colibri | 3e7c17750f02bfba0b1870edaace58265a28d8f15d620393453d9274d7003e3e

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f675c9590aa70b92af054bbd4e63bb70N.exe
Size

4.9MB
MD5

f675c9590aa70b92af054bbd4e63bb70
SHA1

61b97bb45293faf091855b8c4dc623dc1d6c0068
SHA256

3e7c17750f02bfba0b1870edaace58265a28d8f15d620393453d9274d7003e3e
SHA512

5ff6e8f4b7090bdb784ecae861dd9e0ebb98eac3bdc539de78230be7285d912c49eab30c8b1d956c80004192e028a3505dbe951877c792deb03bc130c72bf5c9
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4068	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exef675c9590aa70b92af054bbd4e63bb70N.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1448-2-0x000000001C3C0000-0x000000001C4EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3040	powershell.exe
1488	powershell.exe
3760	powershell.exe
1212	powershell.exe
2764	powershell.exe
4520	powershell.exe
2396	powershell.exe
1988	powershell.exe
5012	powershell.exe
1640	powershell.exe
3440	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exef675c9590aa70b92af054bbd4e63bb70N.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	f675c9590aa70b92af054bbd4e63bb70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 44 IoCs

Processes:

tmp83CA.tmp.exetmp83CA.tmp.exetmp83CA.tmp.exedwm.exetmp9E92.tmp.exetmp9E92.tmp.exetmp9E92.tmp.exedwm.exetmpBE7D.tmp.exetmpBE7D.tmp.exetmpBE7D.tmp.exedwm.exetmpDA81.tmp.exetmpDA81.tmp.exetmpDA81.tmp.exetmpDA81.tmp.exedwm.exetmpC01.tmp.exetmpC01.tmp.exedwm.exetmp3DCF.tmp.exetmp3DCF.tmp.exetmp3DCF.tmp.exedwm.exetmp6F9D.tmp.exetmp6F9D.tmp.exedwm.exetmp8C2E.tmp.exetmp8C2E.tmp.exetmp8C2E.tmp.exedwm.exedwm.exedwm.exetmpF41F.tmp.exetmpF41F.tmp.exedwm.exedwm.exetmp2B7B.tmp.exetmp2B7B.tmp.exedwm.exetmp478E.tmp.exetmp478E.tmp.exetmp478E.tmp.exetmp478E.tmp.exe

pid	process
4748	tmp83CA.tmp.exe
4896	tmp83CA.tmp.exe
1252	tmp83CA.tmp.exe
1984	dwm.exe
1600	tmp9E92.tmp.exe
3716	tmp9E92.tmp.exe
3016	tmp9E92.tmp.exe
4608	dwm.exe
864	tmpBE7D.tmp.exe
1472	tmpBE7D.tmp.exe
1072	tmpBE7D.tmp.exe
4008	dwm.exe
4436	tmpDA81.tmp.exe
3164	tmpDA81.tmp.exe
4896	tmpDA81.tmp.exe
3904	tmpDA81.tmp.exe
3180	dwm.exe
4456	tmpC01.tmp.exe
1708	tmpC01.tmp.exe
1944	dwm.exe
4484	tmp3DCF.tmp.exe
4960	tmp3DCF.tmp.exe
4916	tmp3DCF.tmp.exe
4436	dwm.exe
3084	tmp6F9D.tmp.exe
4940	tmp6F9D.tmp.exe
1536	dwm.exe
3132	tmp8C2E.tmp.exe
4704	tmp8C2E.tmp.exe
4040	tmp8C2E.tmp.exe
1620	dwm.exe
592	dwm.exe
1684	dwm.exe
1720	tmpF41F.tmp.exe
4564	tmpF41F.tmp.exe
3212	dwm.exe
4600	dwm.exe
4100	tmp2B7B.tmp.exe
4076	tmp2B7B.tmp.exe
348	dwm.exe
2828	tmp478E.tmp.exe
4248	tmp478E.tmp.exe
4896	tmp478E.tmp.exe
2528	tmp478E.tmp.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exef675c9590aa70b92af054bbd4e63bb70N.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f675c9590aa70b92af054bbd4e63bb70N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmp83CA.tmp.exetmp9E92.tmp.exetmpBE7D.tmp.exetmpDA81.tmp.exetmpC01.tmp.exetmp3DCF.tmp.exetmp6F9D.tmp.exetmp8C2E.tmp.exetmpF41F.tmp.exetmp2B7B.tmp.exetmp478E.tmp.exe

