sality | d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c

Analysis

max time kernel
33s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Size

147KB
MD5

61d3136be3658491acae074138b0505d
SHA1

b6c6312033e310df775044301840c9b3b8e0e53f
SHA256

d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c
SHA512

f792581a068d7f0e92ac7106188050c9bde1521d413ef5c96614ffea1ebcabd71a8df8202f46fea4e293e14f09af0141915151d31d58ff64616d6ae9e127f960
SSDEEP

3072:pA/yzn2spnbZdIImXXbxxwBAf0p8xb7AwcGH/K2NxAjhg:pJnMIWFxgAf0GxXAwNyAAg

Score

10^/10

sality backdoor discovery evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	USBInfo.com

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	regedit.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	USBInfo.com

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\Driver.sys	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBInfo.vbe	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBInfo.sy_	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBSys.vbe	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBInfo.com	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\USBInfo.com	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBStor.vbe	cmd.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
224	attrib.exe
5060	attrib.exe
1196	attrib.exe
116	attrib.exe
4424	attrib.exe
1032	attrib.exe
1624	attrib.exe
1032	attrib.exe
3048	attrib.exe
4372	attrib.exe
3964	attrib.exe
880	attrib.exe
1332	attrib.exe
4836	attrib.exe
3036	attrib.exe
4896	attrib.exe
4008	attrib.exe
5084	attrib.exe
2800	attrib.exe
5088	attrib.exe
4384	attrib.exe
1908	attrib.exe
1512	attrib.exe
4972	attrib.exe
5004	attrib.exe
2320	attrib.exe
1344	attrib.exe
636	attrib.exe
2444	attrib.exe
2332	attrib.exe
1156	attrib.exe
3952	attrib.exe
4480	attrib.exe
2416	attrib.exe
1212	attrib.exe
4544	attrib.exe
3668	attrib.exe
4472	attrib.exe
3452	attrib.exe
2332	attrib.exe
2640	attrib.exe
2028	attrib.exe
1776	attrib.exe
2920	attrib.exe
4168	attrib.exe
4480	attrib.exe
1928	attrib.exe
5072	attrib.exe
5012	attrib.exe
1724	attrib.exe
3984	attrib.exe
2432	attrib.exe
3404	attrib.exe
2676	attrib.exe
2344	attrib.exe
4016	attrib.exe
1428	attrib.exe
936	attrib.exe
4456	attrib.exe
2540	attrib.exe
2564	attrib.exe
1724	attrib.exe
1892	attrib.exe
1068	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
668	USBInfo.com

Executes dropped EXE 1 IoCs

pid	Process
668	USBInfo.com

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	USBInfo.com
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\@ = "c:\\windows\\system32\\Drivers\\USBInfo.com"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\@ = "c:\\windows\\system32\\Drivers\\USBInfo.com"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\@ = "c:\\windows\\system32\\Drivers\\USBInfo.com"	regedit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	USBInfo.com

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\\desktop.ini	cmd.exe
File created	F:\\desktop.ini	cmd.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	USBInfo.com
File opened (read-only)	\??\G:	USBInfo.com
File opened (read-only)	\??\H:	USBInfo.com
File opened (read-only)	\??\I:	USBInfo.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\\autorun.inf	cmd.exe
File opened for modification	C:\autorun.inf	attrib.exe
File created	F:\\autorun.inf	cmd.exe
File opened for modification	F:\autorun.inf	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ScreenSave.scr	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ScreenSave.scr	cmd.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4728-7-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-6-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-5-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-9-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-10-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-15-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-17-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-8-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-19-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-30-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-31-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-32-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/4728-44-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral2/memory/668-116-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-122-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-119-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-118-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-124-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-125-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-123-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-121-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-120-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-140-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-139-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-141-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-144-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-142-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral2/memory/668-145-0x0000000002370000-0x00000000033FE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBInfo.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
4556	taskkill.exe
4536	taskkill.exe
4264	taskkill.exe
1088	taskkill.exe
4784	taskkill.exe
4364	taskkill.exe
4448	taskkill.exe
4948	taskkill.exe
4084	taskkill.exe
1440	taskkill.exe
3772	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	cmd.exe

