colibri | a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Size

4.9MB
MD5

9ccdd0840333a8d430bc300546d8aa87
SHA1

1150679348b39ee6d63d875084e6d2dc36eff56f
SHA256

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36
SHA512

c95f27d3fea0afba3424ac4d56754891d294fa3b86ec01d5aee0075f8b8078b5274b21b30b90a8a9ab8de48b2574b45d14b86d59077fbbcc366a8c775a004221
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2152	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2152	schtasks.exe	86

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4108-3-0x000000001B900000-0x000000001BA2E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3088	powershell.exe
4344	powershell.exe
4676	powershell.exe
4072	powershell.exe
2324	powershell.exe
1544	powershell.exe
1276	powershell.exe
3928	powershell.exe
868	powershell.exe
1436	powershell.exe
2680	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 40 IoCs

pid	Process
3208	tmpC36F.tmp.exe
1824	tmpC36F.tmp.exe
1220	tmpC36F.tmp.exe
3304	sihost.exe
1620	tmp145E.tmp.exe
4072	tmp145E.tmp.exe
552	sihost.exe
4032	tmp34D6.tmp.exe
1844	tmp34D6.tmp.exe
4892	sihost.exe
3644	tmp6675.tmp.exe
532	tmp6675.tmp.exe
1184	sihost.exe
4904	tmp994D.tmp.exe
1840	tmp994D.tmp.exe
4844	tmp994D.tmp.exe
1976	sihost.exe
4920	sihost.exe
2288	tmpEAB9.tmp.exe
3088	tmpEAB9.tmp.exe
2016	sihost.exe
2044	tmp1DB0.tmp.exe
1588	tmp1DB0.tmp.exe
2196	sihost.exe
4928	sihost.exe
2616	tmp57EA.tmp.exe
3644	tmp57EA.tmp.exe
4892	sihost.exe
4792	tmp75C3.tmp.exe
4560	tmp75C3.tmp.exe
5076	tmp75C3.tmp.exe
2904	sihost.exe
4940	tmpA7CF.tmp.exe
1040	tmpA7CF.tmp.exe
5040	sihost.exe
4560	tmpC53A.tmp.exe
3548	tmpC53A.tmp.exe
3540	sihost.exe
2340	tmpF5B1.tmp.exe
216	tmpF5B1.tmp.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 1220	1824	tmpC36F.tmp.exe	144
PID 1620 set thread context of 4072	1620	tmp145E.tmp.exe	186
PID 4032 set thread context of 1844	4032	tmp34D6.tmp.exe	198
PID 3644 set thread context of 532	3644	tmp6675.tmp.exe	209
PID 1840 set thread context of 4844	1840	tmp994D.tmp.exe	219
PID 2288 set thread context of 3088	2288	tmpEAB9.tmp.exe	235
PID 2044 set thread context of 1588	2044	tmp1DB0.tmp.exe	244
PID 2616 set thread context of 3644	2616	tmp57EA.tmp.exe	259
PID 4560 set thread context of 5076	4560	tmp75C3.tmp.exe	268
PID 4940 set thread context of 1040	4940	tmpA7CF.tmp.exe	278
PID 4560 set thread context of 3548	4560	tmpC53A.tmp.exe	287
PID 2340 set thread context of 216	2340	tmpF5B1.tmp.exe	296

