805c5709be7589073f6c90410ba05d8d4240ba487fe7c8febf2de9ba214a489e

Analysis

max time kernel
89s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9576cc7c1d016017905b260b127b983f.exe
Size

1.9MB
MD5

9576cc7c1d016017905b260b127b983f
SHA1

085fbeb0456c1eb2f9d1854e4940def27aab0386
SHA256

5d64fc503e241b1ffafe9179e97d244b2af292a14b95f5513c48ba0557d14de2
SHA512

8bb12a73650c814edf1899c1453b40b92114f316de9b76dbd20f724f2970514f0f4c6afcf41a37a8796e90917f4ef11cea1043e6815e08ce199643a27f64c4a0
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	3028	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3028	schtasks.exe	89

UAC bypass 3 TTPs 18 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9576cc7c1d016017905b260b127b983f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9576cc7c1d016017905b260b127b983f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9576cc7c1d016017905b260b127b983f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4148	powershell.exe
416	powershell.exe
3144	powershell.exe
1284	powershell.exe
1924	powershell.exe
2000	powershell.exe
4216	powershell.exe
1032	powershell.exe
2652	powershell.exe
3724	powershell.exe
3492	powershell.exe
2644	powershell.exe
3760	powershell.exe
1384	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9576cc7c1d016017905b260b127b983f.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	9576cc7c1d016017905b260b127b983f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 5 IoCs

