colibri | bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Size

4.9MB
MD5

1c49870cb9f2c55b6b22bd847a95cedb
SHA1

6fb3c646d41e94d57f4f0d01d853c090589514da
SHA256

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922
SHA512

969c4a8f98da747a080a3de37924aedca323733c3c412948d58036354aa78a0f8547f35dbcce8128dbc5e8db85573b791d7ccd0ebb6521351189e4f0b7393452
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8e:+

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2716	schtasks.exe
3956	schtasks.exe
4796	schtasks.exe
3076	schtasks.exe
4944	schtasks.exe
4372	schtasks.exe
1224	schtasks.exe
4836	schtasks.exe
2436	schtasks.exe
2680	schtasks.exe
3188	schtasks.exe
4872	schtasks.exe
764	schtasks.exe
544	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ee2ad38f3d4382	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2844	schtasks.exe
2264	schtasks.exe
4768	schtasks.exe
1580	schtasks.exe
3540	schtasks.exe
1468	schtasks.exe
1836	schtasks.exe
3720	schtasks.exe
1084	schtasks.exe
1960	schtasks.exe
3480	schtasks.exe
704	schtasks.exe
4928	schtasks.exe
4576	schtasks.exe
4604	schtasks.exe
3008	schtasks.exe
4592	schtasks.exe
5024	schtasks.exe
2872	schtasks.exe
4404	schtasks.exe
1500	schtasks.exe
3172	schtasks.exe
4332	schtasks.exe
2576	schtasks.exe
2508	schtasks.exe
264	schtasks.exe
2020	schtasks.exe
3836	schtasks.exe
4964	schtasks.exe
4448	schtasks.exe
4700	schtasks.exe
2264	schtasks.exe
File created	C:\Windows\ja-JP\9e8d7a4ca61bd9	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
4936	schtasks.exe
1628	schtasks.exe
664	schtasks.exe
1428	schtasks.exe
2916	schtasks.exe
5076	schtasks.exe
2332	schtasks.exe
4680	schtasks.exe
File created	C:\Windows\Tasks\cc11b995f2a76d	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
5100	schtasks.exe
3024	schtasks.exe
1332	schtasks.exe
2952	schtasks.exe
4864	schtasks.exe
2312	schtasks.exe
2856	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3376	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1092-2-0x000000001BFE0000-0x000000001C10E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4124	powershell.exe
4064	powershell.exe
3288	powershell.exe
704	powershell.exe
2112	powershell.exe
1980	powershell.exe
4456	powershell.exe
3036	powershell.exe
4960	powershell.exe
2872	powershell.exe
1640	powershell.exe
4512	powershell.exe
4876	powershell.exe
3248	powershell.exe
264	powershell.exe
2008	powershell.exe
2304	powershell.exe
856	powershell.exe
2752	powershell.exe
3116	powershell.exe
4376	powershell.exe
2908	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Executes dropped EXE 33 IoCs

Processes:

tmpC44E.tmp.exetmpC44E.tmp.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exetmpEAEC.tmp.exetmpEAEC.tmp.exeRuntimeBroker.exetmp1D09.tmp.exetmp1D09.tmp.exetmp1D09.tmp.exeRuntimeBroker.exetmp3B00.tmp.exetmp3B00.tmp.exeRuntimeBroker.exetmp6D0D.tmp.exetmp6D0D.tmp.exeRuntimeBroker.exetmp9E3F.tmp.exetmp9E3F.tmp.exeRuntimeBroker.exetmpBB1D.tmp.exetmpBB1D.tmp.exeRuntimeBroker.exetmpEC6E.tmp.exetmpEC6E.tmp.exeRuntimeBroker.exetmp1C29.tmp.exetmp1C29.tmp.exeRuntimeBroker.exetmp4ED2.tmp.exetmp4ED2.tmp.exeRuntimeBroker.exetmp7F0A.tmp.exetmp7F0A.tmp.exe