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ee2ad38f3d4382	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXE0D9.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\MSBuild\explorer.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsass.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\MSBuild\RCXCE14.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXE530.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXEA33.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\6cb0b6c459d5d3	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Microsoft Office\TextInputHost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Microsoft Office\22eafd247d37c3	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD7AD.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXDA2F.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\66fc9ff0ee96c2	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Windows Defender\fr-FR\TextInputHost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC9DC.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\sihost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXD51C.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXDEC4.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXE7B2.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\TextInputHost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\MSBuild\7a0fd90576e088	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC7A8.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\sihost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Windows Multimedia Platform\Registry.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Windows Defender\fr-FR\22eafd247d37c3	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXD2E8.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsass.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\Windows Multimedia Platform\ee2ad38f3d4382	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\MSBuild\explorer.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Microsoft Office\TextInputHost.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\Registry.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\6203df4a6bafc7	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\RCXEC48.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Windows\Registration\CRMLog\taskhostw.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Windows\uk-UA\winlogon.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Windows\uk-UA\cc11b995f2a76d	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Windows\Registration\CRMLog\taskhostw.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Windows\Registration\CRMLog\ea9f0e6c9e2dcd	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Windows\uk-UA\RCXE31C.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Windows\uk-UA\winlogon.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6675.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF5B1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC36F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp145E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp34D6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEAB9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp75C3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp75C3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp994D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1DB0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp57EA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC53A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC36F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp994D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7CF.tmp.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3720	schtasks.exe
752	schtasks.exe
2316	schtasks.exe
4856	schtasks.exe
4652	schtasks.exe
2856	schtasks.exe
3452	schtasks.exe
2660	schtasks.exe
2972	schtasks.exe
3804	schtasks.exe
2324	schtasks.exe
1380	schtasks.exe
2852	schtasks.exe
2644	schtasks.exe
4732	schtasks.exe
1816	schtasks.exe
3348	schtasks.exe
4508	schtasks.exe
2292	schtasks.exe
5112	schtasks.exe
5104	schtasks.exe
216	schtasks.exe
5076	schtasks.exe
4528	schtasks.exe
4684	schtasks.exe
1392	schtasks.exe
2788	schtasks.exe
1084	schtasks.exe
2896	schtasks.exe
4568	schtasks.exe
704	schtasks.exe
380	schtasks.exe
4344	schtasks.exe
2180	schtasks.exe
4724	schtasks.exe
4156	schtasks.exe
3364	schtasks.exe
4112	schtasks.exe
3548	schtasks.exe
4444	schtasks.exe
3088	schtasks.exe
436	schtasks.exe
1504	schtasks.exe
2760	schtasks.exe
4808	schtasks.exe
2380	schtasks.exe
2360	schtasks.exe
2508	schtasks.exe
2692	schtasks.exe
2288	schtasks.exe
1804	schtasks.exe
1856	schtasks.exe
3640	schtasks.exe
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
4072	powershell.exe
4072	powershell.exe
2324	powershell.exe
2324	powershell.exe
3928	powershell.exe
3928	powershell.exe
1436	powershell.exe
1436	powershell.exe
4344	powershell.exe
4344	powershell.exe
868	powershell.exe
868	powershell.exe
4676	powershell.exe
4676	powershell.exe
