525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cdf89e8d2c2fb9a5db53881f501181d.exe
Size

1.9MB
MD5

6cdf89e8d2c2fb9a5db53881f501181d
SHA1

558eda84922e9824a2554414f5f049658d742575
SHA256

d3f54d4b32b7125991bc4a5543f24c536e16c8ac77eba12aad61256817d7ea97
SHA512

65f11caefff09248fef65676f439dc665fb9a540dc6faf90d7b318859c4f4b7cffe7e74de8f57296420a9e051cc929aecf55c509f6c933f5d53c0af43bf61cfd
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4664	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	4664	schtasks.exe	89

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1936	powershell.exe
1532	powershell.exe
3184	powershell.exe
1188	powershell.exe
3508	powershell.exe
1536	powershell.exe
5104	powershell.exe
4540	powershell.exe
5032	powershell.exe
4904	powershell.exe
2524	powershell.exe
3704	powershell.exe
4836	powershell.exe
4276	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6cdf89e8d2c2fb9a5db53881f501181d.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	6cdf89e8d2c2fb9a5db53881f501181d.exe

Executes dropped EXE 6 IoCs

pid	Process
5164	sppsvc.exe
2424	sppsvc.exe
5340	sppsvc.exe
540	sppsvc.exe
5700	sppsvc.exe
6136	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6cdf89e8d2c2fb9a5db53881f501181d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\9e8d7a4ca61bd9	6cdf89e8d2c2fb9a5db53881f501181d.exe
File created	C:\Program Files\Crashpad\6ccacd8608530f	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX80A6.tmp	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX8124.tmp	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Program Files\Google\Chrome\RuntimeBroker.exe	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Program Files\Crashpad\RCX919C.tmp	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Program Files\Crashpad\Idle.exe	6cdf89e8d2c2fb9a5db53881f501181d.exe
File created	C:\Program Files\Google\Chrome\RuntimeBroker.exe	6cdf89e8d2c2fb9a5db53881f501181d.exe
File created	C:\Program Files\Crashpad\Idle.exe	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Program Files\Crashpad\RCX919D.tmp	6cdf89e8d2c2fb9a5db53881f501181d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\schemas\smss.exe	6cdf89e8d2c2fb9a5db53881f501181d.exe
File created	C:\Windows\schemas\69ddcba757bf72	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Windows\schemas\RCX78EF.tmp	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Windows\schemas\RCX791F.tmp	6cdf89e8d2c2fb9a5db53881f501181d.exe
File opened for modification	C:\Windows\schemas\smss.exe	6cdf89e8d2c2fb9a5db53881f501181d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6cdf89e8d2c2fb9a5db53881f501181d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4136	schtasks.exe
4540	schtasks.exe
2884	schtasks.exe
3500	schtasks.exe
4396	schtasks.exe
3600	schtasks.exe
2068	schtasks.exe
856	schtasks.exe
4356	schtasks.exe
4904	schtasks.exe
1936	schtasks.exe
4040	schtasks.exe
4048	schtasks.exe
4272	schtasks.exe
2360	schtasks.exe
1508	schtasks.exe
3900	schtasks.exe
2192	schtasks.exe
1436	schtasks.exe
4800	schtasks.exe
4492	schtasks.exe
532	schtasks.exe
552	schtasks.exe
1664	schtasks.exe
3384	schtasks.exe
3256	schtasks.exe
2028	schtasks.exe
4944	schtasks.exe
4864	schtasks.exe
5040	schtasks.exe
4404	schtasks.exe
2408	schtasks.exe
4756	schtasks.exe
3532	schtasks.exe
1748	schtasks.exe
1760	schtasks.exe
3580	schtasks.exe
4204	schtasks.exe
412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
4540	powershell.exe
4540	powershell.exe
4904	powershell.exe
4904	powershell.exe
3508	powershell.exe
3508	powershell.exe
1188	powershell.exe
1188	powershell.exe
1532	powershell.exe
1532	powershell.exe
5032	powershell.exe
5032	powershell.exe
1536	powershell.exe
1536	powershell.exe
4836	powershell.exe
4836	powershell.exe
3184	powershell.exe
3184	powershell.exe
4540	powershell.exe
5104	powershell.exe
5104	powershell.exe
1936	powershell.exe
1936	powershell.exe
2524	powershell.exe
2524	powershell.exe
4276	powershell.exe
4276	powershell.exe
3704	powershell.exe
3704	powershell.exe
4276	powershell.exe
3704	powershell.exe
2524	powershell.exe
3508	powershell.exe
1536	powershell.exe
4904	powershell.exe
1188	powershell.exe
5032	powershell.exe
5104	powershell.exe
3184	powershell.exe
4836	powershell.exe
1532	powershell.exe
1936	powershell.exe
5164	sppsvc.exe
5164	sppsvc.exe
2424	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	5164	sppsvc.exe
Token: SeDebugPrivilege	2424	sppsvc.exe
Token: SeDebugPrivilege	5340	sppsvc.exe
Token: SeDebugPrivilege	540	sppsvc.exe
Token: SeDebugPrivilege	5700	sppsvc.exe
