasks.exe
1376	schtasks.exe
544	schtasks.exe
2472	schtasks.exe
664	schtasks.exe
776	schtasks.exe
1384	schtasks.exe
3044	schtasks.exe
1812	schtasks.exe
2532	schtasks.exe
680	schtasks.exe
2232	schtasks.exe
1848	schtasks.exe
2536	schtasks.exe
2824	schtasks.exe
2684	schtasks.exe
2016	schtasks.exe
2796	schtasks.exe
2096	schtasks.exe
336	schtasks.exe
2244	schtasks.exe
1948	schtasks.exe
1728	schtasks.exe
2092	schtasks.exe
2976	schtasks.exe
2720	schtasks.exe
2744	schtasks.exe
2924	schtasks.exe
2688	schtasks.exe
1636	schtasks.exe
2456	schtasks.exe
2612	schtasks.exe
1860	schtasks.exe
1748	schtasks.exe
2400	schtasks.exe
1604	schtasks.exe
2792	schtasks.exe
2524	schtasks.exe
872	schtasks.exe
1792	schtasks.exe
1480	schtasks.exe
2372	schtasks.exe
2360	schtasks.exe
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
2636	powershell.exe
1936	powershell.exe
2340	powershell.exe
2112	powershell.exe
1964	powershell.exe
2556	powershell.exe
680	powershell.exe
1044	powershell.exe
2460	powershell.exe
2208	powershell.exe
2612	powershell.exe
2456	powershell.exe
1544	powershell.exe
1860	powershell.exe
2088	powershell.exe
2768	powershell.exe
1952	powershell.exe
2472	powershell.exe
2304	powershell.exe
1580	powershell.exe
3004	OSPPSVC.exe
1720	OSPPSVC.exe
2452	OSPPSVC.exe
1544	OSPPSVC.exe
2716	OSPPSVC.exe
2932	OSPPSVC.exe
2472	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3004	OSPPSVC.exe
Token: SeDebugPrivilege	1720	OSPPSVC.exe
Token: SeDebugPrivilege	2452	OSPPSVC.exe
Token: SeDebugPrivilege	1544	OSPPSVC.exe
Token: SeDebugPrivilege	2716	OSPPSVC.exe
Token: SeDebugPrivilege	2932	OSPPSVC.exe
Token: SeDebugPrivilege	2472	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2636	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	89
PID 2128 wrote to memory of 2636	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	89
PID 2128 wrote to memory of 2636	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	89
PID 2128 wrote to memory of 2340	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	90
PID 2128 wrote to memory of 2340	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	90
PID 2128 wrote to memory of 2340	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	90
PID 2128 wrote to memory of 2612	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	93
PID 2128 wrote to memory of 2612	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	93
PID 2128 wrote to memory of 2612	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	93
PID 2128 wrote to memory of 680	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	94
PID 2128 wrote to memory of 680	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	94
PID 2128 wrote to memory of 680	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	94
PID 2128 wrote to memory of 1044	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	95
PID 2128 wrote to memory of 1044	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	95
PID 2128 wrote to memory of 1044	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	95
PID 2128 wrote to memory of 2208	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	96
PID 2128 wrote to memory of 2208	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	96
PID 2128 wrote to memory of 2208	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	96
PID 2128 wrote to memory of 2456	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	97
PID 2128 wrote to memory of 2456	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	97
PID 2128 wrote to memory of 2456	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	97
PID 2128 wrote to memory of 1860	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	98
PID 2128 wrote to memory of 1860	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	98
PID 2128 wrote to memory of 1860	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	98
PID 2128 wrote to memory of 2112	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	99
PID 2128 wrote to memory of 2112	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	99
PID 2128 wrote to memory of 2112	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	99
PID 2128 wrote to memory of 1936	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	100
PID 2128 wrote to memory of 1936	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	100
PID 2128 wrote to memory of 1936	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	100
PID 2128 wrote to memory of 2472	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	101
PID 2128 wrote to memory of 2472	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	101
PID 2128 wrote to memory of 2472	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	101
PID 2128 wrote to memory of 1544	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	102
PID 2128 wrote to memory of 1544	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	102
PID 2128 wrote to memory of 1544	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	102
PID 2128 wrote to memory of 1964	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	103
PID 2128 wrote to memory of 1964	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	103
PID 2128 wrote to memory of 1964	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	103
PID 2128 wrote to memory of 1952	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	105
PID 2128 wrote to memory of 1952	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	105
PID 2128 wrote to memory of 1952	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	105
PID 2128 wrote to memory of 2460	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	107
PID 2128 wrote to memory of 2460	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	107
PID 2128 wrote to memory of 2460	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	107
PID 2128 wrote to memory of 2768	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	109
PID 2128 wrote to memory of 2768	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	109
PID 2128 wrote to memory of 2768	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	109
PID 2128 wrote to memory of 2088	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	110
PID 2128 wrote to memory of 2088	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	110
PID 2128 wrote to memory of 2088	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	110
PID 2128 wrote to memory of 1580	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	112
PID 2128 wrote to memory of 1580	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	112
PID 2128 wrote to memory of 1580	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	112
PID 2128 wrote to memory of 2556	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	113
PID 2128 wrote to memory of 2556	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	113
PID 2128 wrote to memory of 2556	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	113
PID 2128 wrote to memory of 2304	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	114
PID 2128 wrote to memory of 2304	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	114
PID 2128 wrote to memory of 2304	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	114
PID 2128 wrote to memory of 2792	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	127
PID 2128 wrote to memory of 2792	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	127
PID 2128 wrote to memory of 2792	2128	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	127
PID 2792 wrote to memory of 2704	2792	cmd.exe	131

