colibri | 97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Size

4.9MB
MD5

b0cae33b9c6d513565cffdde8ce50632
SHA1

4ef0e9fe78968a8bf9162c3da1837f4037dc9cd7
SHA256

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64
SHA512

31cef15772189762adcafd268dabeebd8ddde988a8503652fa9d5409d13a6e1ed1a624908e26943c28b9dc5a49477f080eb5d234a9aa68b89f95ee6f01d183e9
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4240	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4240	schtasks.exe	83

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exewininit.exewininit.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1008-3-0x000000001BDF0000-0x000000001BF1E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
5104	powershell.exe
4796	powershell.exe
792	powershell.exe
4328	powershell.exe
636	powershell.exe
2696	powershell.exe
2228	powershell.exe
2120	powershell.exe
1976	powershell.exe
1016	powershell.exe
4336	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exewininit.exewininit.exewininit.exewininit.exewininit.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 47 IoCs

Processes:

tmpD795.tmp.exetmpD795.tmp.exewininit.exetmp412.tmp.exetmp412.tmp.exewininit.exetmp24D9.tmp.exetmp24D9.tmp.exewininit.exewininit.exetmp60E8.tmp.exetmp60E8.tmp.exewininit.exetmp965F.tmp.exetmp965F.tmp.exetmp965F.tmp.exetmp965F.tmp.exewininit.exetmpB37C.tmp.exetmpB37C.tmp.exewininit.exetmpD116.tmp.exetmpD116.tmp.exewininit.exetmp555.tmp.exetmp555.tmp.exewininit.exetmp20CD.tmp.exetmp20CD.tmp.exewininit.exetmp5181.tmp.exetmp5181.tmp.exewininit.exetmp6CCA.tmp.exetmp6CCA.tmp.exewininit.exetmp88ED.tmp.exetmp88ED.tmp.exewininit.exetmpBB28.tmp.exetmpBB28.tmp.exewininit.exetmpD71C.tmp.exetmpD71C.tmp.exewininit.exetmpF34F.tmp.exetmpF34F.tmp.exe

pid	Process
4516	tmpD795.tmp.exe
3344	tmpD795.tmp.exe
4760	wininit.exe
244	tmp412.tmp.exe
4544	tmp412.tmp.exe
2152	wininit.exe
840	tmp24D9.tmp.exe
4556	tmp24D9.tmp.exe
4312	wininit.exe
4084	wininit.exe
4648	tmp60E8.tmp.exe
2880	tmp60E8.tmp.exe
4980	wininit.exe
4428	tmp965F.tmp.exe
2348	tmp965F.tmp.exe
5044	tmp965F.tmp.exe
1224	tmp965F.tmp.exe
4572	wininit.exe
1076	tmpB37C.tmp.exe
2780	tmpB37C.tmp.exe
116	wininit.exe
1132	tmpD116.tmp.exe
4192	tmpD116.tmp.exe
4508	wininit.exe
1352	tmp555.tmp.exe
2332	tmp555.tmp.exe
3992	wininit.exe
2416	tmp20CD.tmp.exe
4536	tmp20CD.tmp.exe
4648	wininit.exe
3008	tmp5181.tmp.exe
2108	tmp5181.tmp.exe
4428	wininit.exe
4572	tmp6CCA.tmp.exe
3392	tmp6CCA.tmp.exe
4756	wininit.exe
1976	tmp88ED.tmp.exe
3104	tmp88ED.tmp.exe
4696	wininit.exe
1072	tmpBB28.tmp.exe
4444	tmpBB28.tmp.exe
348	wininit.exe
2000	tmpD71C.tmp.exe
1616	tmpD71C.tmp.exe
1008	wininit.exe
2904	tmpF34F.tmp.exe
3952	tmpF34F.tmp.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

tmpD795.tmp.exetmp412.tmp.exetmp24D9.tmp.exetmp60E8.tmp.exetmp965F.tmp.exetmpB37C.tmp.exetmpD116.tmp.exetmp555.tmp.exetmp20CD.tmp.exetmp5181.tmp.exetmp6CCA.tmp.exetmp88ED.tmp.exetmpBB28.tmp.exetmpD71C.tmp.exetmpF34F.tmp.exe