pid	Process
5272	csrss.exe
5932	csrss.exe
5160	csrss.exe
2472	csrss.exe
5184	csrss.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9576cc7c1d016017905b260b127b983f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9576cc7c1d016017905b260b127b983f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\sysmon.exe	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX8A41.tmp	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\upfc.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\Windows Defender\de-DE\SearchApp.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\Google\Chrome\StartMenuExperienceHost.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\Google\Chrome\55b276f4edf653	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX9390.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Google\Chrome\StartMenuExperienceHost.exe	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\RCXA0EB.tmp	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files (x86)\Windows Mail\121e5b5079f7c0	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\SearchApp.exe	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\RCXA0EA.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\upfc.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\ModifiableWindowsApps\StartMenuExperienceHost.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\upfc.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files (x86)\Windows Mail\sysmon.exe	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX8A40.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX9ABB.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXA2EF.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXA300.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\upfc.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\ea1d8f6d871115	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\Windows Defender\de-DE\38384e6a620884	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\ea1d8f6d871115	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX9312.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX9AAA.tmp	9576cc7c1d016017905b260b127b983f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\taskhostw.exe	9576cc7c1d016017905b260b127b983f.exe
File created	C:\Windows\it-IT\ea9f0e6c9e2dcd	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Windows\it-IT\RCXA524.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Windows\it-IT\RCXA525.tmp	9576cc7c1d016017905b260b127b983f.exe
File opened for modification	C:\Windows\it-IT\taskhostw.exe	9576cc7c1d016017905b260b127b983f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9576cc7c1d016017905b260b127b983f.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1752	schtasks.exe
1700	schtasks.exe
1088	schtasks.exe
2316	schtasks.exe
4116	schtasks.exe
2396	schtasks.exe
2896	schtasks.exe
4688	schtasks.exe
648	schtasks.exe
1604	schtasks.exe
2108	schtasks.exe
2112	schtasks.exe
4920	schtasks.exe
4944	schtasks.exe
400	schtasks.exe
816	schtasks.exe
960	schtasks.exe
2040	schtasks.exe
1784	schtasks.exe
1884	schtasks.exe
4600	schtasks.exe
3888	schtasks.exe
3152	schtasks.exe
2580	schtasks.exe
2612	schtasks.exe
2564	schtasks.exe
4672	schtasks.exe
1620	schtasks.exe
332	schtasks.exe
3184	schtasks.exe
4644	schtasks.exe
3636	schtasks.exe
4084	schtasks.exe
536	schtasks.exe
2684	schtasks.exe
4448	schtasks.exe
4648	schtasks.exe
2480	schtasks.exe
5076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4928	9576cc7c1d016017905b260b127b983f.exe
4928	9576cc7c1d016017905b260b127b983f.exe
4928	9576cc7c1d016017905b260b127b983f.exe
4928	9576cc7c1d016017905b260b127b983f.exe
4928	9576cc7c1d016017905b260b127b983f.exe
4928	9576cc7c1d016017905b260b127b983f.exe
4928	9576cc7c1d016017905b260b127b983f.exe
3492	powershell.exe
3492	powershell.exe
1284	powershell.exe
1284	powershell.exe
2644	powershell.exe
2644	powershell.exe
4148	powershell.exe
4148	powershell.exe
4216	powershell.exe
4216	powershell.exe
1384	powershell.exe
1384	powershell.exe
1924	powershell.exe
1924	powershell.exe
3724	powershell.exe
3724	powershell.exe
1032	powershell.exe
1032	powershell.exe
3144	powershell.exe
3144	powershell.exe
3760	powershell.exe
3760	powershell.exe
416	powershell.exe
416	powershell.exe
2000	powershell.exe
2000	powershell.exe
2652	powershell.exe
2652	powershell.exe
1384	powershell.exe
416	powershell.exe
1284	powershell.exe
3492	powershell.exe
3492	powershell.exe
2644	powershell.exe
4148	powershell.exe
3724	powershell.exe
1924	powershell.exe
4216	powershell.exe
2652	powershell.exe
3144	powershell.exe
3760	powershell.exe
2000	powershell.exe
1032	powershell.exe
5272	csrss.exe
5272	csrss.exe
5932	csrss.exe
5160	csrss.exe
5160	csrss.exe
2472	csrss.exe
5184	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	9576cc7c1d016017905b260b127b983f.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	5272	csrss.exe
Token: SeDebugPrivilege	5932	csrss.exe
Token: SeDebugPrivilege	5160	csrss.exe
Token: SeDebugPrivilege	2472	csrss.exe
Token: SeDebugPrivilege	5184	csrss.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2644	4928	9576cc7c1d016017905b260b127b983f.exe	134
PID 4928 wrote to memory of 2644	4928	9576cc7c1d016017905b260b127b983f.exe	134
PID 4928 wrote to memory of 3760	4928	9576cc7c1d016017905b260b127b983f.exe	135
PID 4928 wrote to memory of 3760	4928	9576cc7c1d016017905b260b127b983f.exe	135
PID 4928 wrote to memory of 1384	4928	9576cc7c1d016017905b260b127b983f.exe	136
PID 4928 wrote to memory of 1384	4928	9576cc7c1d016017905b260b127b983f.exe	136
PID 4928 wrote to memory of 2000	4928	9576cc7c1d016017905b260b127b983f.exe	137
PID 4928 wrote to memory of 2000	4928	9576cc7c1d016017905b260b127b983f.exe	137
PID 4928 wrote to memory of 4216	4928	9576cc7c1d016017905b260b127b983f.exe	138
PID 4928 wrote to memory of 4216	4928	9576cc7c1d016017905b260b127b983f.exe	138
PID 4928 wrote to memory of 4148	4928	9576cc7c1d016017905b260b127b983f.exe	139
PID 4928 wrote to memory of 4148	4928	9576cc7c1d016017905b260b127b983f.exe	139
PID 4928 wrote to memory of 3492	4928	9576cc7c1d016017905b260b127b983f.exe	140
PID 4928 wrote to memory of 3492	4928	9576cc7c1d016017905b260b127b983f.exe	140
PID 4928 wrote to memory of 1924	4928	9576cc7c1d016017905b260b127b983f.exe	141
PID 4928 wrote to memory of 1924	4928	9576cc7c1d016017905b260b127b983f.exe	141
PID 4928 wrote to memory of 3724	4928	9576cc7c1d016017905b260b127b983f.exe	142
PID 4928 wrote to memory of 3724	4928	9576cc7c1d016017905b260b127b983f.exe	142
PID 4928 wrote to memory of 2652	4928	9576cc7c1d016017905b260b127b983f.exe	144
PID 4928 wrote to memory of 2652	4928	9576cc7c1d016017905b260b127b983f.exe	144
PID 4928 wrote to memory of 1284	4928	9576cc7c1d016017905b260b127b983f.exe	145
PID 4928 wrote to memory of 1284	4928	9576cc7c1d016017905b260b127b983f.exe	145
PID 4928 wrote to memory of 1032	4928	9576cc7c1d016017905b260b127b983f.exe	147
PID 4928 wrote to memory of 1032	4928	9576cc7c1d016017905b260b127b983f.exe	147
PID 4928 wrote to memory of 3144	4928	9576cc7c1d016017905b260b127b983f.exe	149
PID 4928 wrote to memory of 3144	4928	9576cc7c1d016017905b260b127b983f.exe	149
PID 4928 wrote to memory of 416	4928	9576cc7c1d016017905b260b127b983f.exe	150
PID 4928 wrote to memory of 416	4928	9576cc7c1d016017905b260b127b983f.exe	150
PID 4928 wrote to memory of 5272	4928	9576cc7c1d016017905b260b127b983f.exe	162
PID 4928 wrote to memory of 5272	4928	9576cc7c1d016017905b260b127b983f.exe	162
PID 5272 wrote to memory of 5724	5272	csrss.exe	164
PID 5272 wrote to memory of 5724	5272	csrss.exe	164
PID 5272 wrote to memory of 5772	5272	csrss.exe	165
PID 5272 wrote to memory of 5772	5272	csrss.exe	165
PID 5724 wrote to memory of 5932	5724	WScript.exe	166
PID 5724 wrote to memory of 5932	5724	WScript.exe	166
PID 5932 wrote to memory of 6072	5932	csrss.exe	167
PID 5932 wrote to memory of 6072	5932	csrss.exe	167
PID 5932 wrote to memory of 6116	5932	csrss.exe	168
PID 5932 wrote to memory of 6116	5932	csrss.exe	168
PID 6072 wrote to memory of 5160	6072	WScript.exe	178
PID 6072 wrote to memory of 5160	6072	WScript.exe	178
PID 5160 wrote to memory of 2416	5160	csrss.exe	179
PID 5160 wrote to memory of 2416	5160	csrss.exe	179
PID 5160 wrote to memory of 368	5160	csrss.exe	180
PID 5160 wrote to memory of 368	5160	csrss.exe	180
PID 2416 wrote to memory of 2472	2416	WScript.exe	181
PID 2416 wrote to memory of 2472	2416	WScript.exe	181
PID 2472 wrote to memory of 4416	2472	csrss.exe	182
PID 2472 wrote to memory of 4416	2472	csrss.exe	182
PID 2472 wrote to memory of 2532	2472	csrss.exe	183
PID 2472 wrote to memory of 2532	2472	csrss.exe	183
PID 4416 wrote to memory of 5184	4416	WScript.exe	184
PID 4416 wrote to memory of 5184	4416	WScript.exe	184
PID 5184 wrote to memory of 5872	5184	csrss.exe	185
PID 5184 wrote to memory of 5872	5184	csrss.exe	185
PID 5184 wrote to memory of 5748	5184	csrss.exe	186
PID 5184 wrote to memory of 5748	5184	csrss.exe	186