pid	process
3916	tmpC44E.tmp.exe
5012	tmpC44E.tmp.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1788	tmpEAEC.tmp.exe
4752	tmpEAEC.tmp.exe
4300	RuntimeBroker.exe
1960	tmp1D09.tmp.exe
3776	tmp1D09.tmp.exe
3380	tmp1D09.tmp.exe
2644	RuntimeBroker.exe
4752	tmp3B00.tmp.exe
1616	tmp3B00.tmp.exe
3892	RuntimeBroker.exe
648	tmp6D0D.tmp.exe
4376	tmp6D0D.tmp.exe
3424	RuntimeBroker.exe
4696	tmp9E3F.tmp.exe
3368	tmp9E3F.tmp.exe
2660	RuntimeBroker.exe
3544	tmpBB1D.tmp.exe
4780	tmpBB1D.tmp.exe
5096	RuntimeBroker.exe
2396	tmpEC6E.tmp.exe
2492	tmpEC6E.tmp.exe
2908	RuntimeBroker.exe
1616	tmp1C29.tmp.exe
3440	tmp1C29.tmp.exe
1672	RuntimeBroker.exe
1204	tmp4ED2.tmp.exe
1708	tmp4ED2.tmp.exe
4540	RuntimeBroker.exe
3120	tmp7F0A.tmp.exe
3324	tmp7F0A.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RuntimeBroker.exeRuntimeBroker.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmpC44E.tmp.exetmpEAEC.tmp.exetmp1D09.tmp.exetmp3B00.tmp.exetmp6D0D.tmp.exetmp9E3F.tmp.exetmpBB1D.tmp.exetmpEC6E.tmp.exetmp1C29.tmp.exetmp4ED2.tmp.exetmp7F0A.tmp.exe

description	pid	process	target process
PID 3916 set thread context of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 1788 set thread context of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 3776 set thread context of 3380	3776	tmp1D09.tmp.exe	tmp1D09.tmp.exe
PID 4752 set thread context of 1616	4752	tmp3B00.tmp.exe	tmp3B00.tmp.exe
PID 648 set thread context of 4376	648	tmp6D0D.tmp.exe	tmp6D0D.tmp.exe
PID 4696 set thread context of 3368	4696	tmp9E3F.tmp.exe	tmp9E3F.tmp.exe
PID 3544 set thread context of 4780	3544	tmpBB1D.tmp.exe	tmpBB1D.tmp.exe
PID 2396 set thread context of 2492	2396	tmpEC6E.tmp.exe	tmpEC6E.tmp.exe
PID 1616 set thread context of 3440	1616	tmp1C29.tmp.exe	tmp1C29.tmp.exe
PID 1204 set thread context of 1708	1204	tmp4ED2.tmp.exe	tmp4ED2.tmp.exe
PID 3120 set thread context of 3324	3120	tmp7F0A.tmp.exe	tmp7F0A.tmp.exe

Drops file in Program Files directory 26 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\e978f868350d50	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC8F3.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\55b276f4edf653	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Common Files\powershell.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Java\jdk-1.8\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Media Player\fr-FR\conhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Common Files\powershell.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ee2ad38f3d4382	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Microsoft.NET\9e8d7a4ca61bd9	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\69ddcba757bf72	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\conhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXD3E5.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Media Player\fr-FR\088424020bedd6	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Java\jdk-1.8\886983d96e3d3e	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Drops file in Windows directory 24 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	process
File created	C:\Windows\ja-JP\RuntimeBroker.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\ja-JP\9e8d7a4ca61bd9	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\Tasks\winlogon.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\ja-JP\RuntimeBroker.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\Migration\WTR\lsass.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\it-IT\088424020bedd6	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\Vss\e978f868350d50	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\twain_32\5940a34987c991	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\appcompat\appraiser\upfc.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\Migration\WTR\lsass.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\twain_32\dllhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\Tasks\RCXC1DB.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\twain_32\dllhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\ja-JP\RCXD7FE.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\Migration\WTR\6203df4a6bafc7	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\Vss\powershell.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\it-IT\conhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\Tasks\cc11b995f2a76d	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\twain_32\RCXD5EA.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\appcompat\appraiser\upfc.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\Vss\powershell.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\Tasks\winlogon.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\appcompat\appraiser\ea1d8f6d871115	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\it-IT\conhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpC44E.tmp.exetmpEAEC.tmp.exetmp1D09.tmp.exetmp1D09.tmp.exetmpBB1D.tmp.exetmpEC6E.tmp.exetmp1C29.tmp.exetmp3B00.tmp.exetmp6D0D.tmp.exetmp9E3F.tmp.exetmp4ED2.tmp.exetmp7F0A.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC44E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEAEC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1D09.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1D09.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB1D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEC6E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1C29.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3B00.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D0D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E3F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4ED2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7F0A.tmp.exe