description	pid	Process	procid_target
PID 4516 set thread context of 3344	4516	tmpD795.tmp.exe	125
PID 244 set thread context of 4544	244	tmp412.tmp.exe	161
PID 840 set thread context of 4556	840	tmp24D9.tmp.exe	176
PID 4648 set thread context of 2880	4648	tmp60E8.tmp.exe	192
PID 5044 set thread context of 1224	5044	tmp965F.tmp.exe	203
PID 1076 set thread context of 2780	1076	tmpB37C.tmp.exe	212
PID 1132 set thread context of 4192	1132	tmpD116.tmp.exe	221
PID 1352 set thread context of 2332	1352	tmp555.tmp.exe	232
PID 2416 set thread context of 4536	2416	tmp20CD.tmp.exe	241
PID 3008 set thread context of 2108	3008	tmp5181.tmp.exe	251
PID 4572 set thread context of 3392	4572	tmp6CCA.tmp.exe	261
PID 1976 set thread context of 3104	1976	tmp88ED.tmp.exe	270
PID 1072 set thread context of 4444	1072	tmpBB28.tmp.exe	280
PID 2000 set thread context of 1616	2000	tmpD71C.tmp.exe	288
PID 2904 set thread context of 3952	2904	tmpF34F.tmp.exe	298

Drops file in Program Files directory 28 IoCs

Processes:

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCXEE93.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE3F0.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Media Player\ea1d8f6d871115	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Google\Chrome\Application\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Media Player\upfc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\Registry.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXF115.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXDCC8.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Google\e1ef82546f0b02	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows NT\5940a34987c991	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\ee2ad38f3d4382	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXD68B.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Google\SppExtComObj.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Google\RCXD8A0.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Uninstall Information\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Windows Security\BrowserCore\lsass.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Google\Chrome\Application\56085415360792	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Uninstall Information\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXEC8F.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\upfc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\Registry.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows NT\dllhost.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\lsass.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows NT\dllhost.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Uninstall Information\56085415360792	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Windows Security\BrowserCore\6203df4a6bafc7	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Google\SppExtComObj.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Drops file in Windows directory 8 IoCs

Processes:

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

description	ioc	Process
File opened for modification	C:\Windows\Vss\RCXDAB4.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Vss\dwm.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXE642.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Vss\dwm.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Vss\6cb0b6c459d5d3	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Prefetch\ReadyBoot\9e8d7a4ca61bd9	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp412.tmp.exetmp20CD.tmp.exetmpD71C.tmp.exetmp965F.tmp.exetmp5181.tmp.exetmpF34F.tmp.exetmpB37C.tmp.exetmpBB28.tmp.exetmpD795.tmp.exetmp965F.tmp.exetmp965F.tmp.exetmp555.tmp.exetmp6CCA.tmp.exetmp88ED.tmp.exetmp24D9.tmp.exetmp60E8.tmp.exetmpD116.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp412.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp20CD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD71C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp965F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5181.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF34F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB37C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB28.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD795.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp965F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp965F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp555.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6CCA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp88ED.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp24D9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp60E8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD116.tmp.exe

Modifies registry class 16 IoCs

Processes:

wininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exewininit.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1948	schtasks.exe
1092	schtasks.exe
4528	schtasks.exe
2152	schtasks.exe
3984	schtasks.exe
4520	schtasks.exe
4812	schtasks.exe
4472	schtasks.exe
3084	schtasks.exe
4392	schtasks.exe
3268	schtasks.exe
2772	schtasks.exe
2880	schtasks.exe
584	schtasks.exe
2164	schtasks.exe
4896	schtasks.exe
4660	schtasks.exe
2240	schtasks.exe
4424	schtasks.exe
2352	schtasks.exe
2808	schtasks.exe
2112	schtasks.exe
1912	schtasks.exe
3608	schtasks.exe
4252	schtasks.exe
640	schtasks.exe
4220	schtasks.exe
1168	schtasks.exe
2988	schtasks.exe
2332	schtasks.exe
1028	schtasks.exe
4900	schtasks.exe
1668	schtasks.exe
3460	schtasks.exe
4012	schtasks.exe
1076	schtasks.exe
1860	schtasks.exe
4512	schtasks.exe
1220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	Process
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1016	powershell.exe
1016	powershell.exe
4336	powershell.exe
4336	powershell.exe
2696	powershell.exe
2696	powershell.exe
1976	powershell.exe
1976	powershell.exe
792	powershell.exe
792	powershell.exe
4328	powershell.exe
4328	powershell.exe
1016	powershell.exe
5104	powershell.exe
5104	powershell.exe
2120	powershell.exe
2120	powershell.exe
4796	powershell.exe
4796	powershell.exe
636	powershell.exe
636	powershell.exe
2228	powershell.exe
2228	powershell.exe
2120	powershell.exe
2228	powershell.exe
4796	powershell.exe
4336	powershell.exe
2696	powershell.exe
1976	powershell.exe
792	powershell.exe
4328	powershell.exe
5104	powershell.exe
636	powershell.exe
4760	wininit.exe
4760	wininit.exe
2152	wininit.exe
4312	wininit.exe
4084	wininit.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