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
"C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Savanna\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYzffUCe2L.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2704
- - C:\Users\Default\Application Data\OSPPSVC.exe
    "C:\Users\Default\Application Data\OSPPSVC.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1d7c1b1-a1bd-448e-bdee-a0a0ed816b21.vbs"
      4⤵
      PID:2188
    - - C:\Users\Default\Application Data\OSPPSVC.exe
        
        "C:\Users\Default\Application Data\OSPPSVC.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e7f449-21e2-4cff-9492-e222ad5b0118.vbs"
        6⤵
        
        PID:2136
        
        C:\Users\Default\Application Data\OSPPSVC.exe
        
        "C:\Users\Default\Application Data\OSPPSVC.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bab4ebd-a601-40ea-a308-05dd966e80c2.vbs"
        8⤵
        
        PID:1288
        
        C:\Users\Default\Application Data\OSPPSVC.exe
        
        "C:\Users\Default\Application Data\OSPPSVC.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2efa2c24-9816-43fd-8b3d-c64d452734be.vbs"
        10⤵
        
        PID:2712
        
        C:\Users\Default\Application Data\OSPPSVC.exe
        
        "C:\Users\Default\Application Data\OSPPSVC.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\217d4e08-9b7a-45b3-9ab0-68301137d07e.vbs"
        12⤵
        
        PID:2552
        
        C:\Users\Default\Application Data\OSPPSVC.exe
        
        "C:\Users\Default\Application Data\OSPPSVC.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb11565a-d025-48b8-a1e3-38fdfb309b78.vbs"
        14⤵
        
        PID:1704
        
        C:\Users\Default\Application Data\OSPPSVC.exe
        
        "C:\Users\Default\Application Data\OSPPSVC.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4740e5d2-257f-46c8-9530-9ff189dc6cd4.vbs"
        14⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\220f03a9-f6e0-4d20-8041-481196a67807.vbs"
        12⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85927e21-1f27-4ce9-aa56-3e7ab6383ca5.vbs"
        10⤵
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e60bda6-b86c-484b-9c03-d3bf5b95e6ac.vbs"
        8⤵
        
        PID:1512
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11d5482b-9d55-4d06-ab45-3c37cd354c81.vbs"
        6⤵
        
        PID:3028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\845f6752-e2b9-4d37-b665-9bf92a371ac3.vbs"
      4⤵
      PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b178" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b178" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe

Filesize
1.9MB

MD5
07b7c94ec0c39cb7de8b356c8dc27408

SHA1
14500cbc0dd87b96c22982c9fe1ddf3acbb6999e

SHA256
3553967c47e1a880e0a2598484976e507d8df8eb01488253a9480ab5811f4820

SHA512
f552d887bd3818bb51299408b2a65a0eddc1f588b62f3e134cd89c0c968bfb49cfdbff4d208118da2e4141568548f939e4e7a40269d76daf32c0140c15ed4e90