description	pid	process	target process
PID 4896 set thread context of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 3716 set thread context of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 1472 set thread context of 1072	1472	tmpBE7D.tmp.exe	tmpBE7D.tmp.exe
PID 4896 set thread context of 3904	4896	tmpDA81.tmp.exe	tmpDA81.tmp.exe
PID 4456 set thread context of 1708	4456	tmpC01.tmp.exe	tmpC01.tmp.exe
PID 4960 set thread context of 4916	4960	tmp3DCF.tmp.exe	tmp3DCF.tmp.exe
PID 3084 set thread context of 4940	3084	tmp6F9D.tmp.exe	tmp6F9D.tmp.exe
PID 4704 set thread context of 4040	4704	tmp8C2E.tmp.exe	tmp8C2E.tmp.exe
PID 1720 set thread context of 4564	1720	tmpF41F.tmp.exe	tmpF41F.tmp.exe
PID 4100 set thread context of 4076	4100	tmp2B7B.tmp.exe	tmp2B7B.tmp.exe
PID 4896 set thread context of 2528	4896	tmp478E.tmp.exe	tmp478E.tmp.exe

Drops file in Program Files directory 12 IoCs

Processes:

f675c9590aa70b92af054bbd4e63bb70N.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Google\Temp\lsass.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Google\Temp\6203df4a6bafc7	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX8504.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\lsass.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\eddb19405b7ce1	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCX8718.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX892C.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp83CA.tmp.exetmp83CA.tmp.exetmpDA81.tmp.exetmpF41F.tmp.exetmp478E.tmp.exetmp478E.tmp.exetmp9E92.tmp.exetmpBE7D.tmp.exetmpDA81.tmp.exetmp3DCF.tmp.exetmp6F9D.tmp.exetmp2B7B.tmp.exetmp8C2E.tmp.exetmp478E.tmp.exetmp9E92.tmp.exetmpBE7D.tmp.exetmpDA81.tmp.exetmpC01.tmp.exetmp3DCF.tmp.exetmp8C2E.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp83CA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp83CA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA81.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF41F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp478E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp478E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E92.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBE7D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA81.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3DCF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6F9D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2B7B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C2E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp478E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E92.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBE7D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA81.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC01.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3DCF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C2E.tmp.exe

Modifies registry class 14 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exef675c9590aa70b92af054bbd4e63bb70N.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f675c9590aa70b92af054bbd4e63bb70N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3196	schtasks.exe
400	schtasks.exe
4916	schtasks.exe
2700	schtasks.exe
3360	schtasks.exe
4768	schtasks.exe
3956	schtasks.exe
4804	schtasks.exe
5028	schtasks.exe
3392	schtasks.exe
184	schtasks.exe
3020	schtasks.exe
5020	schtasks.exe
4984	schtasks.exe
1288	schtasks.exe
5064	schtasks.exe
1280	schtasks.exe
3688	schtasks.exe
4940	schtasks.exe
2548	schtasks.exe
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