Token: SeDebugPrivilege	6136	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4904	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	129
PID 2340 wrote to memory of 4904	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	129
PID 2340 wrote to memory of 5032	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	130
PID 2340 wrote to memory of 5032	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	130
PID 2340 wrote to memory of 1532	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	131
PID 2340 wrote to memory of 1532	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	131
PID 2340 wrote to memory of 4540	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	132
PID 2340 wrote to memory of 4540	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	132
PID 2340 wrote to memory of 3184	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	134
PID 2340 wrote to memory of 3184	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	134
PID 2340 wrote to memory of 5104	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	135
PID 2340 wrote to memory of 5104	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	135
PID 2340 wrote to memory of 1536	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	137
PID 2340 wrote to memory of 1536	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	137
PID 2340 wrote to memory of 3508	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	138
PID 2340 wrote to memory of 3508	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	138
PID 2340 wrote to memory of 1188	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	139
PID 2340 wrote to memory of 1188	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	139
PID 2340 wrote to memory of 1936	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	141
PID 2340 wrote to memory of 1936	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	141
PID 2340 wrote to memory of 2524	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	142
PID 2340 wrote to memory of 2524	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	142
PID 2340 wrote to memory of 4276	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	146
PID 2340 wrote to memory of 4276	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	146
PID 2340 wrote to memory of 4836	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	150
PID 2340 wrote to memory of 4836	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	150
PID 2340 wrote to memory of 3704	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	153
PID 2340 wrote to memory of 3704	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	153
PID 2340 wrote to memory of 5164	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	157
PID 2340 wrote to memory of 5164	2340	6cdf89e8d2c2fb9a5db53881f501181d.exe	157
PID 5164 wrote to memory of 5588	5164	sppsvc.exe	158
PID 5164 wrote to memory of 5588	5164	sppsvc.exe	158
PID 5164 wrote to memory of 5636	5164	sppsvc.exe	159
PID 5164 wrote to memory of 5636	5164	sppsvc.exe	159
PID 5588 wrote to memory of 2424	5588	WScript.exe	168
PID 5588 wrote to memory of 2424	5588	WScript.exe	168
PID 2424 wrote to memory of 5016	2424	sppsvc.exe	169
PID 2424 wrote to memory of 5016	2424	sppsvc.exe	169
PID 2424 wrote to memory of 2084	2424	sppsvc.exe	170
PID 2424 wrote to memory of 2084	2424	sppsvc.exe	170
PID 5016 wrote to memory of 5340	5016	WScript.exe	177
PID 5016 wrote to memory of 5340	5016	WScript.exe	177
PID 5340 wrote to memory of 5204	5340	sppsvc.exe	178
PID 5340 wrote to memory of 5204	5340	sppsvc.exe	178
PID 5340 wrote to memory of 3124	5340	sppsvc.exe	179
PID 5340 wrote to memory of 3124	5340	sppsvc.exe	179
PID 5204 wrote to memory of 540	5204	WScript.exe	180
PID 5204 wrote to memory of 540	5204	WScript.exe	180
PID 540 wrote to memory of 2148	540	sppsvc.exe	181
PID 540 wrote to memory of 2148	540	sppsvc.exe	181
PID 540 wrote to memory of 3888	540	sppsvc.exe	182
PID 540 wrote to memory of 3888	540	sppsvc.exe	182
PID 2148 wrote to memory of 5700	2148	WScript.exe	184
PID 2148 wrote to memory of 5700	2148	WScript.exe	184
PID 5700 wrote to memory of 1480	5700	sppsvc.exe	185
PID 5700 wrote to memory of 1480	5700	sppsvc.exe	185
PID 5700 wrote to memory of 5792	5700	sppsvc.exe	186
PID 5700 wrote to memory of 5792	5700	sppsvc.exe	186
PID 1480 wrote to memory of 6136	1480	WScript.exe	187
PID 1480 wrote to memory of 6136	1480	WScript.exe	187
PID 6136 wrote to memory of 5660	6136	sppsvc.exe	188
PID 6136 wrote to memory of 5660	6136	sppsvc.exe	188
PID 6136 wrote to memory of 764	6136	sppsvc.exe	189
PID 6136 wrote to memory of 764	6136	sppsvc.exe	189