description	pid	Process
Token: SeDebugPrivilege	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	4760	wininit.exe
Token: SeDebugPrivilege	2152	wininit.exe
Token: SeDebugPrivilege	4312	wininit.exe
Token: SeDebugPrivilege	4084	wininit.exe
Token: SeDebugPrivilege	4980	wininit.exe
Token: SeDebugPrivilege	4572	wininit.exe
Token: SeDebugPrivilege	116	wininit.exe
Token: SeDebugPrivilege	4508	wininit.exe
Token: SeDebugPrivilege	3992	wininit.exe
Token: SeDebugPrivilege	4648	wininit.exe
Token: SeDebugPrivilege	4428	wininit.exe
Token: SeDebugPrivilege	4756	wininit.exe
Token: SeDebugPrivilege	4696	wininit.exe
Token: SeDebugPrivilege	348	wininit.exe
Token: SeDebugPrivilege	1008	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exetmpD795.tmp.exewininit.exetmp412.tmp.exeWScript.exewininit.exetmp24D9.tmp.exe

description	pid	Process	procid_target
PID 1008 wrote to memory of 4516	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	123
PID 1008 wrote to memory of 4516	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	123
PID 1008 wrote to memory of 4516	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	123
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 4516 wrote to memory of 3344	4516	tmpD795.tmp.exe	125
PID 1008 wrote to memory of 2696	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	130
PID 1008 wrote to memory of 2696	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	130
PID 1008 wrote to memory of 636	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	131
PID 1008 wrote to memory of 636	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	131
PID 1008 wrote to memory of 4328	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	132
PID 1008 wrote to memory of 4328	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	132
PID 1008 wrote to memory of 4336	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	133
PID 1008 wrote to memory of 4336	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	133
PID 1008 wrote to memory of 792	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	134
PID 1008 wrote to memory of 792	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	134
PID 1008 wrote to memory of 1016	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	135
PID 1008 wrote to memory of 1016	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	135
PID 1008 wrote to memory of 1976	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	136
PID 1008 wrote to memory of 1976	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	136
PID 1008 wrote to memory of 4796	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	137
PID 1008 wrote to memory of 4796	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	137
PID 1008 wrote to memory of 2120	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	138
PID 1008 wrote to memory of 2120	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	138
PID 1008 wrote to memory of 5104	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	139
PID 1008 wrote to memory of 5104	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	139
PID 1008 wrote to memory of 2228	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	140
PID 1008 wrote to memory of 2228	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	140
PID 1008 wrote to memory of 4760	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	152
PID 1008 wrote to memory of 4760	1008	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	152
PID 4760 wrote to memory of 4764	4760	wininit.exe	157
PID 4760 wrote to memory of 4764	4760	wininit.exe	157
PID 4760 wrote to memory of 3908	4760	wininit.exe	158
PID 4760 wrote to memory of 3908	4760	wininit.exe	158
PID 4760 wrote to memory of 244	4760	wininit.exe	159
PID 4760 wrote to memory of 244	4760	wininit.exe	159
PID 4760 wrote to memory of 244	4760	wininit.exe	159
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 244 wrote to memory of 4544	244	tmp412.tmp.exe	161
PID 4764 wrote to memory of 2152	4764	WScript.exe	170
PID 4764 wrote to memory of 2152	4764	WScript.exe	170
PID 2152 wrote to memory of 4404	2152	wininit.exe	172
PID 2152 wrote to memory of 4404	2152	wininit.exe	172
PID 2152 wrote to memory of 4968	2152	wininit.exe	173
PID 2152 wrote to memory of 4968	2152	wininit.exe	173
PID 2152 wrote to memory of 840	2152	wininit.exe	174
PID 2152 wrote to memory of 840	2152	wininit.exe	174
PID 2152 wrote to memory of 840	2152	wininit.exe	174
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176
PID 840 wrote to memory of 4556	840	tmp24D9.tmp.exe	176

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

Processes:

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
"C:\Users\Admin\AppData\Local\Temp\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1008
- C:\Users\Admin\AppData\Local\Temp\tmpD795.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD795.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\tmpD795.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD795.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Program Files\Uninstall Information\wininit.exe
  "C:\Program Files\Uninstall Information\wininit.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ff7c46c-bfac-4633-8072-68894182a2bd.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Program Files\Uninstall Information\wininit.exe
      "C:\Program Files\Uninstall Information\wininit.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2152
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57c889f8-bbb4-422b-9451-258c78e11556.vbs"
        5⤵
        
        PID:4404
      - C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57aed317-d7b2-4c8b-8176-a0038b42bfc5.vbs"
        7⤵
        
        PID:2016
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb32162-bcaf-432a-b96e-399cbb589234.vbs"
        9⤵
        
        PID:4544
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d382ca3-837b-4d0c-95bc-c07ecae77a94.vbs"
        11⤵
        
        PID:872
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9780475d-1af8-4c9c-af6d-d3041758a012.vbs"
        13⤵
        
        PID:1792
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6232d8a1-a6e1-4703-a761-66ed9262b4a4.vbs"
        15⤵
        
        PID:4752
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95110aea-0f3c-4ece-8a29-1f1a2971e8ef.vbs"
        17⤵
        
        PID:464
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a70cef1a-1f0c-45de-8f97-8208db2ce33e.vbs"
        19⤵
        
        PID:3268
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79d0fb0-bb83-455f-afcf-6a5727517de3.vbs"
        21⤵
        
        PID:4248
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30f1735-248c-41a5-9b5c-aee37ea92091.vbs"
        23⤵
        
        PID:1352
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbacc78a-954e-43fe-81ca-8a8161a6293a.vbs"
        25⤵
        
        PID:1892
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b58704ee-8a5c-4cb5-96f2-72cb491003b1.vbs"
        27⤵
        
        PID:1676
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eee4354-406c-4f63-9639-224326679913.vbs"
        29⤵
        
        PID:728
        
        C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23123540-553e-49c8-b246-aed8838e6f79.vbs"
        31⤵
        
        PID:4088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aff7f0f-4a8a-4a34-bd36-a96a92dbc80a.vbs"
        31⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmpF34F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF34F.tmp.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmpF34F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF34F.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c056b10c-f5e9-44c2-902f-86e54fc63b24.vbs"
        29⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6d217ff-4133-4981-83c3-6b7f73e7ff10.vbs"
        27⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba7b2715-0832-4252-bbde-d5398e0c8113.vbs"
        25⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp88ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp88ED.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp88ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp88ED.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46cbf343-f7a1-4d0e-8ccc-5a7685e1c6af.vbs"
        23⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp6CCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6CCA.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp6CCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6CCA.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c2e96a1-7b7f-4e12-9da6-d82d3e16f1ba.vbs"
        21⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp5181.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5181.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp5181.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5181.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7f6618-e556-4454-80e7-3806fc68a47f.vbs"
        19⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp20CD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20CD.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp20CD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20CD.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7ec959d-91d6-4bb0-beeb-abd6a3cf7650.vbs"
        17⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp555.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp555.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp555.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp555.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688a9e9f-fa43-4e7d-95ce-c76d37518ad4.vbs"
        15⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96316dca-7ab2-487f-b769-a537b50f5547.vbs"
        13⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmpB37C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB37C.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB37C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB37C.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45f593d2-5628-4c9e-b473-9263ad128e0f.vbs"
        11⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45771bc2-eb44-4d93-bb6e-2754a8f8873d.vbs"
        9⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp60E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp60E8.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp60E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp60E8.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a03c057-7176-4573-a69a-3b283f450390.vbs"
        7⤵
        
        PID:2612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63f511bb-0910-4308-b831-fd6812ce6efc.vbs"
        5⤵
        
        PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\tmp24D9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp24D9.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\tmp24D9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp24D9.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4556
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5af8c74-a0d4-4385-9645-4a2d5b08d11d.vbs"
    3⤵
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\tmp412.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp412.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Users\Admin\AppData\Local\Temp\tmp412.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp412.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Vss\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Recent\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\RCXF115.tmp

Filesize
4.9MB

MD5
d8b16b41376bb02dc94ae97095b11c85

SHA1
5f5b2773e6522dbf107232a29f5c8bbd4fb8b584

SHA256
b0df6b2a05b8b7a783678a11348b9a787f27da446bc847778e1ad81e4a14e9d5

SHA512
41f059c704e1d0e4045890577feedf11c951da71090034ef7f014b499f3cbe782deee1b964b70cc27f3bf8fa62dee4288e9f7b29cd3d352af00c167d1a1c38b6