f675c9590aa70b92af054bbd4e63bb70N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	process
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
1448	f675c9590aa70b92af054bbd4e63bb70N.exe
4520	powershell.exe
4520	powershell.exe
5012	powershell.exe
5012	powershell.exe
3760	powershell.exe
3760	powershell.exe
2396	powershell.exe
2396	powershell.exe
3040	powershell.exe
3040	powershell.exe
1488	powershell.exe
1488	powershell.exe
1640	powershell.exe
1640	powershell.exe
1988	powershell.exe
1988	powershell.exe
3440	powershell.exe
3440	powershell.exe
1212	powershell.exe
1212	powershell.exe
5012	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
4520	powershell.exe
1488	powershell.exe
3760	powershell.exe
2396	powershell.exe
3040	powershell.exe
1988	powershell.exe
1212	powershell.exe
1640	powershell.exe
3440	powershell.exe
1984	dwm.exe
4608	dwm.exe
4008	dwm.exe
3180	dwm.exe
1944	dwm.exe
4436	dwm.exe
1536	dwm.exe
1620	dwm.exe
592	dwm.exe
1684	dwm.exe
3212	dwm.exe
4600	dwm.exe
348	dwm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1448	f675c9590aa70b92af054bbd4e63bb70N.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1984	dwm.exe
Token: SeDebugPrivilege	4608	dwm.exe
Token: SeDebugPrivilege	4008	dwm.exe
Token: SeDebugPrivilege	3180	dwm.exe
Token: SeDebugPrivilege	1944	dwm.exe
Token: SeDebugPrivilege	4436	dwm.exe
Token: SeDebugPrivilege	1536	dwm.exe
Token: SeDebugPrivilege	1620	dwm.exe
Token: SeDebugPrivilege	592	dwm.exe
Token: SeDebugPrivilege	1684	dwm.exe
Token: SeDebugPrivilege	3212	dwm.exe
Token: SeDebugPrivilege	4600	dwm.exe
Token: SeDebugPrivilege	348	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f675c9590aa70b92af054bbd4e63bb70N.exetmp83CA.tmp.exetmp83CA.tmp.exedwm.exetmp9E92.tmp.exetmp9E92.tmp.exeWScript.exedwm.exetmpBE7D.tmp.exe

description	pid	process	target process
PID 1448 wrote to memory of 4748	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	tmp83CA.tmp.exe
PID 1448 wrote to memory of 4748	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	tmp83CA.tmp.exe
PID 1448 wrote to memory of 4748	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	tmp83CA.tmp.exe
PID 4748 wrote to memory of 4896	4748	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4748 wrote to memory of 4896	4748	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4748 wrote to memory of 4896	4748	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 4896 wrote to memory of 1252	4896	tmp83CA.tmp.exe	tmp83CA.tmp.exe
PID 1448 wrote to memory of 2764	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 2764	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 3040	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 3040	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 3440	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 3440	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1488	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1488	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 3760	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 3760	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 4520	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 4520	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1212	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1212	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 2396	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 2396	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1988	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1988	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 5012	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 5012	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1640	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1640	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	powershell.exe
PID 1448 wrote to memory of 1984	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	dwm.exe
PID 1448 wrote to memory of 1984	1448	f675c9590aa70b92af054bbd4e63bb70N.exe	dwm.exe
PID 1984 wrote to memory of 1480	1984	dwm.exe	WScript.exe
PID 1984 wrote to memory of 1480	1984	dwm.exe	WScript.exe
PID 1984 wrote to memory of 3512	1984	dwm.exe	WScript.exe
PID 1984 wrote to memory of 3512	1984	dwm.exe	WScript.exe
PID 1984 wrote to memory of 1600	1984	dwm.exe	tmp9E92.tmp.exe
PID 1984 wrote to memory of 1600	1984	dwm.exe	tmp9E92.tmp.exe
PID 1984 wrote to memory of 1600	1984	dwm.exe	tmp9E92.tmp.exe
PID 1600 wrote to memory of 3716	1600	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 1600 wrote to memory of 3716	1600	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 1600 wrote to memory of 3716	1600	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 3716 wrote to memory of 3016	3716	tmp9E92.tmp.exe	tmp9E92.tmp.exe
PID 1480 wrote to memory of 4608	1480	WScript.exe	dwm.exe
PID 1480 wrote to memory of 4608	1480	WScript.exe	dwm.exe
PID 4608 wrote to memory of 3752	4608	dwm.exe	WScript.exe
PID 4608 wrote to memory of 3752	4608	dwm.exe	WScript.exe
PID 4608 wrote to memory of 4876	4608	dwm.exe	WScript.exe
PID 4608 wrote to memory of 4876	4608	dwm.exe	WScript.exe
PID 4608 wrote to memory of 864	4608	dwm.exe	tmpBE7D.tmp.exe
PID 4608 wrote to memory of 864	4608	dwm.exe	tmpBE7D.tmp.exe
PID 4608 wrote to memory of 864	4608	dwm.exe	tmpBE7D.tmp.exe
PID 864 wrote to memory of 1472	864	tmpBE7D.tmp.exe	tmpBE7D.tmp.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exef675c9590aa70b92af054bbd4e63bb70N.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f675c9590aa70b92af054bbd4e63bb70N.exe
"C:\Users\Admin\AppData\Local\Temp\f675c9590aa70b92af054bbd4e63bb70N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1448