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe

Filesize
1.9MB

MD5
469094f26e434d35a41fa39cdb7af7eb

SHA1
c3fe293ef7ba686cc91895ed0833834e160646f4

SHA256
6b5fe892b41ee35d3319c7603f5df23535cf3034335d1cc359848b6f622fefdc

SHA512
aba8a8a9448df7d425b250f357931ff40094ddee716bbe11ecf88929ec14f80aa7e1601c119636b0b862427970ccd714963b95bcdfc679d32d9e79351623e344

Download Submit
C:\Program Files (x86)\Windows Media Player\csrss.exe

Filesize
1.9MB

MD5
9c40040df8049f58c2865912037b2c13

SHA1
9dfc9cfa18d30204f3c5de404c2b6f1e4ace9b72

SHA256
7d7cb67cc7bdff8cf2cc02e742f2913ee831a2faf5071904d8d274c903e3dbe5

SHA512
f0d2bbe199ef0761105740bd02664c8c747b608ba01c11101c9cab12e9b0fb392a96574573a94b820d735be08a3e4b5af6686604e61461cfa12a93207a0d8c57

Download Submit
C:\Program Files\Java\lsass.exe

Filesize
1.9MB

MD5
9f30385fab69f24df7f2e9403fb5465e

SHA1
1f9027f32b0ad3b0783679096649f9941bc7e802

SHA256
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17

SHA512
3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc

Download Submit
C:\Program Files\Windows Mail\ja-JP\Idle.exe

Filesize
1.9MB

MD5
4fa10f41d79670fc72ef8475d6e42f01

SHA1
3d63459af142a98d98bff41e58ca0a29c42d35df

SHA256
ad0bd0a777e0198c44707d502319393db402bf4b57a27edfbb858b588b0d4337

SHA512
4f747046fa2df2ba98ee49af00ffc9c68e999ef997b053b3463f89d468e7b8492b66d11c38a877ab7ef37ac0953e8942609d5fc686c2b99ec80f5b168e1d5a03

Download Submit
C:\Program Files\Windows Mail\ja-JP\RCXE8EE.tmp

Filesize
1.9MB

MD5
b7ca6dfeeb907f337d5331d96fb8e43f

SHA1
8f55809ef499db379cf69a0c22591543766688cb

SHA256
190ebea75bd9206abd6a118f54c5d89cb16f454040e7097e1453416508969249

SHA512
373e8fdfc83455776ae21323082c4d6d14ef80c71b5e423a4eec273bdf67d0c0994e7afa791ab314c6664e164bfc7e558019c140464dcc7920d8d3f80f3f5f55

Download Submit
C:\Program Files\Windows Portable Devices\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Filesize
1.9MB

MD5
a8d0edfada995875aeee2ffc8bfb4b4b

SHA1
db040b2c9bfce3ca242db32d28bbcd37e7b693c8

SHA256
41a14db96eafbf6535e10b2206039b480af3d2d22f39f61d9139e6523336e0c0

SHA512
9a0868ec78eb5bc0eb6551bd839ddc4aca46db11f5d42728c51ab0a4ac74ed73a122d42e7de4ecd75072aa846fadb8317dd0b9d4881cbf28e25e7995d5e1c11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\217d4e08-9b7a-45b3-9ab0-68301137d07e.vbs

Filesize
721B

MD5
d8659003893e5b2f35325b6c30a0b69c

SHA1
e875b1d2a49bd5fcb8af98d5daf816ec4eb5d756

SHA256
5156be382dc226858b166ba283e877b635d7f605eeeca26c8da4e8c48238a29a

SHA512
7e5a007fd5bec6e0c7a811f72b649dafc5434896c281b9d48aaa9432119ae422554083d7f92a4d13bd00cbfd974da871856e65e76aac0beb54a909e1a8663b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2efa2c24-9816-43fd-8b3d-c64d452734be.vbs