2680	powershell.exe
2680	powershell.exe
3088	powershell.exe
3088	powershell.exe
1436	powershell.exe
1544	powershell.exe
1544	powershell.exe
1276	powershell.exe
1276	powershell.exe
1276	powershell.exe
4072	powershell.exe
2324	powershell.exe
3928	powershell.exe
4344	powershell.exe
3088	powershell.exe
4676	powershell.exe
2680	powershell.exe
868	powershell.exe
1544	powershell.exe
3304	sihost.exe
552	sihost.exe
4892	sihost.exe
1184	sihost.exe
1976	sihost.exe
4920	sihost.exe
2016	sihost.exe
2196	sihost.exe
4928	sihost.exe
4892	sihost.exe
2904	sihost.exe
5040	sihost.exe
3540	sihost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	3304	sihost.exe
Token: SeDebugPrivilege	552	sihost.exe
Token: SeDebugPrivilege	4892	sihost.exe
Token: SeDebugPrivilege	1184	sihost.exe
Token: SeDebugPrivilege	1976	sihost.exe
Token: SeDebugPrivilege	4920	sihost.exe
Token: SeDebugPrivilege	2016	sihost.exe
Token: SeDebugPrivilege	2196	sihost.exe
Token: SeDebugPrivilege	4928	sihost.exe
Token: SeDebugPrivilege	4892	sihost.exe
Token: SeDebugPrivilege	2904	sihost.exe
Token: SeDebugPrivilege	5040	sihost.exe
Token: SeDebugPrivilege	3540	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 3208	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	141
PID 4108 wrote to memory of 3208	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	141
PID 4108 wrote to memory of 3208	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	141
PID 3208 wrote to memory of 1824	3208	tmpC36F.tmp.exe	143
PID 3208 wrote to memory of 1824	3208	tmpC36F.tmp.exe	143
PID 3208 wrote to memory of 1824	3208	tmpC36F.tmp.exe	143
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 1824 wrote to memory of 1220	1824	tmpC36F.tmp.exe	144
PID 4108 wrote to memory of 1276	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	154
PID 4108 wrote to memory of 1276	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	154
PID 4108 wrote to memory of 3088	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	155
PID 4108 wrote to memory of 3088	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	155
PID 4108 wrote to memory of 3928	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	156
PID 4108 wrote to memory of 3928	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	156
PID 4108 wrote to memory of 868	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	157
PID 4108 wrote to memory of 868	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	157
PID 4108 wrote to memory of 4344	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	158
PID 4108 wrote to memory of 4344	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	158
PID 4108 wrote to memory of 4676	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	159
PID 4108 wrote to memory of 4676	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	159
PID 4108 wrote to memory of 1436	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	160
PID 4108 wrote to memory of 1436	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	160
PID 4108 wrote to memory of 4072	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	161
PID 4108 wrote to memory of 4072	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	161
PID 4108 wrote to memory of 2680	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	162
PID 4108 wrote to memory of 2680	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	162
PID 4108 wrote to memory of 2324	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	163
PID 4108 wrote to memory of 2324	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	163
PID 4108 wrote to memory of 1544	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	164
PID 4108 wrote to memory of 1544	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	164
PID 4108 wrote to memory of 3364	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	175
PID 4108 wrote to memory of 3364	4108	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	175
PID 3364 wrote to memory of 2356	3364	cmd.exe	178
PID 3364 wrote to memory of 2356	3364	cmd.exe	178
PID 3364 wrote to memory of 3304	3364	cmd.exe	180
PID 3364 wrote to memory of 3304	3364	cmd.exe	180
PID 3304 wrote to memory of 2312	3304	sihost.exe	182
PID 3304 wrote to memory of 2312	3304	sihost.exe	182
PID 3304 wrote to memory of 1628	3304	sihost.exe	183
PID 3304 wrote to memory of 1628	3304	sihost.exe	183
PID 3304 wrote to memory of 1620	3304	sihost.exe	184
PID 3304 wrote to memory of 1620	3304	sihost.exe	184
PID 3304 wrote to memory of 1620	3304	sihost.exe	184
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 1620 wrote to memory of 4072	1620	tmp145E.tmp.exe	186
PID 2312 wrote to memory of 552	2312	WScript.exe	189
PID 2312 wrote to memory of 552	2312	WScript.exe	189
PID 552 wrote to memory of 2976	552	sihost.exe	193
PID 552 wrote to memory of 2976	552	sihost.exe	193
PID 552 wrote to memory of 3448	552	sihost.exe	194
PID 552 wrote to memory of 3448	552	sihost.exe	194
PID 552 wrote to memory of 4032	552	sihost.exe	196
PID 552 wrote to memory of 4032	552	sihost.exe	196
PID 552 wrote to memory of 4032	552	sihost.exe	196