C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe"
4⤵
- Executes dropped EXE
PID:1252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Recovery\WindowsRE\dwm.exe
"C:\Recovery\WindowsRE\dwm.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fce4c13e-533c-42cd-8600-036933b6ccd9.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4608

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f856198d-5a3e-4539-ac93-a52fb06fc4b0.vbs"
5⤵
PID:3752

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e989574-4d9f-4fd6-b7a6-731f6ad167d7.vbs"
7⤵
PID:3488

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a587cd42-45f8-4663-ace7-8e0d572a948d.vbs"
9⤵
PID:3380

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a50bb34c-785c-4e5c-b826-2c61ebabab95.vbs"
11⤵
PID:396

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4436

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\872cd8b4-3c68-4363-bbea-34e26ac310b3.vbs"
13⤵
PID:3076

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3863e664-fe16-4823-a41c-a0c32225aefd.vbs"
15⤵
PID:2788

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1620

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8914f5fd-a87c-4a25-84a8-769974530731.vbs"
17⤵
PID:756

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b7324a-0f57-4b9c-9883-0380a376ec56.vbs"
19⤵
PID:4512

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48569865-e9eb-4465-86c2-c8413c607bc0.vbs"
21⤵
PID:2192

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d4c93a-f551-4e39-9677-6947accdf7cb.vbs"
23⤵
PID:4704

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86be82d-49e1-4d45-acf7-dbe8e6a5a79f.vbs"
25⤵
PID:4368

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6f8651-03e1-4853-832a-6f042c7032d2.vbs"
27⤵
PID:4788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2fae75d-b901-4b26-8bd1-aef9ac2511d3.vbs"
27⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe"
27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828

C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe"
28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4248

C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4896

C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp478E.tmp.exe"
30⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0356835-01c9-4dba-ab3d-de048c5d2f9e.vbs"
25⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\tmp2B7B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2B7B.tmp.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4100

C:\Users\Admin\AppData\Local\Temp\tmp2B7B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2B7B.tmp.exe"
26⤵
- Executes dropped EXE
PID:4076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240ad4a7-b72e-4475-813b-d44f9c37f017.vbs"
23⤵
PID:1524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c28a11b-d91a-4111-bd05-848648e97511.vbs"
21⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\tmpF41F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF41F.tmp.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1720

C:\Users\Admin\AppData\Local\Temp\tmpF41F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF41F.tmp.exe"
22⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b35ea4-4a08-4ecf-a609-5505ee014697.vbs"
19⤵
PID:2960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7929790-ca12-484f-b961-a53702a699e5.vbs"
17⤵
PID:3716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb90c19a-d4ca-4cd8-8bf2-4f3d51ad3180.vbs"
15⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp.exe"
15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132

C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8C2E.tmp.exe"
17⤵
- Executes dropped EXE
PID:4040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b039e24-dafd-4baf-8733-bc764e474798.vbs"
13⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\tmp6F9D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6F9D.tmp.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3084

C:\Users\Admin\AppData\Local\Temp\tmp6F9D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6F9D.tmp.exe"
14⤵
- Executes dropped EXE
PID:4940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5346dd8-9157-4b17-a103-e1c93d375fbe.vbs"
11⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\tmp3DCF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3DCF.tmp.exe"
11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4484

C:\Users\Admin\AppData\Local\Temp\tmp3DCF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3DCF.tmp.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4960

C:\Users\Admin\AppData\Local\Temp\tmp3DCF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3DCF.tmp.exe"
13⤵
- Executes dropped EXE
PID:4916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291440e4-e5bc-4123-a584-1d257dbe7506.vbs"
9⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\tmpC01.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC01.tmp.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4456