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6cdf89e8d2c2fb9a5db53881f501181d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6cdf89e8d2c2fb9a5db53881f501181d.exe
"C:\Users\Admin\AppData\Local\Temp\6cdf89e8d2c2fb9a5db53881f501181d.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6cdf89e8d2c2fb9a5db53881f501181d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Music\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Users\Admin\Documents\My Music\sppsvc.exe
  "C:\Users\Admin\Documents\My Music\sppsvc.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5164
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d443311-7067-4cc7-9f14-be7041ff8012.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5588
  - - C:\Users\Admin\Documents\My Music\sppsvc.exe
      "C:\Users\Admin\Documents\My Music\sppsvc.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2424
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ea0700-8b96-4bc6-95a9-2ea97efbd232.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Users\Admin\Documents\My Music\sppsvc.exe
        
        "C:\Users\Admin\Documents\My Music\sppsvc.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c72c661-f2f2-4dce-9d82-51a949bbbe7c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5204
        
        C:\Users\Admin\Documents\My Music\sppsvc.exe
        
        "C:\Users\Admin\Documents\My Music\sppsvc.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5485a8db-c619-4823-ba99-12d9b653990c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Users\Admin\Documents\My Music\sppsvc.exe
        
        "C:\Users\Admin\Documents\My Music\sppsvc.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce509f7a-4c8b-43ca-b43b-8636d915bc3f.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\Documents\My Music\sppsvc.exe
        
        "C:\Users\Admin\Documents\My Music\sppsvc.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:6136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfae42d6-6cae-4ccd-93ef-c0d3636aa43d.vbs"
        13⤵
        
        PID:5660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\177837ad-d37c-4ca0-99fd-8bf0aaa758c4.vbs"
        13⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7234604-aece-42c6-93e3-54b19f8e4967.vbs"
        11⤵
        
        PID:5792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ba0670d-e2e5-481d-92e4-c9873ec46a9c.vbs"
        9⤵
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71fd84bb-3b9b-46cb-9af4-1acb40d85be9.vbs"
        7⤵
        
        PID:3124
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d437eb7c-adeb-4bc7-b91b-707963c37ab5.vbs"
        5⤵
        
        PID:2084
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b55b918-53ea-4805-9488-7c54635d6a0b.vbs"
    3⤵
    PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\0154351536fc379faee1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\0154351536fc379faee1\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\SearchApp.exe

Filesize
1.9MB

MD5
6cdf89e8d2c2fb9a5db53881f501181d

SHA1
558eda84922e9824a2554414f5f049658d742575

SHA256
d3f54d4b32b7125991bc4a5543f24c536e16c8ac77eba12aad61256817d7ea97

SHA512
65f11caefff09248fef65676f439dc665fb9a540dc6faf90d7b318859c4f4b7cffe7e74de8f57296420a9e051cc929aecf55c509f6c933f5d53c0af43bf61cfd

Download Submit
C:\0154351536fc379faee1\System.exe

Filesize
1.9MB

MD5
ad99cb8555f5862907428e50d1547173

SHA1
55f4387112352965680f66f3bbcb10aea56697ff

SHA256
16371e67007926d9d1d0df7d0d5b27016a85c3afbf603962ca3c12ce032ddc3e

SHA512
14dc890c38e98739ff0dfeb4f4f6292c146eec382c5a35e53e04a1699c40b1800a09a98c729dbcc7dbc310f5dc688096228d0cb283302ed7d667e5dee047ba0d

Download Submit
C:\3ac54ddf2ad44faa6035cf\upfc.exe

Filesize
1.9MB

MD5
cf7bf96a126b921effb130ab3a618e0d

SHA1
66c117c31e51dbcc3c0445339c18a2760b0c6771

SHA256
fa5cc97834f6e8f9f41a8765f96e2e9363e3d383adc7d885037170027f075ed7

SHA512
dc359ac6d2df2de6fda9f72494efb1d4b3afd87dddbc51a6237eb7273924afd23854a14798198db45a433937ffbd1c495dfc117345c070c09c2386ae1ebef147

Download Submit
C:\Program Files\Google\Chrome\RuntimeBroker.exe

Filesize
1.9MB

MD5
8a6237f8dda6b7a054febc2faaeebd15

SHA1
7ce0332ccf08a0879ac8c99619fa7b593e4b5770

SHA256
d65a8ae6290df9e453d84b392d6629ae581eb5e7cc356bce050f48533fba937c

SHA512
b2688fcfb16cb65b805baa9e91c919ffc44eb3698cb95734b8023a0762aced9cf259303b4c5dbe9cf64baa5eea8151d5f8f60bad9db1fded67321be88bd26059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e348622866b20e881135e0384075ab84