System policy modification 1 TTPs 18 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9576cc7c1d016017905b260b127b983f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9576cc7c1d016017905b260b127b983f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9576cc7c1d016017905b260b127b983f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9576cc7c1d016017905b260b127b983f.exe
"C:\Users\Admin\AppData\Local\Temp\9576cc7c1d016017905b260b127b983f.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9576cc7c1d016017905b260b127b983f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\9576cc7c1d016017905b260b127b983f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\lib\fonts\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:416
- C:\3ac54ddf2ad44faa6035cf\csrss.exe
  "C:\3ac54ddf2ad44faa6035cf\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5272
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce7b87b-d13c-4133-a6c1-4e021d31dd24.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5724
  - - C:\3ac54ddf2ad44faa6035cf\csrss.exe
      C:\3ac54ddf2ad44faa6035cf\csrss.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5932
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55842bae-be4b-4a2a-94e3-5d2d5b6cca29.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6072
      - C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b8de01-58f9-449e-92de-9c111130a050.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41f9d45b-f222-4b76-b218-f7f3e2e88522.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21f4992d-6421-4329-9b30-f790bb455080.vbs"
        11⤵
        
        PID:5872
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        12⤵
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3c7445-1644-47d8-9220-60fee808f55c.vbs"
        13⤵
        