Runs regedit.exe 11 IoCs

pid	Process
2140	regedit.exe
1368	regedit.exe
980	regedit.exe
1828	regedit.exe
3616	regedit.exe
1492	regedit.exe
748	regedit.exe
3768	regedit.exe
4436	regedit.exe
392	regedit.exe
4020	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
668	USBInfo.com
668	USBInfo.com
668	USBInfo.com
668	USBInfo.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Token: SeDebugPrivilege	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 548	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	82
PID 4728 wrote to memory of 548	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	82
PID 4728 wrote to memory of 548	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	82
PID 4728 wrote to memory of 784	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	8
PID 4728 wrote to memory of 792	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	9
PID 4728 wrote to memory of 380	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	13
PID 4728 wrote to memory of 2780	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	49
PID 4728 wrote to memory of 2868	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	50
PID 4728 wrote to memory of 2984	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	52
PID 4728 wrote to memory of 3456	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	56
PID 4728 wrote to memory of 3572	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	57
PID 4728 wrote to memory of 3760	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	58
PID 4728 wrote to memory of 3848	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	59
PID 4728 wrote to memory of 3912	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	60
PID 4728 wrote to memory of 4000	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	61
PID 4728 wrote to memory of 3972	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	62
PID 4728 wrote to memory of 4452	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	75
PID 4728 wrote to memory of 4908	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	76
PID 4728 wrote to memory of 548	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	82
PID 4728 wrote to memory of 548	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	82
PID 4728 wrote to memory of 2392	4728	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe	83
PID 548 wrote to memory of 1856	548	cmd.exe	84
PID 548 wrote to memory of 1856	548	cmd.exe	84
PID 548 wrote to memory of 1856	548	cmd.exe	84
PID 548 wrote to memory of 2492	548	cmd.exe	85
PID 548 wrote to memory of 2492	548	cmd.exe	85
PID 548 wrote to memory of 2492	548	cmd.exe	85
PID 548 wrote to memory of 4240	548	cmd.exe	86
PID 548 wrote to memory of 4240	548	cmd.exe	86
PID 548 wrote to memory of 4240	548	cmd.exe	86
PID 4240 wrote to memory of 668	4240	WScript.exe	87
PID 4240 wrote to memory of 668	4240	WScript.exe	87
PID 4240 wrote to memory of 668	4240	WScript.exe	87
PID 668 wrote to memory of 2120	668	USBInfo.com	88
PID 668 wrote to memory of 2120	668	USBInfo.com	88
PID 668 wrote to memory of 2120	668	USBInfo.com	88
PID 2120 wrote to memory of 4784	2120	cmd.exe	90
PID 2120 wrote to memory of 4784	2120	cmd.exe	90
PID 2120 wrote to memory of 4784	2120	cmd.exe	90
PID 2120 wrote to memory of 4020	2120	cmd.exe	92
PID 2120 wrote to memory of 4020	2120	cmd.exe	92
PID 2120 wrote to memory of 4020	2120	cmd.exe	92
PID 2120 wrote to memory of 2336	2120	cmd.exe	93
PID 2120 wrote to memory of 2336	2120	cmd.exe	93
PID 2120 wrote to memory of 2336	2120	cmd.exe	93
PID 2120 wrote to memory of 2404	2120	cmd.exe	94
PID 2120 wrote to memory of 2404	2120	cmd.exe	94
PID 2120 wrote to memory of 2404	2120	cmd.exe	94
PID 2120 wrote to memory of 2468	2120	cmd.exe	95
PID 2120 wrote to memory of 2468	2120	cmd.exe	95
PID 2120 wrote to memory of 2468	2120	cmd.exe	95
PID 2120 wrote to memory of 3664	2120	cmd.exe	96
PID 2120 wrote to memory of 3664	2120	cmd.exe	96
PID 2120 wrote to memory of 3664	2120	cmd.exe	96
PID 2120 wrote to memory of 224	2120	cmd.exe	97
PID 2120 wrote to memory of 224	2120	cmd.exe	97
PID 2120 wrote to memory of 224	2120	cmd.exe	97
PID 2120 wrote to memory of 2624	2120	cmd.exe	98
PID 2120 wrote to memory of 2624	2120	cmd.exe	98
PID 2120 wrote to memory of 2624	2120	cmd.exe	98
PID 2120 wrote to memory of 3048	2120	cmd.exe	99
PID 2120 wrote to memory of 3048	2120	cmd.exe	99
PID 2120 wrote to memory of 3048	2120	cmd.exe	99
PID 2120 wrote to memory of 2444	2120	cmd.exe	100