Modifies registry class 11 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
704	schtasks.exe
4768	schtasks.exe
3640	schtasks.exe
3836	schtasks.exe
2312	schtasks.exe
2752	schtasks.exe
3076	schtasks.exe
5064	schtasks.exe
1960	schtasks.exe
2436	schtasks.exe
4604	schtasks.exe
3288	schtasks.exe
1580	schtasks.exe
4944	schtasks.exe
3852	schtasks.exe
4836	schtasks.exe
2036	schtasks.exe
2020	schtasks.exe
548	schtasks.exe
5100	schtasks.exe
4404	schtasks.exe
4372	schtasks.exe
4700	schtasks.exe
2264	schtasks.exe
3956	schtasks.exe
4796	schtasks.exe
4928	schtasks.exe
1428	schtasks.exe
4396	schtasks.exe
664	schtasks.exe
1580	schtasks.exe
4448	schtasks.exe
748	schtasks.exe
1084	schtasks.exe
5076	schtasks.exe
2264	schtasks.exe
4576	schtasks.exe
2844	schtasks.exe
4576	schtasks.exe
3720	schtasks.exe
2716	schtasks.exe
884	schtasks.exe
3008	schtasks.exe
2312	schtasks.exe
4872	schtasks.exe
4936	schtasks.exe
1224	schtasks.exe
3188	schtasks.exe
892	schtasks.exe
1628	schtasks.exe
5024	schtasks.exe
4772	schtasks.exe
1548	schtasks.exe
2508	schtasks.exe
264	schtasks.exe
2768	schtasks.exe
2856	schtasks.exe
2332	schtasks.exe
764	schtasks.exe
544	schtasks.exe
1468	schtasks.exe
2576	schtasks.exe
2872	schtasks.exe
3996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
4960	powershell.exe
4960	powershell.exe
3036	powershell.exe
3036	powershell.exe
3248	powershell.exe
3248	powershell.exe
4064	powershell.exe
4064	powershell.exe
2872	powershell.exe
2872	powershell.exe
1980	powershell.exe
1980	powershell.exe
4512	powershell.exe
4512	powershell.exe
4876	powershell.exe
4876	powershell.exe
4064	powershell.exe
2112	powershell.exe
2112	powershell.exe
1640	powershell.exe
1640	powershell.exe
2008	powershell.exe
2008	powershell.exe
4512	powershell.exe
2872	powershell.exe
4960	powershell.exe
3248	powershell.exe
3036	powershell.exe
2112	powershell.exe
4876	powershell.exe
1640	powershell.exe
1980	powershell.exe
2008	powershell.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	4300	RuntimeBroker.exe
Token: SeDebugPrivilege	2644	RuntimeBroker.exe
Token: SeDebugPrivilege	3892	RuntimeBroker.exe
Token: SeDebugPrivilege	3424	RuntimeBroker.exe
Token: SeDebugPrivilege	2660	RuntimeBroker.exe
Token: SeDebugPrivilege	5096	RuntimeBroker.exe
Token: SeDebugPrivilege	2908	RuntimeBroker.exe
Token: SeDebugPrivilege	1672	RuntimeBroker.exe
Token: SeDebugPrivilege	4540	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exetmpC44E.tmp.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exetmpEAEC.tmp.exe