        PID:3008
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        14⤵
        
        PID:4412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2f83f6-d930-4571-8c11-093c0645c056.vbs"
        15⤵
        
        PID:5492
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        16⤵
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4032544e-f6fd-43ee-b666-70bc9602135f.vbs"
        17⤵
        
        PID:6052
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        
        C:\3ac54ddf2ad44faa6035cf\csrss.exe
        18⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d0c2b0-e70e-4df5-be3b-12a856eebf6a.vbs"
        19⤵
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ada96291-36c8-4ac2-8e77-c0d8fd6b64f0.vbs"
        19⤵
        
        PID:4468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\683f66c6-3935-4090-a0cd-a61239f165c6.vbs"
        17⤵
        
        PID:5296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25890a1e-d657-42d1-9c99-30882ee01baf.vbs"
        15⤵
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\231c03c0-29c3-4941-8c56-4fdfb3e4dc8e.vbs"
        13⤵
        
        PID:5484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2824bf1d-103d-4a99-bcfd-61f48e504330.vbs"
        11⤵
        
        PID:5748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce19eed-29ae-4d7f-8a4a-485891dfe2d5.vbs"
        9⤵
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e40b2ff-37f4-4e79-92fa-360d22c93c74.vbs"
        7⤵
        
        PID:368
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e23cc895-2344-4593-bbaf-b9b9b6c9d177.vbs"
        5⤵
        
        PID:6116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22ff9e4-687f-4ab7-9b49-d4ba88644271.vbs"
    3⤵
    PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\3ac54ddf2ad44faa6035cf\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f9" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\9576cc7c1d016017905b260b127b983f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f" /sc ONLOGON /tr "'C:\Users\Default User\9576cc7c1d016017905b260b127b983f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f9" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\9576cc7c1d016017905b260b127b983f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\lib\fonts\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\fonts\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\fonts\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\de-DE\SearchApp.exe

Filesize
1.9MB

MD5
9576cc7c1d016017905b260b127b983f

SHA1
085fbeb0456c1eb2f9d1854e4940def27aab0386

SHA256
5d64fc503e241b1ffafe9179e97d244b2af292a14b95f5513c48ba0557d14de2

SHA512
8bb12a73650c814edf1899c1453b40b92114f316de9b76dbd20f724f2970514f0f4c6afcf41a37a8796e90917f4ef11cea1043e6815e08ce199643a27f64c4a0

Download Submit
C:\Program Files\Windows Defender\de-DE\SearchApp.exe

Filesize
1.9MB

MD5
1b1bd3bfddd8f65916c3df28ee3acd94

SHA1
50f6cbcbc1e6c41f99f68d1e7acd75c929041f4f

SHA256
755dfecc25cb11ce95f2e411b2105bca8ee512efbf05f90176a84ddc24a92477

SHA512
b9735c6f0fd3f9b5f5305b1ac9e56ca3ac00172654cef7711a3973efec3550a50cb8658bac609d5defa1f0d183b9eb24af83dc68031896ce3db0294fcdf0d45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6da7498c3e43161a4d3c1d3e7b3c7d05

SHA1
52da2cb1a4168a5cef57539f258722a47e0bc044

SHA256
8b5539719f1a6a35add264c26e9661b4700f528582a89e4cd0c8188eb3e6fea9

SHA512
108470742f03ab0ab5244ef36530d5be2e3d0428e37c75ec4c44d2c13c0ec450beeb73e6006a85e8fe1d4570d8d59a501f98ff75666b2852107883ef5b5a02ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae19674c4dd6a419a8ce8bc65e65167

SHA1
8b3f7e010483412b803e756c850fecd29cf9fb8a

SHA256
f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd

SHA512
9865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a16aff60eb3c3e35753a259b050c8a27

SHA1
85196d5dfb23d0c8b32b186325e2d58315a11287

SHA256
a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

SHA512
13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\21f4992d-6421-4329-9b30-f790bb455080.vbs