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	USBInfo.com

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
672	attrib.exe
1892	attrib.exe
3364	attrib.exe
1248	attrib.exe
3720	attrib.exe
1196	attrib.exe
1068	attrib.exe
2624	attrib.exe
2800	attrib.exe
4016	attrib.exe
5072	attrib.exe
3664	attrib.exe
3948	attrib.exe
1032	attrib.exe
4456	attrib.exe
4924	attrib.exe
1032	attrib.exe
2432	attrib.exe
2540	attrib.exe
1512	attrib.exe
4504	attrib.exe
2444	attrib.exe
4972	attrib.exe
4904	attrib.exe
3952	attrib.exe
1080	attrib.exe
1472	attrib.exe
1252	attrib.exe
1332	attrib.exe
1876	attrib.exe
5060	attrib.exe
4008	attrib.exe
1776	attrib.exe
3988	attrib.exe
5088	attrib.exe
4504	attrib.exe
4544	attrib.exe
2344	attrib.exe
636	attrib.exe
4012	attrib.exe
4268	attrib.exe
5068	attrib.exe
3048	attrib.exe
2332	attrib.exe
2424	attrib.exe
3744	attrib.exe
1856	attrib.exe
1960	attrib.exe
1724	attrib.exe
3964	attrib.exe
1156	attrib.exe
1212	attrib.exe
5012	attrib.exe
4776	attrib.exe
3256	attrib.exe
3048	attrib.exe
2332	attrib.exe
4836	attrib.exe
2416	attrib.exe
936	attrib.exe
4424	attrib.exe
4480	attrib.exe
2920	attrib.exe
3036	attrib.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2868

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe
  "C:\Users\Admin\AppData\Local\Temp\d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~6B9B.bat "C:\Users\Admin\AppData\Local\Temp\d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1856
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\SysWOW64\Drivers\USBInfo.com
        
        "C:\Windows\system32\Drivers\USBInfo.com"
        5⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Deletes itself
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:668
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~8FBD.bat "C:\Windows\system32\Drivers\USBInfo.com"
        6⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4784
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs regedit.exe
        
        PID:4020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h autorun.inf
        7⤵
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "$Recycle.Bin"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Documents and Settings"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "PerfLogs"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Program Files"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Program Files (x86)"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "ProgramData"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Recovery"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "System Volume Information"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Users"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Windows"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h autorun.inf
        7⤵
        Sets file to hidden
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "$RECYCLE.BIN"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "System Volume Information"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3952
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4364
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs regedit.exe
        
        PID:1492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4556
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs regedit.exe
        
        PID:748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:2028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:3668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:4480
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4448
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4536
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:3768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:3452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4836
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4264
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:1368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:1088
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:4436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4948
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:4896
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4084
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:5084
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:1440
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:1624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:3772
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:3616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6B9B.bat

Filesize
4KB

MD5
bc278224d87330dbedf84ddefdced3f1

SHA1
0a21b60897db6bd7559fef583bb095266110b653

SHA256
1d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a

SHA512
6ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
16779f5c7ce757bb839838c9cc41c40a

SHA1
010abfac68c8f9fe900dd5359f22aa7a3936866a

SHA256
9468d655aff6fc2fac39b5786f499c344e00a0cf6c1f8bac596d4b5c52866cc9

SHA512
c123411f0f0d54208908772edebc9bf1a34a5168b562b2592536f68b8cb71aa045ac5f22590c1890cfbbf187ca0980d6759f97bfe16a5c545972f35b2c78a9f4

Download Submit
C:\Windows\SysWOW64\Drivers\USBInfo.com

Filesize
147KB

MD5
61d3136be3658491acae074138b0505d

SHA1
b6c6312033e310df775044301840c9b3b8e0e53f

SHA256
d55623794bdd7431f6fc71cc01160f1ba7fa2075c0ba5089ae4f55b92151342c

SHA512
f792581a068d7f0e92ac7106188050c9bde1521d413ef5c96614ffea1ebcabd71a8df8202f46fea4e293e14f09af0141915151d31d58ff64616d6ae9e127f960