Filesize
721B

MD5
6df5fa3355fb39faf9114c86d54945f3

SHA1
d2287d51ebc17af58bf5364a2e02ed730f298eb6

SHA256
35013f8e6b920dad77d9bad315cadcbea68135b224586c88835690f92bb0da03

SHA512
91d6be4a60a30006e53392f5dca60dcd777b9e2098ee28edc4d66c8dd64d5c9eb7d0499af2c4ce77cbd6aa8fa10fd44dd6b491b9651f6d380658a0514e179520

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bab4ebd-a601-40ea-a308-05dd966e80c2.vbs

Filesize
721B

MD5
a5d82d8edb6d28e76188d4f62a4fbef7

SHA1
985d21b4001b4850edeaebb58db1ac9cb19accdb

SHA256
e4bc666296e1cfa997a312258a1c886d083a6adab1008168e9f82eb1c7d5ddde

SHA512
8c351610eb38f98b347498d7477d11f232fad419cdcfdcd6d8a5a1f46cab09093ab550ba0a1ea10a13aaa72372340bcfe568fea04d87097b2d150f905ea176eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\845f6752-e2b9-4d37-b665-9bf92a371ac3.vbs

Filesize
497B

MD5
ae2edd37b10bbfe5393741847b1d6336

SHA1
f14a22d28571dc3b6ea603064b57538ab2377618

SHA256
cdd86660c0ba08142dac46d7d20ac6f11f17ea55912bccfdaa2b374055b58661

SHA512
1012f8d379e7761ab9b10c834d9ddf1253efb2057b486cef46572c781e78ed519d6ffd6b50d24c1526d48c24ad5ae1b5d348f0f1269a02bfc706fbe38376c0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYzffUCe2L.bat

Filesize
210B

MD5
3a958b5567a84d09ddbb80c089b188c4

SHA1
f6f8233e48d8e424d4377b9ef9cd049827083f38

SHA256
6d80423554ba6e3215bf4a122cb5900b3e41b4d9f66f414b3881bf3c44c3dbbc

SHA512
2658eb3226d112f9f616247af510f42fc296b70f4e9b2cac017cff3f45b96b8ba6f3c206b089d46deef4846620f3037b18a213367c1ef9b66ed6dae03d9c8db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb11565a-d025-48b8-a1e3-38fdfb309b78.vbs

Filesize
721B

MD5
5ea7e9b9695f83d9fb9c72b3466dd485

SHA1
cd077a0c98f952f716f3aef0692ef5884c8f4dbd

SHA256
c293dbcc06419456b2a3036811e0064b39b928997f46964d4a7c29dd6331a8ba

SHA512
acf0d27179063e2b318e3bf476cd6c17427d33bf7f87e577e8c664dd15034c553a92712b96dc9138bd70a65c5d336b595ec36d5ce0b8e5412c8505c8f2b51ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9e7f449-21e2-4cff-9492-e222ad5b0118.vbs

Filesize
721B

MD5
6d642b44d6db58e1a62bc4f3f5f8f909

SHA1
3c45f9077548a56b902659cbfd8869c82fbeed7a

SHA256
7c93efe6b0bd552bbc661a1768c2b6caa9dbd6eb481984083ebfe4ab11fdbf53

SHA512
1cf01cfcd1192571c15df5168d5c0acc28ba3fe67ec1d5110bc2db6b871eeaffc6ee94d9980db786c06ce4013be01e8bd3ef1b29f7d256bdccf1ca68a88ae787

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1d7c1b1-a1bd-448e-bdee-a0a0ed816b21.vbs

Filesize
721B

MD5
1349ffd93888fecf6192e452d2f3c915

SHA1
2b4fec336d23d3c61b85523f9b3c8433520c8ba1

SHA256
5a395fe3dd931ffa4ffcdb9fffca42fcd93b4c014482ec87fdc4b487fc5dc32d

SHA512
44b652fd5c07169103a6d7b5037c58b43dc29bcc6f8358ab6d4014d1522d484d4d43ffd442a0157a6eb8a17026d305bd53687568bfc2b9df805049eb7984ffe1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cd2c310aaa19c37bbaff15de22d4edc5