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
"C:\Users\Admin\AppData\Local\Temp\a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4108
- C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XGbYzrvfKy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2356
- - C:\Recovery\WindowsRE\sihost.exe
    "C:\Recovery\WindowsRE\sihost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3304
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad147b51-9044-45c7-8ce9-87f77d4f2baf.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:552
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc39a88-14c1-4518-a500-4fd34da725f7.vbs"
        6⤵
        
        PID:2976
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18e42ba8-2bb8-4a5a-b61f-3e1521764ca5.vbs"
        8⤵
        
        PID:1020
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d3619d-66ce-42ca-bbc8-3551f6f27cf1.vbs"
        10⤵
        
        PID:1848
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33b69f5f-03d5-47c4-b108-8d2008af09c6.vbs"
        12⤵
        
        PID:1760
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9238fcbf-216f-4e04-be26-2846906a5f22.vbs"
        14⤵
        
        PID:1416
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7f89bc-462c-44a9-a1ed-f1212ce232d8.vbs"
        16⤵
        
        PID:2268
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cc0977e-3be6-4d12-bc70-63087fa14534.vbs"
        18⤵
        
        PID:3804
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d999cb6-abb8-4e9d-814c-e186b26086a3.vbs"
        20⤵
        
        PID:3240
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\674aebdd-d14a-413a-8493-7205f064f6d7.vbs"
        22⤵
        
        PID:3312
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cab59b6-d055-4e4a-a798-aebdf08e0501.vbs"
        24⤵
        
        PID:4756
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92879c79-7824-44c5-b0db-61f0bb473e92.vbs"
        26⤵
        
        PID:4436
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bfbfe65-fe2f-433a-bd1e-e49fd6f4bd8d.vbs"
        28⤵
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27fe8077-28c7-447c-8ecd-aaee2beb318b.vbs"
        28⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmpF5B1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF5B1.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmpF5B1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF5B1.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96db8e5b-ed36-4f9b-81f8-3045a9c03633.vbs"
        26⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmpC53A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC53A.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmpC53A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC53A.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\126ba9c5-c0b5-455f-9e75-8f4b005a0edc.vbs"
        24⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7CF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7CF.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7CF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7CF.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc32071-5339-40e9-9b04-a2366bc0efb6.vbs"
        22⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp75C3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp75C3.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp75C3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp75C3.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp75C3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp75C3.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1854fb60-cca9-448c-a5df-29daec8bb43f.vbs"
        20⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf41bac-fac4-4e4b-a631-7a9ded695b31.vbs"
        18⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cef23be-a4cb-4f26-bf88-9958b6b73e3c.vbs"
        16⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp1DB0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1DB0.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp1DB0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1DB0.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\395fc872-4137-4dba-8b45-cf44e5d3350e.vbs"
        14⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmpEAB9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEAB9.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpEAB9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEAB9.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d6ccb14-fa8c-4e1a-9c0f-86a0483d48b7.vbs"
        12⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c863362d-75f8-45f7-9794-cb2f54b8ad42.vbs"
        10⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp994D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp994D.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp994D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp994D.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp994D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp994D.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e080601-77f7-443f-bf27-b9d1ab20988c.vbs"
        8⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:532
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a8c2af-1d95-4047-94ad-f665ef86766a.vbs"
        6⤵
        
        PID:3448
      - C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9ccd40a-b54b-4bd2-b067-c32b2a074d01.vbs"
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\tmp145E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp145E.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\tmp145E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp145E.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\explorer.exe

Filesize
4.9MB

MD5
9ccdd0840333a8d430bc300546d8aa87

SHA1
1150679348b39ee6d63d875084e6d2dc36eff56f

SHA256
a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36

SHA512
c95f27d3fea0afba3424ac4d56754891d294fa3b86ec01d5aee0075f8b8078b5274b21b30b90a8a9ab8de48b2574b45d14b86d59077fbbcc366a8c775a004221

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe

Filesize
4.9MB

MD5
6dbe21d1f8b63ab3ced3453e381ee0d9

SHA1
3b5723ae88af12fab4e5640073e773ccacc6c23d

SHA256
6e92ba632028e4e1dffd5983ab4c293e9e273424cd15d1fcac174b640e94e24a

SHA512
3fd097a1275b1d7e3beb87de1977925d5a7949af4629c85effb3127cef613ec46baf5a7ff063da0c5221551ad486cdb43c8564b656281a04fb11f10241c086cf

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe

Filesize
4.9MB

MD5
dc75b13d60a4b4bb76960642a69d185a

SHA1
83fc606bbcb0393f79f557aad290f4532ffa864c

SHA256
bd0fb29d6f2c0b654933487ac63209310e45fae3535b7b3a82b3934dd18b8d4a

SHA512
493079b3fda6f089072a6db6232f7d3138de75de13a9269d1f011053d6eebfe085a7b271779f43b5d78575e87d762203fc2b3ecfbe0b421bbc9d5962b3e5bd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\12d3619d-66ce-42ca-bbc8-3551f6f27cf1.vbs