description	pid	process	target process
PID 1092 wrote to memory of 3916	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	tmpC44E.tmp.exe
PID 1092 wrote to memory of 3916	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	tmpC44E.tmp.exe
PID 1092 wrote to memory of 3916	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 3916 wrote to memory of 5012	3916	tmpC44E.tmp.exe	tmpC44E.tmp.exe
PID 1092 wrote to memory of 2008	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 2008	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4960	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4960	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 3248	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 3248	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4064	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4064	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 2112	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 2112	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4876	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4876	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4512	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 4512	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 1980	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 1980	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 3036	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 3036	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 1640	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 1640	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 2872	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 2872	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1092 wrote to memory of 340	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 1092 wrote to memory of 340	1092	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 340 wrote to memory of 1788	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	tmpEAEC.tmp.exe
PID 340 wrote to memory of 1788	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	tmpEAEC.tmp.exe
PID 340 wrote to memory of 1788	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 1788 wrote to memory of 4752	1788	tmpEAEC.tmp.exe	tmpEAEC.tmp.exe
PID 340 wrote to memory of 4124	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 4124	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 2908	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 2908	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 264	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 264	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 4456	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 4456	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 3288	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 3288	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 2304	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 2304	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 856	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 856	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 2752	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 2752	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 3116	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 3116	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 4376	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 340 wrote to memory of 4376	340	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
"C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1092
- C:\Users\Admin\AppData\Local\Temp\tmpC44E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC44E.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\tmpC44E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC44E.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
  "C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:704
- - C:\Recovery\WindowsRE\RuntimeBroker.exe
    "C:\Recovery\WindowsRE\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\835b937c-3c91-4375-93a5-4ed54a3cd52c.vbs"
      4⤵
      PID:3688
    - - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1af85d-9445-4e3a-9cd8-6a721a2805b7.vbs"
        6⤵
        
        PID:2252
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f9d164-1372-4dd0-9924-14f2f257ee88.vbs"
        8⤵
        
        PID:1668
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ea84832-67f1-4276-8784-c65e5b3cf3fb.vbs"
        10⤵
        
        PID:116
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09c07a0d-f6da-419a-b5c2-84f575dcf3d9.vbs"
        12⤵
        
        PID:2644
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbaa26fc-1e0c-4e57-8c80-7437cdbead47.vbs"
        14⤵
        
        PID:4536
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a9fcd3-6033-46a6-aaa7-9d8ebf84b8c1.vbs"
        16⤵
        
        PID:4460
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb6b80a5-8c32-4277-86df-3d6b5a30cea5.vbs"
        18⤵
        
        PID:4576
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db48d62e-7141-4d43-8928-b0dfebcea67a.vbs"
        20⤵
        
        PID:4148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef793958-e96c-4969-ac04-5aa6190cf804.vbs"
        20⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e5c882-900e-4a78-a15a-e6334d7a03d1.vbs"
        18⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp4ED2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4ED2.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp4ED2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4ED2.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c93bd6d-7ce2-43ac-a05f-da2c3733a5dc.vbs"
        16⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7d20153-fa5b-4f74-97f0-13881a8fed0e.vbs"
        14⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmpEC6E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEC6E.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmpEC6E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEC6E.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4537c3d0-c77c-4c12-b425-90efb2e18abd.vbs"
        12⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\tmpBB1D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBB1D.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmpBB1D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBB1D.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a9f99f-de26-40c6-bb99-c931e57c125e.vbs"
        10⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E3F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E3F.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E3F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E3F.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64d2d468-1848-485b-ad7a-790727352204.vbs"
        8⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D0D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D0D.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D0D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D0D.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194cf03f-15c8-423e-a029-46ef53425b9a.vbs"
        6⤵
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\tmp3B00.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3B00.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp3B00.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3B00.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1616
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2843fb7-77a2-43fa-8fb3-d292b70b0a6a.vbs"
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\tmp1D09.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1D09.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\tmp1D09.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1D09.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\tmp1D09.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1D09.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Setup\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\appraiser\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\powershell.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\powershell.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Vss\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe

Filesize
4.9MB

MD5
1c49870cb9f2c55b6b22bd847a95cedb

SHA1
6fb3c646d41e94d57f4f0d01d853c090589514da

SHA256
bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922

SHA512
969c4a8f98da747a080a3de37924aedca323733c3c412948d58036354aa78a0f8547f35dbcce8128dbc5e8db85573b791d7ccd0ebb6521351189e4f0b7393452