Download Submit
C:\Recovery\WindowsRE\RCXE857.tmp

Filesize
4.9MB

MD5
79327925ea78a350f9f3e16a837aa13a

SHA1
c3a97174feced7b6a107e4607875a432e9098b0a

SHA256
20608229beeed9571debe29a22b24c13d16d222d5f72d4f72e1dcfbf39268e4f

SHA512
cf8cec67fda39e3adcfd3f772f05d187676262adfd494b233455cac521ad53c8a5825594d139296e645939ca6acc0009ba563be5532355110542236d4fb873a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d382ca3-837b-4d0c-95bc-c07ecae77a94.vbs

Filesize
726B

MD5
5c12f649c11caed466eb98862031725b

SHA1
1fe3b43c419c5fef80379c38c843306431826d7e

SHA256
d8c1650856626cd1d3ca250c2efd5244d29af9571341934f09860ff5a0156977

SHA512
2566d11200f977ee3dc02e46252d98912837ee22322258d20a87227af3f8c023c340a9eabb9d2dddc63739c11828f79874554ecf9544b0236fbdff0b2578af7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\57aed317-d7b2-4c8b-8176-a0038b42bfc5.vbs

Filesize
726B

MD5
ca8745686ed07d8e1558e082d8d17072

SHA1
237005f41271d823c776a8bbbc06d9415ef68e7a

SHA256
e2b6bb297d87e2f7e781782c3d717aa950ed8150d978137c0be2b31dfc6bae5a

SHA512
3aa5b554a75ac0cce9d1dc29a2b2960a5dc738ba0f05d5f6d377be3963e8aee6fa4766b25852e66b09c112e584a797465bda3c14a40bd989953532b1b9c186e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\57c889f8-bbb4-422b-9451-258c78e11556.vbs

Filesize
726B

MD5
986022aca8f88de28da3d04c6ea3b78b

SHA1
f6959ae40abe7dea490e8034afcfe4aff7525baf

SHA256
be9a0f910e6997cdb17814ed7c6edd622e6a09ca8d77c5560436d6555edaa383

SHA512
69403d21b098cb4b6f69598d4fb0d1942ff70a77620c5ca6ac067b2e24066174eb8340fb6950126005d812da20e8698ec40a38a5bd1b31b5006f7cf4b2886012

Download Submit
C:\Users\Admin\AppData\Local\Temp\6232d8a1-a6e1-4703-a761-66ed9262b4a4.vbs

Filesize
725B

MD5
2f1306d969fe12402fecb6e1a2c107b6

SHA1
e8d8d9f20c526e434918d4a0a7edd72ffe985597

SHA256
fbfbb2c1d39db9d8d8475f5682f7e9ef97b5811603ef0497da49e279be8b47e3

SHA512
714a74687c838fbfdd61db99b0dfca370667b27b46c175cc8b8a467de9827c208efdd9d8d86ad78d8763c3ae1e7cd68ec8630b5736830193e151349f9e9bad46

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cb32162-bcaf-432a-b96e-399cbb589234.vbs

Filesize
726B

MD5
0cf69c1f19cb0332b478b8e3495bbd7e

SHA1
9f9f32e8bcba84924988fa02df02b03fe03dfd2e

SHA256
d2d259aadaf3d89af74b5026ce2c9ce3e9fb1c83f3e9d58bd8cc6499047535f5

SHA512
24d0f625e8fcd149b2942037b04399317f49d1bdccba8ad06e59ebb86f7c41174ce4d0303db30722961f0b8b9961edffa248060baf0f4f5783ed5aed997030df

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ff7c46c-bfac-4633-8072-68894182a2bd.vbs

Filesize
726B

MD5
a6cb30edd06e258b36ab9c21d90a9c27

SHA1
1e0ff01ecc72e72ab75ee6884bec81066f34d7fa

SHA256
334ded3a83a0ec323c6b6ad376576a140b850653b24c104b858a658d25818d34

SHA512
08effdd4f1b275c78343048c9058942cb01152de6321c26f9c71b40d6c6fd8d43657e6b86f5b03f41e61c2308c226499b6e68bf171797e1f44a17aa68e3a5223

Download Submit
C:\Users\Admin\AppData\Local\Temp\9780475d-1af8-4c9c-af6d-d3041758a012.vbs