Filesize
711B

MD5
50ce6fca6392628fd28ee939118c98c8

SHA1
5a2ba1e8d119368c1e5b3edb5ac1e54c970ee81d

SHA256
05e223d20dd2a35e8fe50aff9d68455e1af0c46fc03dedee7fd1c1f3d227a552

SHA512
c9f53a64ea85681b79c4dfe85b18b0852fd858d6fea6080fca92589027e6a0ab818fcecef047e395efe93bfee3efdf884cbe404e376f1d1642c23dd2145c9540

Download Submit
C:\Users\Admin\AppData\Local\Temp\4032544e-f6fd-43ee-b666-70bc9602135f.vbs

Filesize
711B

MD5
e9f3378244b6697d3ebed3ff3452e8ae

SHA1
724c32412a5614c854e9b7447c4600359c2a4d71

SHA256
7b40f09a77c21cddbc6feb1a518a29c95ed628c338c8c5e112182fc35aa97c1c

SHA512
8933e68ca36a98d5a24ca1c4358392bf2eec4c96ffef9b616669c166ee60cacebe5a744f9caa1965eff9e46f1205f420c4af19de0080332453469ea9b43c74f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41f9d45b-f222-4b76-b218-f7f3e2e88522.vbs

Filesize
711B

MD5
ba6c81d65398b4c7b3dd9945f9520e33

SHA1
e10d31ca39c9cc3e4765088da66314183d9793f1

SHA256
860b2f21df5ae0f692bacd68f4c636f1fb166e7b93667dfaeb56d2b5e821536d

SHA512
631f16d426e74ecd3f7c40fc5f2954c94298fdf8ebcdab8abede44a4f621e57269f770e9c89dc1ef13474998392bde7c9a8def6b76695a7a3ab567237831d7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\55842bae-be4b-4a2a-94e3-5d2d5b6cca29.vbs

Filesize
711B

MD5
d2a6c3249679edce6a3ac47c2d02ff3f

SHA1
777a6a4b3dd76274d8d89ed528e8d847bdd3f3b5

SHA256
23dbc705032d4bc505d05f8a4c0732c78d0952eb29807ab06b506cf72303a290

SHA512
9f9c00b37e89acf5e03d41d846a778afb0c090d6de35d2b2030210dfd319c3b6b209788a587a0a3ddb1565b35527c96210f222f7aee30be36c4e2acd35892236

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ce7b87b-d13c-4133-a6c1-4e021d31dd24.vbs

Filesize
711B

MD5
e2e2ffc4e1cff4572e52113c0bc8fd81

SHA1
44f26c58d4e100e8172452782664fd193149d4b3

SHA256
2d4ff9ac1467f65a708829c7df52eabd944ebf58c3e197bf74af9c4e3c7cc2fe

SHA512
4f3250cbe57a37c7747911fcb84a41d11a86c20d80478309eb27c3248bdd8c74601a8701b8040cb5605696e0801afccb71be06ad55d6c137874d4e7a6afc24ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f2f83f6-d930-4571-8c11-093c0645c056.vbs

Filesize
711B

MD5
3aee7ac30740f3db08adb36e5fd5f0e2

SHA1
217e63bf2909df51d67061602645cd02ac7535e0

SHA256
90b414d83961255b43c8d14c48d563e7ed0208c2f49bf7708e43563af2c18095

SHA512
dac2d53ddb1c942ed3d55c6474e026a67c5bee3e13b338d52c6fd53e523376fa1090d2e866b098529b96df3338da586cf812be4296343c00fd7128adfd3b5624

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d0c2b0-e70e-4df5-be3b-12a856eebf6a.vbs

Filesize
711B

MD5
9001c158adc91851af873270131792fc

SHA1
e3f703c5a7cb2aaf1720e9605cbf98a9aa1ea85e

SHA256
40f8402403120dd566bf272878b9d072426278e9209199d30ff087211ad8626b

SHA512
eb08da50005fb2edf52ba26f8aa8b9a32979802fa6db83c68764072cf8bca5d0ced938fa7ee5698d0cc71072e670c7b3e72d04178ce75e433972bc996a724dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxbs0egh.n0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b22ff9e4-687f-4ab7-9b49-d4ba88644271.vbs