Download Submit
C:\Recovery\WindowsRE\886983d96e3d3e

Filesize
78B

MD5
a3ef87dc847e71ae2b79b2fbb456aedb

SHA1
09ebaeae42d69848fc90bc40b210a6ab23b0b108

SHA256
327e94477fe18d6c8774c0eb6d2c564fa79fed2c5c79c76e8f2183698d65ebdf

SHA512
d004ac390420438d39a1f295a79fc2efca9950beff28b9d3c87a3887291e7184be73ff73b8bb139cfce536ab67fe7832b7ef6378cfa5b860df53743500cba989

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
4.9MB

MD5
4199c234a34e8301fa65d9f8d46f7fb2

SHA1
386ec5d487bfdedf489db33ce3474d643b4f0f64

SHA256
1d30f1bd6accec8a688214edfd248fa31e223bff8af773c894f7759a3f53a020

SHA512
54d945405a2c13b0883adbf2152db9c5d05a048bde40a2ea9b9d7b955439355fec89d5a534858dbd2c660f1dc49463edfe3296a8bc3ee947547d4089183b6f20

Download Submit
C:\Recovery\WindowsRE\f3b6ecef712a24

Filesize
467B

MD5
597d955a4fa895ce85acedc0546c1bd3

SHA1
08a54a318ee8fc5a606ee0c4c532fb383e717dc9

SHA256
c15cf7234906872bf76da223fbeb03a4fec9856a494478e383a7ee335a69152e

SHA512
0d5fe3546fedef317c3bb789f15cfa9a19a964798040c045402c50293de475c1cd45b9791c579ac36fa9da650e86a715f9fd7d7f0f17407c5da490ac34648b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d260b9113078da49af4677c7901f5a03

SHA1
7d0778773d3d1e765a884bb03acdbccdeece582c

SHA256
e4e51ddb68b0d36fd0d284c35a13e24dcd60b405fde030db98d73e5035fc028a

SHA512
e89c9b953aca2f489affeacc6392459f55ae78658a65d78802f4468c0dddd1689092c84bed3d7cb199bb508558fd1997f757422d76b82d55b1c070f64845d356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be95052f298019b83e11336567f385fc

SHA1
556e6abda268afaeeec5e1ee65adc01660b70534

SHA256
ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027

SHA512
233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
11561ff5645f63e9ac8d34fddb724574

SHA1
9f1cffd8ce05ec7290c73160630dc4bd497efdad

SHA256
cea565872018d0f2012763db09f9351aa8080888c670171d9b1d703bc87f3397

SHA512
23e4faaccdca9bec26acaacb3c293750305bceb4ba1df2d62ab84c6e251b901a835e5418864101d705c87ce7142f777c5de1c40926886272e260a48b6796354d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ea84832-67f1-4276-8784-c65e5b3cf3fb.vbs

Filesize
715B

MD5
58bb81bd505d763bac5088b0456b1ccf

SHA1
c83b1d14c1ec0547ca24780000f743ae3e2e1684

SHA256
82efd4e9bce1f45e55e70f50d3fe62f7c608212fdacdd9053dcf9d05a4a122d1

SHA512
4192e1855814952b7960df6eeeb66eb0fae2a319b99dd6ff60e9bc7f91644deb8a7a69b4cf6a5be8021df3a5a9ff4a9ae13dcdf6055295d70bad367bd9206d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\835b937c-3c91-4375-93a5-4ed54a3cd52c.vbs

Filesize
715B

MD5
b5bc89b55188079f6debecaab80d371e

SHA1
5ca8c9d11f8a33e94be0524f9ce14521efbadb2b

SHA256
415faf028833a5b3c4e5124a26d2adfbb30106ea9f0b6f06dde22f76f8c4dbce

SHA512
d2e0b81159ef11064486d1edf7460e61797c2bb4aacf934ccbaa134a01e922e783337e7f97ba891ee90199a7c9a1f48bea83cac6fc27af1db98012dd89ca50f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_41dvfb42.cnv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1f9d164-1372-4dd0-9924-14f2f257ee88.vbs