SHA1
d770bf7171f0d184bba9830e2cc896f2913f068b

SHA256
80bdda48e9513fc808d445af95c69370d760a1cb982dfcffa4f6c02016314494

SHA512
00f37657dd1f54fc38c8d568a19cf66d32d5f6423bf0ddc497394037e197202a227ed5d17e37e0606ee4fdf9b987fde216dccefa843c6cbe47188b1a44efe5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
452593747a6f6f0b2e08d8502e1ec6e7

SHA1
027c3a7f5f18e7a1e96bbf2a3d3c267e72821836

SHA256
495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d

SHA512
17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3daae9cdd018437ea3c21aba22ed09c6

SHA1
9f0127b1483e1937d5d8cccf3ae1de0cac1c4c58

SHA256
10ae5cee35e47503d6db91713d92e11babdbb6c06f309fc761dccc7d9684723a

SHA512
17b4b1aa30c7871f7325f67b1b3ab5cd6f6eaafd7e4b45e96beb7fb84f80d0c4858852dbb15c1dfa2abf3e2aa6507c85e041807a575f29fe0c5dc215b04a206a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ee21a21f8b414c5a89db56be6641dd5

SHA1
2403dc36f95bcc4536ac61057a9ce76e11b470f9

SHA256
49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

SHA512
996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
241a30ee59b4b06c007874e90fe80d6d

SHA1
5f1ba41ebc6984909a65725c2e686c6012bd32c6

SHA256
91b63fc7449595695b9e0ee26704ea721dc66d7da9e99b38c66962f6d93e65bb

SHA512
61f9ce6d433cc8efe06587ddcb4921a1bf6516fcd3c36ad79a2583acf1122202bf9565ccd5e8c28430b0fd09b1564b2a17b97f7a6c9e6ffe5a0ea76400fbaaf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa06cb40f97ab488651f3aebd1e07736

SHA1
5094da2f768387c80a0e879ef43ffbdc677ddc97

SHA256
d792dfc55ca10a274ff6ace7d3f5bf6d4cfc9dcefd7c0e9b8aa714fff8988b82

SHA512
e3d49f6cb6b50acd6e93c9bc2b46cffa238d1d28b26f1c549267f32abdfd239c75a261b7bab9edcce606f35b8ca632676efaca3f2b1bbdb9bb739115f6003af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b55b918-53ea-4805-9488-7c54635d6a0b.vbs

Filesize
496B

MD5
4f632228a170e8599e02308edc29ea5e

SHA1
46834d60237c7ee75a6f77358583159bb045800c

SHA256
b9a9dca292fdbee5d665f83ed244f398d915912fea4ce25f3e45eb969d9b7399

SHA512
1b05a3ad6c2dcc7a3a3de4fcd2f879bc131a3644408b2778df39b98ba2dda455da9cc1539802c085576a236372df999e32235db7579551dc78c8f24c695dc048

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c72c661-f2f2-4dce-9d82-51a949bbbe7c.vbs

Filesize
720B

MD5
af7b0c6a888e37b160e7cdbccff759b9

SHA1
eda4c096472921e14decb078aa16be573e062b8c

SHA256
ff7726e9cb1bb7a47089b3489f510c3dabc113a4e2a4063edfc4af4d58c54789

SHA512
a2e68810903622ba01d5193fce2d97a601f1959eac9a05b99ad186d00eecbbd0f7ae33bc89400fc3c53cde11c1b1dd6d80e25d287880f9532527ebe05746b74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d443311-7067-4cc7-9f14-be7041ff8012.vbs

Filesize
720B

MD5
53a844f0bf0e8aa091b91c721538043f

SHA1
300a760b1b91a6503daa9ceb3c146b76945af625

SHA256
879ca564c986e603b6db4b8033c295ffbb2bd83254f75bfcc01bc471b2385d63

SHA512
13e3280cfc9d97c405c981e2935bd375391b93690c26014f7816017dd62aae03d207d6b3574e372436278ab6af9d55a79c6112c283758e51dd570871de9f16f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5485a8db-c619-4823-ba99-12d9b653990c.vbs