Download Submit
C:\Windows\SysWOW64\Drivers\USBInfo.vbe

Filesize
77B

MD5
54ceb8eabaff522c097e4949d39fbd09

SHA1
304fd3c274aac25477ba1f3f500ae34e6c94612d

SHA256
d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550

SHA512
3c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be

Download Submit
C:\Windows\SysWOW64\Drivers\USBStor.vbe

Filesize
20B

MD5
905d7a48a13a75ced1342bbdf0a3ace2

SHA1
3bcc021a82ed38810bcf61286eb1f4e578e3721f

SHA256
10338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd

SHA512
fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1

Download Submit
C:\Windows\SysWOW64\Drivers\USBSys.vbe

Filesize
19B

MD5
322866ac1312f3bc0dd8685949f35b6a

SHA1
dc3f64764aa99595ee48721142d2301ebbe07aec

SHA256
5417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6

SHA512
1b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d

Download Submit
C:\Windows\SysWOW64\drivers\USBInfo.sy_

Filesize
1KB

MD5
e3f32bf45469d18567e23485109ffdd4

SHA1
2e207b073a4237e05b5da89f9ca2e9771757620c

SHA256
e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81

SHA512
e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5

Download Submit
C:\autorun.inf

Filesize
149B

MD5
babb9292822f6963475088494e446a00

SHA1
d0f96ea279562a899f24b5a6905065de029877b0

SHA256
bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d

SHA512
b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b

Download Submit
C:\desktop.ini

Filesize
150B

MD5
ec4064ac609dc25d680be76463282759

SHA1
e811243e6946ab739afe39f79e7e010c5d3aa646

SHA256
5f7b66850209b68edce639f55db86876840969a4302143811f5953b643f45dae

SHA512
e65ad34b719c46d97729167cd0c8ed0ba8a9ee567b67a4663ddc48873735914c28315428b8415ced78a7608165910dcb4583222b08e3e1a7cabf7b3e9339401f

Download Submit
C:\rhltq.pif

Filesize
100KB

MD5
a97da289144c8f660b44e560ca25ee15

SHA1
49930c8aff3f64ca12dcf0c9cb044fb92912a1a7

SHA256
ec1ad9503fce0dc579e4e98da8c253dbb3f2899b4a95fb9f1f2043c1af84e1a3

SHA512
98099180128de508025bf9077c8a375de629974a4a92315c01e573ab3eb1a481e5ad0740b4a1af169ca64d43aeefe992271841c7cac1c74ca8a5c12a4a3162eb

Download Submit
F:\desktop.ini

Filesize
41B

MD5
fc58af21d2445196d228547ba36ce949

SHA1
f5eade25a4c478faa988d62ad7f93679a148e511

SHA256
93bd2fd7de32217b93b299ccf87fe53d47f5c1f1b44dbcfa3921f10d405d026e

SHA512
eabe18f6d152fd1f4450d618ed0084990f90071cc18d42812a68339d3fd55c8b4a4ce03fb575730a2188a8ce3bfb15c275ad6a00820902a3737723220fdd4427

Download Submit
memory/548-40-0x0000000000800000-0x0000000000802000-memory.dmp

Filesize
8KB

Download
memory/548-20-0x0000000000800000-0x0000000000802000-memory.dmp

Filesize
8KB

Download
memory/548-14-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/548-22-0x0000000000800000-0x0000000000802000-memory.dmp

Filesize
8KB

Download
memory/668-140-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-116-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-127-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/668-132-0x0000000004240000-0x0000000004242000-memory.dmp

Filesize
8KB

Download
memory/668-125-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-124-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-121-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-120-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-139-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-123-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-118-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-119-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-122-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-141-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-144-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-142-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-145-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/668-112-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2120-133-0x0000000002FC0000-0x0000000002FC2000-memory.dmp

Filesize
8KB

Download
memory/2120-129-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/4372-135-0x0000000000D70000-0x0000000000D72000-memory.dmp

Filesize
8KB

Download
memory/4372-131-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4372-134-0x0000000000D70000-0x0000000000D72000-memory.dmp

Filesize
8KB

Download
memory/4728-12-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/4728-47-0x0000000003A30000-0x0000000003A32000-memory.dmp

Filesize
8KB

Download
memory/4728-31-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-32-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4728-19-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-8-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-11-0x0000000003A30000-0x0000000003A32000-memory.dmp

Filesize
8KB

Download
memory/4728-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4728-30-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-44-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-16-0x0000000003A30000-0x0000000003A32000-memory.dmp

Filesize
8KB

Download
memory/4728-17-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-15-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-18-0x0000000003A30000-0x0000000003A32000-memory.dmp

Filesize
8KB

Download
memory/4728-10-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-9-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-5-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-6-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/4728-7-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download