Filesize
715B

MD5
f14d2cddbaea8de127ec21d5e5793671

SHA1
5e80358f69e096aa4f2ecb25e7ae1e973cc694ce

SHA256
6b0b06881231cbd3981f31ca7e9157443dccbff9d0f2b7659eafcf0cca1cec97

SHA512
2ae503489f28283c3060dab8ac1387af328a9b810e296180dd1e7b37caea508492db9c77ea57dfc357c715bb0ffa830667cff9ef1b12f64a81c3dfd2af6420a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2843fb7-77a2-43fa-8fb3-d292b70b0a6a.vbs

Filesize
491B

MD5
d6056c3363150bc6a861e8c7861f82b1

SHA1
b195c18d5b370353119396fd475da3fc2259d0f8

SHA256
13697424fb32d46504e678412ca1b6e9cf137c84d961cd1ad1cd970c79893e55

SHA512
998780b44971c4aae6f04841118439ab78f9dfb64e6647cf9306592010d67d9a3c24324af3b541703da24010586b417446f07e868c3be39aa566dac211ca2555

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe1af85d-9445-4e3a-9cd8-6a721a2805b7.vbs

Filesize
715B

MD5
dfc206929363f3170676e65b08112b80

SHA1
17a700a36c820de469e3b01cb59d4b73a151af95

SHA256
b4a7b16bf71db0546fc1df298f04472c7e6d5764ac61b2a13b6d75bf22092916

SHA512
241033306838c1bd175cf17b6ed4613be505c5968ab3bf6b0e7b556993cabd426017c8ba5c154ae9257e9e5564b02d3876b4f4377aa39fd5021fd3de8e4b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC44E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/340-242-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/1092-11-0x0000000003390000-0x00000000033A2000-memory.dmp

Filesize
72KB

Download
memory/1092-5-0x00000000033A0000-0x00000000033F0000-memory.dmp

Filesize
320KB

Download
memory/1092-175-0x00007FFAF29E3000-0x00007FFAF29E5000-memory.dmp

Filesize
8KB

Download
memory/1092-18-0x000000001C150000-0x000000001C15C000-memory.dmp

Filesize
48KB

Download
memory/1092-17-0x000000001C140000-0x000000001C148000-memory.dmp

Filesize
32KB

Download
memory/1092-15-0x000000001C120000-0x000000001C12E000-memory.dmp

Filesize
56KB

Download
memory/1092-14-0x000000001C110000-0x000000001C11E000-memory.dmp

Filesize
56KB

Download
memory/1092-13-0x00000000033F0000-0x00000000033FA000-memory.dmp

Filesize
40KB

Download
memory/1092-12-0x000000001CCC0000-0x000000001D1E8000-memory.dmp

Filesize
5.2MB

Download
memory/1092-0-0x00007FFAF29E3000-0x00007FFAF29E5000-memory.dmp

Filesize
8KB

Download
memory/1092-10-0x0000000003380000-0x000000000338A000-memory.dmp

Filesize
40KB

Download
memory/1092-241-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-1-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/1092-6-0x00000000019A0000-0x00000000019A8000-memory.dmp

Filesize
32KB

Download
memory/1092-8-0x0000000003350000-0x0000000003366000-memory.dmp

Filesize
88KB

Download
memory/1092-9-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1092-7-0x00000000019C0000-0x00000000019D0000-memory.dmp

Filesize
64KB

Download
memory/1092-4-0x0000000003330000-0x000000000334C000-memory.dmp

Filesize
112KB

Download
memory/1092-3-0x00007FFAF29E0000-0x00007FFAF34A1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-16-0x000000001C130000-0x000000001C138000-memory.dmp

Filesize
32KB

Download
memory/1092-2-0x000000001BFE0000-0x000000001C10E000-memory.dmp

Filesize
1.2MB

Download
memory/3248-138-0x000002559D830000-0x000002559D852000-memory.dmp

Filesize
136KB

Download
memory/4300-511-0x000000001D1C0000-0x000000001D1D2000-memory.dmp

Filesize
72KB

Download
memory/5012-75-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download