Filesize
719B

MD5
3d6d49529f9ceb47019aea9cbb77ad27

SHA1
c248ad96123a1a86b3f8edcd18fc16adf543b8a6

SHA256
1ee6bf5b70374c6b2b743192b8d3dddfe039bc2e7364497b18595082053e71f9

SHA512
0a66fdd58875654a6e3782341009d7cf6de0fd19df3b17ae613a29ebf3c691b31250b5d6d730a753de77709d5bd70aabaf724c793c2f9e0cc107c1ee7f826d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vhczm0c.cnx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ea0700-8b96-4bc6-95a9-2ea97efbd232.vbs

Filesize
720B

MD5
02df86dafcc9c47109499289d8b1c708

SHA1
86f452cf674ba8f2b1a3a803b27f3391ed12a751

SHA256
ea4fc2970470d9677a367933a080202225cc07f9c217760223ddc13534525dcd

SHA512
e8730795aadfd80172684e30c5d0a7c650b6b304775646b754612c66ae6577e5963abd2e523fa1baabd1d37cb4bebc1b3e24a4332dba25e8019890e7db87a398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce509f7a-4c8b-43ca-b43b-8636d915bc3f.vbs

Filesize
720B

MD5
ef06290040550711df1423a0d0dd1aae

SHA1
edac90f40aede6b660df014af640aa902e10ca47

SHA256
596b8ca7b99bd10f59ad3766f4b03f3ccab8dc3721b05440c7b05e2d7b9cc17e

SHA512
efa4686462f9e65cd8b50a2542a11d56a7fc81517a7a6a161050690f14284da9115b3dfd1849d1950cfba3e333d8ab86df379127469883a1c91a8dd87896a9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfae42d6-6cae-4ccd-93ef-c0d3636aa43d.vbs

Filesize
720B

MD5
9bb410cee4d36ccc3c8db332bce13c64

SHA1
1cfe826b2d5be254ec5fb8ed1e436748c8fc5528

SHA256
96abe01b85a82a3c74f8106995b651f43b427397c961336ab0169fce60bda954

SHA512
967ef2609e45e1f2d4442b8ab7eb9507df18ce2d2de05d7b9b454ab993feb17928b140f8db32dced3be29b8f020b069d07411b99c5c140158edc87c7fb80b703

Download Submit
memory/1536-267-0x000001DAFAF10000-0x000001DAFAF32000-memory.dmp

Filesize
136KB

Download
memory/2340-1-0x0000000000A90000-0x0000000000C7A000-memory.dmp

Filesize
1.9MB

Download
memory/2340-8-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

Filesize
40KB

Download
memory/2340-197-0x00007FF838540000-0x00007FF839001000-memory.dmp

Filesize
10.8MB

Download
memory/2340-5-0x0000000002DA0000-0x0000000002DA8000-memory.dmp

Filesize
32KB

Download
memory/2340-9-0x000000001B820000-0x000000001B876000-memory.dmp

Filesize
344KB

Download
memory/2340-391-0x00007FF838540000-0x00007FF839001000-memory.dmp

Filesize
10.8MB

Download
memory/2340-7-0x0000000002DC0000-0x0000000002DD6000-memory.dmp

Filesize
88KB

Download
memory/2340-4-0x000000001B7D0000-0x000000001B820000-memory.dmp

Filesize
320KB

Download
memory/2340-3-0x0000000002D80000-0x0000000002D9C000-memory.dmp

Filesize
112KB

Download
memory/2340-2-0x00007FF838540000-0x00007FF839001000-memory.dmp

Filesize
10.8MB

Download
memory/2340-177-0x00007FF838543000-0x00007FF838545000-memory.dmp

Filesize
8KB

Download
memory/2340-10-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/2340-19-0x000000001C0D0000-0x000000001C0DC000-memory.dmp

Filesize
48KB

Download
memory/2340-16-0x000000001B950000-0x000000001B95A000-memory.dmp

Filesize
40KB

Download
memory/2340-17-0x000000001B960000-0x000000001B96E000-memory.dmp

Filesize
56KB

Download
memory/2340-18-0x000000001C0C0000-0x000000001C0C8000-memory.dmp

Filesize
32KB

Download
memory/2340-0-0x00007FF838543000-0x00007FF838545000-memory.dmp

Filesize
8KB

Download
memory/2340-20-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

Filesize
48KB

Download
memory/2340-6-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/2340-15-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/2340-14-0x000000001CAB0000-0x000000001CFD8000-memory.dmp

Filesize
5.2MB

Download
memory/2340-13-0x000000001B8A0000-0x000000001B8B2000-memory.dmp

Filesize
72KB

Download
memory/2340-11-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/5164-392-0x000000001B090000-0x000000001B0E6000-memory.dmp

Filesize
344KB

Download