C:\Users\Admin\AppData\Local\Temp\tmpC01.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC01.tmp.exe"
10⤵
- Executes dropped EXE
PID:1708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b42535d-02e2-4b1d-8ceb-85106ea830d5.vbs"
7⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe"
7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4436

C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe"
8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3164

C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4896

C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.exe"
10⤵
- Executes dropped EXE
PID:3904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e64298b-8c7e-42bc-9441-8c1df54f3dc0.vbs"
5⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmpBE7D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE7D.tmp.exe"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\tmpBE7D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE7D.tmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1472

C:\Users\Admin\AppData\Local\Temp\tmpBE7D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE7D.tmp.exe"
7⤵
- Executes dropped EXE
PID:1072

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3ee447-b9dd-4e8e-9624-5a8cabce784e.vbs"
3⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.exe"
5⤵
- Executes dropped EXE
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\backgroundTaskHost.exe

Filesize
4.9MB

MD5
f675c9590aa70b92af054bbd4e63bb70

SHA1
61b97bb45293faf091855b8c4dc623dc1d6c0068

SHA256
3e7c17750f02bfba0b1870edaace58265a28d8f15d620393453d9274d7003e3e

SHA512
5ff6e8f4b7090bdb784ecae861dd9e0ebb98eac3bdc539de78230be7285d912c49eab30c8b1d956c80004192e028a3505dbe951877c792deb03bc130c72bf5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\872cd8b4-3c68-4363-bbea-34e26ac310b3.vbs

Filesize
705B

MD5
c2d3d64258b892352d19d58725816b01

SHA1
5c8a939dcb5014f40d251a480de03dc247e0127a

SHA256
659a020f4762160d67522a84d1844d25dedc0ffef1245bc2a8cf929822cc8fa9

SHA512
1e10a7869b1c5977faab814c8b90790964bc0fbe6e88a6676e102a557dd93f223bd49c04f86acd15bf9678969b09a492ac36bb4fd090e3216d0de56b8726f02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e989574-4d9f-4fd6-b7a6-731f6ad167d7.vbs

Filesize
705B

MD5
8fd77db0d09607a3d012055fc7080eb8

SHA1
1eba4667f4807581b0973b1e6b147aaddeb1e4c4

SHA256
c01a015fcb57cba98528c0cee9fb6b6d4e7d99b78a61c4732da525ddd55ce090

SHA512
08113dea593e7970321b50ed404ce8a60d50e22dc7d01fccac546b7427e57963f56e8ae809611e3a8f49d539d51aa6d174acc517cc3f9c25d726e5093d1ef884

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f3ee447-b9dd-4e8e-9624-5a8cabce784e.vbs

Filesize
481B

MD5
3d93b9da8eb51159a68605526ddff8a7

SHA1
3fdd8ecbdde436ab4efca7b884c95ddb797a9fad

SHA256
41c6c116c902b38f591f366a4c46772afb5ded10f9d879b20c52a1ed6eaab2f7

SHA512
8bb71a36ac1fcd427c9b0aecc02f2decbee9f1a1c9c8820f1d61727df485e69adafb8f52029dbcf2078f414a98b1c30c432ff60b50a6903bf9a0d2b6f80e0ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfwehmef.0d3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a50bb34c-785c-4e5c-b826-2c61ebabab95.vbs

Filesize
705B

MD5
b2f6023a4ca7d5b4ae898be4a4756738

SHA1
6d4be76a6b4cda3c6fbed402b8dfc5d6ae031996

SHA256
f4779eecb8507e2173b5a55acee63042f185d2d8f0385c3f4ab9550cbea6a946

SHA512
6d9865c6c9595543145fe1e0f5a54c4af91ba4145149e1b15dd53d9f8220ed5c7055756bdb2661cab5fefb172c511d195bacd4bfe714b0a1a617751624ec88a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a587cd42-45f8-4663-ace7-8e0d572a948d.vbs

Filesize
705B

MD5
2ef81557a94d9c3dd5baec321629a16c

SHA1
4f263d1559e35fe219366d432aa6fcf07406e22f

SHA256
5b57621c0a8ac5c0fc47e2a299a095eb7544aa957b86680d2a6b5b452325beba

SHA512
cdd3e3206abb5e2ed2283f8d0e6eb7b8fac6cd56fe0fa1ce6ab9fc3a07c82c42a4761c2f84c0f6f56c96ad95675efd75bf7b33c7e9e6ced61188d3fd21ff79bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f856198d-5a3e-4539-ac93-a52fb06fc4b0.vbs