Filesize
487B

MD5
66e62f5bb921c8a2b962f22f47fecf27

SHA1
8f48cbfe82de8a705026386317b549a10de076ee

SHA256
28a53b48bcda81d2033f056b714a40a7919fc36bff0eae6863600fe225a3001a

SHA512
edc1b34cbac2d667c6d8fe4a48ddf09af0f71367784c27d6987413242fbbedfced64bffa86651e96a5a1457802856171425bc718c5ba4b71739d475a2a7dff6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb3c7445-1644-47d8-9220-60fee808f55c.vbs

Filesize
711B

MD5
e58265c7b7908b94c686142b0a6f1fa3

SHA1
77d7db5cbff81992d4f2ec421f2824953ca40276

SHA256
20a79eed1d16b1044290924600ac7bf65874428a0eb32d6c7a7ef1941fe8df3d

SHA512
5ada27dbe4f143a03299770f979662ad0aea85353cd86fbdc1d7ea185a4abd496f8bb92934f00d9105b70e094d5a4f4b97b3c5f8138746e646376a185296e386

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4b8de01-58f9-449e-92de-9c111130a050.vbs

Filesize
711B

MD5
1341f2ad0343bccf4552cf82f64662b7

SHA1
c7c3b653d5636cc5bf306b3543183b9b229916f3

SHA256
c16585abb9bdee7501a15927cba7e87f6982e9bed0461a97ff7c015b96404bca

SHA512
0fc28226a0c379317c7609c76e1f4169713e813a8a70616bbfc63c902cb400af722021edfcbb46039fce4da0ff1561392b006f163a84ae46e42b6d9a2f3daffa

Download Submit
memory/1288-482-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/1288-493-0x00007FFAC0550000-0x00007FFAC05CD000-memory.dmp

Filesize
500KB

Download
memory/3492-264-0x0000020A7CAA0000-0x0000020A7CAC2000-memory.dmp

Filesize
136KB

Download
memory/4412-496-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/4928-10-0x000000001C240000-0x000000001C24C000-memory.dmp

Filesize
48KB

Download
memory/4928-355-0x00007FFAB1D10000-0x00007FFAB27D1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-1-0x0000000000E40000-0x000000000102A000-memory.dmp

Filesize
1.9MB

Download
memory/4928-193-0x00007FFAB1D13000-0x00007FFAB1D15000-memory.dmp

Filesize
8KB

Download
memory/4928-14-0x000000001CD30000-0x000000001D258000-memory.dmp

Filesize
5.2MB

Download
memory/4928-15-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/4928-18-0x000000001C470000-0x000000001C478000-memory.dmp

Filesize
32KB

Download
memory/4928-17-0x000000001C460000-0x000000001C46E000-memory.dmp

Filesize
56KB

Download
memory/4928-19-0x000000001C480000-0x000000001C48C000-memory.dmp

Filesize
48KB

Download
memory/4928-20-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/4928-16-0x000000001C450000-0x000000001C45A000-memory.dmp

Filesize
40KB

Download
memory/4928-0-0x00007FFAB1D13000-0x00007FFAB1D15000-memory.dmp

Filesize
8KB

Download
memory/4928-394-0x00007FFAB1D10000-0x00007FFAB27D1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-13-0x000000001C260000-0x000000001C272000-memory.dmp

Filesize
72KB

Download
memory/4928-11-0x000000001C250000-0x000000001C258000-memory.dmp

Filesize
32KB

Download
memory/4928-9-0x000000001BB90000-0x000000001BBE6000-memory.dmp

Filesize
344KB

Download
memory/4928-7-0x000000001BB60000-0x000000001BB76000-memory.dmp

Filesize
88KB

Download
memory/4928-8-0x000000001BB80000-0x000000001BB8A000-memory.dmp

Filesize
40KB

Download
memory/4928-3-0x000000001BB30000-0x000000001BB4C000-memory.dmp

Filesize
112KB

Download
memory/4928-4-0x000000001C1F0000-0x000000001C240000-memory.dmp

Filesize
320KB

Download
memory/4928-5-0x0000000003140000-0x0000000003148000-memory.dmp

Filesize
32KB

Download
memory/4928-2-0x00007FFAB1D10000-0x00007FFAB27D1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-6-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/5272-402-0x000000001D900000-0x000000001D956000-memory.dmp

Filesize
344KB

Download
memory/5932-437-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download