SHA1
30d1c70040a660a1371e09891b6795af68a6ea1c

SHA256
a289198d0f4344959aaa87354c99a0f950e766b8b51fcbbce1461442ea0430ff

SHA512
ef673b9cd8ca4a7019f3af32cbf79c1001064c419c7823e47d2d996233604938211da77ec0fad6cead290bcf6f236bfc1022de178f7986448c5b09407e827cd2

Download Submit
C:\Users\Admin\Links\RCXEB60.tmp

Filesize
1.9MB

MD5
e13d2e4bf753b67e6b6448f8a65941ff

SHA1
a7e606c218cacca0dd246b7aa564e0f6a612a63c

SHA256
7d9c97272ccdbe525d4836fc5c36a7d3780bd5ecd7e7888d2e5840b65816857d

SHA512
6945c856f5708735c86e1b44ef169b8671e3065498dfaa8ebdf110f698d1df791ff27c65c4e4aacf6ae25502e4087712050e6d09da14a57ae5d4c2851d846c72

Download Submit
C:\Users\Default\AppData\Roaming\OSPPSVC.exe

Filesize
1.9MB

MD5
ecbead103dc337300d7209c2fc4a9553

SHA1
c345b10dcb2bcae6f2d3981b0f81f1eaf635fa72

SHA256
12f6b618cb3533b9f541562ae160f80df9a9fa9e49b88d43e3400ac1fb382d78

SHA512
14a51cf6f49f321ca532e57b07fec7eea958ce81e20f834848d727232768b6a95591e9fe548133a9b12b87d0f30ee72b46d44a2cd99f745b5284bd54788d80c9

Download Submit
C:\Users\Public\Downloads\spoolsv.exe

Filesize
1.9MB

MD5
5f68d9dc1ea65f3fc09823cb84016dfe

SHA1
556630ae057883fb7bfc8f15a771105fd3d727a1

SHA256
4810a8c3d65ccd4f22a27720457a240383c9fd8177fcc2c36fa1c7feea0ec32d

SHA512
04caa202a8e524f1d6eb9a2cd475517f585545ffac21e9f66105249353de2884b93452419881ff36c761ee7d584f0c495feffafd1d790bf07178f402558c8712

Download Submit
C:\Windows\AppCompat\Programs\WmiPrvSE.exe

Filesize
1.9MB

MD5
7e3ea478eb98f534c43148329321062a

SHA1
9960c0ef84aa9a18f860f6bc8256c63d6bdc7fca

SHA256
217055098db54a2c49b0b7afc84982cf40d7b7fade8a283e75728d9fa48d5368

SHA512
3509f3d9e5600ad8629a7a5951ec7cc205b2b02d17437fd922171b9788fefb8b19a6a790068cc434f5ce5424cd3d358617b1fa239791bf1f1d1bb3a97b31df8a

Download Submit
memory/1544-427-0x0000000000EF0000-0x00000000010DA000-memory.dmp

Filesize
1.9MB

Download
memory/1720-401-0x0000000000230000-0x000000000041A000-memory.dmp

Filesize
1.9MB

Download
memory/1720-402-0x0000000002050000-0x00000000020A6000-memory.dmp

Filesize
344KB

Download
memory/1936-299-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2128-222-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-357-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-18-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2128-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2128-14-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2128-13-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2128-10-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2128-12-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2128-205-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000000C90000-0x0000000000E7A000-memory.dmp

Filesize
1.9MB

Download
memory/2128-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2128-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2128-2-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-8-0x0000000000AF0000-0x0000000000B46000-memory.dmp

Filesize
344KB

Download
memory/2128-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2128-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2128-16-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2128-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2128-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2128-15-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/2128-7-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2452-415-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2452-414-0x0000000000B10000-0x0000000000CFA000-memory.dmp

Filesize
1.9MB

Download
memory/2472-463-0x0000000000860000-0x0000000000A4A000-memory.dmp

Filesize
1.9MB

Download
memory/2636-300-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2716-439-0x0000000000640000-0x0000000000696000-memory.dmp

Filesize
344KB

Download
memory/2932-451-0x00000000000A0000-0x000000000028A000-memory.dmp

Filesize
1.9MB

Download
memory/3004-390-0x0000000000C50000-0x0000000000E3A000-memory.dmp

Filesize
1.9MB

Download