Filesize
705B

MD5
d1a9a494b097d8ffe9afeae6959370b0

SHA1
0656aaf4e5368b6ac83863eb3d727b8143120f4a

SHA256
61b772e9d90a6eb38c9bdf1a6a8d99680211f8e1b525dca88aaf4d2cb8a14a98

SHA512
7c5288c307ee6a4e234fec5a8295b79deee87b0c03c725089d4d90c12c5ba1164fac34d8c739a638dbedf73e05e204f0200dd2390b89422e285163dfe6a8127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fce4c13e-533c-42cd-8600-036933b6ccd9.vbs

Filesize
705B

MD5
26fc24afd63b7f946db0223f97a16f99

SHA1
0e4db9fb47e9d4eb51be2668c2a2b2103ba0f2c2

SHA256
c7e603154b04138bfea34f1653a6ceddad0fe6b5ebdacebc83f79d3da4fc53f9

SHA512
446f057bc40c863e613deb26620eaacc93b71a51e0e5788ab3df131f0407b59e9675031a54c8028f0c67c715eeac6ed059a23fd20b2be34800d4f1d10965a165

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83CA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1252-76-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1448-5-0x0000000003760000-0x00000000037B0000-memory.dmp

Filesize
320KB

Download
memory/1448-4-0x00000000036F0000-0x000000000370C000-memory.dmp

Filesize
112KB

Download
memory/1448-10-0x0000000003750000-0x000000000375A000-memory.dmp

Filesize
40KB

Download
memory/1448-17-0x000000001CA30000-0x000000001CA38000-memory.dmp

Filesize
32KB

Download
memory/1448-13-0x000000001C9F0000-0x000000001C9FA000-memory.dmp

Filesize
40KB

Download
memory/1448-0-0x00007FFDF7A33000-0x00007FFDF7A35000-memory.dmp

Filesize
8KB

Download
memory/1448-15-0x000000001CA10000-0x000000001CA1E000-memory.dmp

Filesize
56KB

Download
memory/1448-12-0x000000001CF20000-0x000000001D448000-memory.dmp

Filesize
5.2MB

Download
memory/1448-14-0x000000001CA00000-0x000000001CA0E000-memory.dmp

Filesize
56KB

Download
memory/1448-259-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download
memory/1448-1-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/1448-11-0x000000001C290000-0x000000001C2A2000-memory.dmp

Filesize
72KB

Download
memory/1448-18-0x000000001CB40000-0x000000001CB4C000-memory.dmp

Filesize
48KB

Download
memory/1448-3-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download
memory/1448-2-0x000000001C3C0000-0x000000001C4EE000-memory.dmp

Filesize
1.2MB

Download
memory/1448-9-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/1448-6-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/1448-7-0x0000000003710000-0x0000000003720000-memory.dmp

Filesize
64KB

Download
memory/1448-8-0x0000000003720000-0x0000000003736000-memory.dmp

Filesize
88KB

Download
memory/1448-16-0x000000001CA20000-0x000000001CA28000-memory.dmp

Filesize
32KB

Download
memory/1684-473-0x000000001C070000-0x000000001C082000-memory.dmp

Filesize
72KB

Download
memory/1944-391-0x0000000003310000-0x0000000003322000-memory.dmp

Filesize
72KB

Download
memory/1984-262-0x000000001BB80000-0x000000001BB92000-memory.dmp

Filesize
72KB

Download
memory/3180-367-0x0000000003670000-0x0000000003682000-memory.dmp

Filesize
72KB

Download
memory/4008-337-0x000000001C960000-0x000000001C972000-memory.dmp

Filesize
72KB

Download
memory/4520-157-0x000001E59CE10000-0x000001E59CE32000-memory.dmp

Filesize
136KB

Download
memory/4600-497-0x0000000002AF0000-0x0000000002B02000-memory.dmp

Filesize
72KB

Download