Filesize
708B

MD5
de6cc9f353213a2db5f4c83198bb979f

SHA1
34e96a6b9dec2955323de079adbd0a3dc25f54a3

SHA256
c6f5c4b5202a8a61429263f996cb16d596bb230a99068d202db3079c11e91c18

SHA512
b32e056ce7d02690ba24aae1afb97c5ccbe4aca552764040096d90e052f667d8355fa814d8f37952501f4a10e794e2a5c8e16190dc536e2abb74c09e24bd3ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\18e42ba8-2bb8-4a5a-b61f-3e1521764ca5.vbs

Filesize
708B

MD5
e8905e8ea26266b873600b5c4826e0d2

SHA1
e34baed1758dfcfcdfcb13be2e9aeaca96b4d7f2

SHA256
c4724c3789532c69f3bae760b58bad07c1786a2cb0b7d91f5f894bda0d6af08e

SHA512
20530a97e484e65572c04863a0faf5b0626a2defabfc4b3240812bb9de3304e96c4b197e0dbca43af844c99a1af136f2388a72e2fda50d7e4e0583006974b9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\33b69f5f-03d5-47c4-b108-8d2008af09c6.vbs

Filesize
708B

MD5
5ae8dc915ec63b276184536ce95c5822

SHA1
8d1bdcf9b39e646024fa3be04e8765853ad6fc78

SHA256
9cfc814a1903091314a7e6d9022cab7bdb5e99df71bdbf88de42141174210976

SHA512
ea9dc19a1b7c7f68e198027889380d6359ced2af87baf57d2f3c05f37ed1dd1aa9364a35286c1c2a5a187ee717c1589654c9e2ffe73d9d51ceda1913ce3d8d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a7f89bc-462c-44a9-a1ed-f1212ce232d8.vbs

Filesize
708B

MD5
4f7ef1d286ec5dab909328aef87b9c3e

SHA1
332fd89238ef36b931047d87aaeae2b7a288e439

SHA256
854cf5a233fc49a5bc4debf89eda051b86e4ff5e1b370be32528952d958fe798

SHA512
3c74c5de6e5368836b7e66675c2b57530637743e11ff6e90774aa677380f95d89b3279a44e6f2f8cc05720a777546e99dcb756132afdef08e45f0620ed3cfd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9238fcbf-216f-4e04-be26-2846906a5f22.vbs

Filesize
708B

MD5
21d83ab5e29b1dcd51852f68ff97fdc1

SHA1
8cce91ec364cbfa22730195b807bdace503f692b

SHA256
15731bdd2251c74963b5145c194ddcd3e3378be2d4052746b19f7f9ba5c93b4d

SHA512
2c2b1685d8225b7aba47e0b8e4ad6c2562ddad9c0e8f29d53fa8b9a8aaddac164a107070cc751ec19aa16f68d0bb6cb70d7e1d7288d4189d6c44a57f8143eb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dc39a88-14c1-4518-a500-4fd34da725f7.vbs

Filesize
707B

MD5
96c6f8fdf8799911b408a62f6e492e73

SHA1
f79bcbcfad2dd70106dfb4dca6f84fe6adce2aa2

SHA256
9c75ffa2fd85df1a52327259fc90627e84e88776820cb963f4aa98590226b808

SHA512
622434ce7c3a8ad457239108fe355ddb248e5aa43c30adf48c91ea497a6b727be9deee1209bb5dff15bef9e26b97944198e1188d64bf8b5effb865c6a014cbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGbYzrvfKy.bat

Filesize
197B

MD5
7696deee2499978935398f71e454df9a

SHA1
d0cbb343742f47dec2a2b37b2f8ec4a6889fb6f2

SHA256
0910a0701767056d577dee5e464ad056eb08eb64ea7a833fba118e9c303d3b31

SHA512
419e7517cc862970337a547a1e9cab694029464034368406c79467f586bc2ca66125f000d4f30f5f8cfd7092adddff8221535d95ddc5ad384f0d1a56d47047ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dl310g5.qbh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad147b51-9044-45c7-8ce9-87f77d4f2baf.vbs