Filesize
726B

MD5
ac283d9d2ae0662a8495dbbf7ba3b8b6

SHA1
da91abdab5d9bc79142a4e090bce89c2ff624b54

SHA256
36d9cf591785f714313ac1757e17d729691139f312aaa192d8b18e03996a1126

SHA512
3fe65a9faef1857e3ffdd3d1ebc272b56e748e92aa592b851baeb88e17a95b4afd26f889556a92ddb794117164c0c12facce1acba1d4ed074f671e77e5da3bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ty4n3wl4.lkm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5af8c74-a0d4-4385-9645-4a2d5b08d11d.vbs

Filesize
502B

MD5
c217cb81e2cc97f8ebc223aba3c8a9d5

SHA1
c46d0a68e4fa77a32dbd5b2e5132dd640fc430bc

SHA256
2f97202f6e2065f7dcdd841801cbe102643e1c9c7f682a9e1d98f81fb2e47ae7

SHA512
5b3b0308416b8004e5a7059c134c34b05a3b7a692284469247a3f6e4cbbb88801353b145f60f7a5a89729dfcee7e4757548076662fcc868cda7a62612c363870

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD795.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\taskhostw.exe

Filesize
4.9MB

MD5
2768bbd26e08d16c8bc0111c6b962c55

SHA1
ea84458cc54bbe73237165c4bc9dc107a01224e2

SHA256
ad62cbf2a37ea48eed714d8d5f57a8b2c7eb9dad63164ff2e70db933b21291a8

SHA512
23068d1b66cd92555ca861888b4d0fc854d6632862340359db9643252a5cbaa6a2a7149e456035b35f0a883908cc21ab74faecaa36bafaf715e52fc3a54f0267

Download Submit
C:\Users\Default\unsecapp.exe

Filesize
4.9MB

MD5
b0cae33b9c6d513565cffdde8ce50632

SHA1
4ef0e9fe78968a8bf9162c3da1837f4037dc9cd7

SHA256
97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64

SHA512
31cef15772189762adcafd268dabeebd8ddde988a8503652fa9d5409d13a6e1ed1a624908e26943c28b9dc5a49477f080eb5d234a9aa68b89f95ee6f01d183e9

Download Submit
memory/1008-15-0x000000001BF30000-0x000000001BF3E000-memory.dmp

Filesize
56KB

Download
memory/1008-17-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/1008-11-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download
memory/1008-10-0x00000000030E0000-0x00000000030EA000-memory.dmp

Filesize
40KB

Download
memory/1008-18-0x000000001C5C0000-0x000000001C5CC000-memory.dmp

Filesize
48KB

Download
memory/1008-148-0x00007FF995B40000-0x00007FF996601000-memory.dmp

Filesize
10.8MB

Download
memory/1008-12-0x000000001CAF0000-0x000000001D018000-memory.dmp

Filesize
5.2MB

Download
memory/1008-16-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/1008-309-0x00007FF995B40000-0x00007FF996601000-memory.dmp

Filesize
10.8MB

Download
memory/1008-13-0x0000000003100000-0x000000000310A000-memory.dmp

Filesize
40KB

Download
memory/1008-14-0x000000001BF20000-0x000000001BF2E000-memory.dmp

Filesize
56KB

Download
memory/1008-1-0x0000000000B20000-0x0000000001014000-memory.dmp

Filesize
5.0MB

Download
memory/1008-2-0x00007FF995B40000-0x00007FF996601000-memory.dmp

Filesize
10.8MB

Download
memory/1008-0-0x00007FF995B43000-0x00007FF995B45000-memory.dmp

Filesize
8KB

Download
memory/1008-140-0x00007FF995B43000-0x00007FF995B45000-memory.dmp

Filesize
8KB

Download
memory/1008-9-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/1008-8-0x00000000030B0000-0x00000000030C6000-memory.dmp

Filesize
88KB

Download
memory/1008-5-0x000000001C570000-0x000000001C5C0000-memory.dmp

Filesize
320KB

Download
memory/1008-6-0x0000000001880000-0x0000000001888000-memory.dmp

Filesize
32KB

Download
memory/1008-7-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/1008-4-0x0000000003080000-0x000000000309C000-memory.dmp

Filesize
112KB

Download
memory/1008-3-0x000000001BDF0000-0x000000001BF1E000-memory.dmp

Filesize
1.2MB

Download
memory/1016-203-0x0000023C3BEF0000-0x0000023C3BF12000-memory.dmp

Filesize
136KB

Download
memory/3344-71-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4572-443-0x000000001B720000-0x000000001B732000-memory.dmp

Filesize
72KB

Download
memory/4756-554-0x000000001C0D0000-0x000000001C0E2000-memory.dmp

Filesize
72KB

Download