Filesize
708B

MD5
410f34fdfd652183c2e6fdb5b8b2f25c

SHA1
7ba092caff9da0e0285df1bc958501454cdcf9c5

SHA256
92d152b16905e36b9d40890aca219ae02edf488dfdac47063984d9e9e44e7d03

SHA512
8fa75ce1e4943e38e210adc02a0aa178fde86f4b5d0a035bc277d9d801a873918e09d85320d1283ec21b1755e93a1bf19b2464edee6b0a45ef192ed556170418

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9ccd40a-b54b-4bd2-b067-c32b2a074d01.vbs

Filesize
484B

MD5
66922a16a35195fd9e644f970c59e4e1

SHA1
020425be62c7442263b4e5dbfff3c5100af69fe4

SHA256
796825cd3ac424caf3c5ba1a43e5ecc6e263ec3cd02a82783c9ed04b2c0900b0

SHA512
6eee7011bb575d4d635fcdd226200f1d2ded053b8a3926e149f6d9da65bce7b0684855014e0b2eb86726cf85336c95e14206feee0f421cf091fd86f45ddf9f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1184-424-0x000000001CA60000-0x000000001CB62000-memory.dmp

Filesize
1.0MB

Download
memory/1184-425-0x000000001C500000-0x000000001C535000-memory.dmp

Filesize
212KB

Download
memory/1220-71-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1976-437-0x000000001CC30000-0x000000001CD32000-memory.dmp

Filesize
1.0MB

Download
memory/1976-438-0x000000001BFD0000-0x000000001C005000-memory.dmp

Filesize
212KB

Download
memory/2016-464-0x000000001B8A0000-0x000000001B8B2000-memory.dmp

Filesize
72KB

Download
memory/2196-487-0x000000001C1F0000-0x000000001C202000-memory.dmp

Filesize
72KB

Download
memory/2324-218-0x000001F0A4770000-0x000001F0A4792000-memory.dmp

Filesize
136KB

Download
memory/3304-327-0x000000001BE90000-0x000000001BEA2000-memory.dmp

Filesize
72KB

Download
memory/4108-10-0x000000001BA40000-0x000000001BA4A000-memory.dmp

Filesize
40KB

Download
memory/4108-16-0x000000001C0F0000-0x000000001C0F8000-memory.dmp

Filesize
32KB

Download
memory/4108-11-0x000000001BA50000-0x000000001BA62000-memory.dmp

Filesize
72KB

Download
memory/4108-5-0x000000001BA80000-0x000000001BAD0000-memory.dmp

Filesize
320KB

Download
memory/4108-6-0x00000000014E0000-0x00000000014E8000-memory.dmp

Filesize
32KB

Download
memory/4108-7-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/4108-18-0x000000001C210000-0x000000001C21C000-memory.dmp

Filesize
48KB

Download
memory/4108-0-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download
memory/4108-199-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4108-8-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/4108-14-0x000000001BA70000-0x000000001BA7E000-memory.dmp

Filesize
56KB

Download
memory/4108-13-0x000000001BA60000-0x000000001BA6A000-memory.dmp

Filesize
40KB

Download
memory/4108-15-0x000000001C0E0000-0x000000001C0EE000-memory.dmp

Filesize
56KB

Download
memory/4108-4-0x00000000014C0000-0x00000000014DC000-memory.dmp

Filesize
112KB

Download
memory/4108-12-0x000000001C610000-0x000000001CB38000-memory.dmp

Filesize
5.2MB

Download
memory/4108-17-0x000000001C100000-0x000000001C108000-memory.dmp

Filesize
32KB

Download
memory/4108-3-0x000000001B900000-0x000000001BA2E000-memory.dmp

Filesize
1.2MB

Download
memory/4108-153-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4108-138-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download
memory/4108-2-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4108-9-0x000000001BA30000-0x000000001BA40000-memory.dmp

Filesize
64KB

Download
memory/4108-1-0x0000000000670000-0x0000000000B64000-memory.dmp

Filesize
5.0MB

Download
memory/4892-375-0x000000001BD10000-0x000000001BD22000-memory.dmp

Filesize
72KB

Download
memory/4920-462-0x000000001CF40000-0x000000001D042000-memory.dmp

Filesize
1.0MB

Download