colibri | c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186c

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Size

4.9MB
MD5

e9b2c6bac0f3a6e89f007a2c0f03ce90
SHA1

8baadb5b4824c2e3e52732a16e771f2c4d9da291
SHA256

c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186c
SHA512

02c50cc9cd5ab909239ca7077c282903a5198b56b78d48bc9a7331118ae480afb6adcdf1e9112fbea22ad7e9ebfc021ec6b10403cfc7a7b1333f540624b81799
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3872	schtasks.exe
		1588	schtasks.exe
		3444	schtasks.exe
		4780	schtasks.exe
		2628	schtasks.exe
		2584	schtasks.exe
		1540	schtasks.exe
		656	schtasks.exe
		3536	schtasks.exe
		2148	schtasks.exe
		5056	schtasks.exe
		4272	schtasks.exe
		2268	schtasks.exe
File created	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\6203df4a6bafc7		c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
		1864	schtasks.exe
		1572	schtasks.exe
		4524	schtasks.exe
		5108	schtasks.exe
		2492	schtasks.exe
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2		c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
		3592	schtasks.exe
		4244	schtasks.exe
		4048	schtasks.exe
		872	schtasks.exe
		4796	schtasks.exe
		3224	schtasks.exe
		3628	schtasks.exe
		1564	schtasks.exe
		2832	schtasks.exe
		976	schtasks.exe
		4288	schtasks.exe
		4884	schtasks.exe
		2816	schtasks.exe
		5064	schtasks.exe
		2168	schtasks.exe
		3648	schtasks.exe
		2420	schtasks.exe
		3932	schtasks.exe
		4364	schtasks.exe
		1580	schtasks.exe
		2604	schtasks.exe
		1980	schtasks.exe
		4880	schtasks.exe
		5072	schtasks.exe
		4616	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e		c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
		2620	schtasks.exe
		3956	schtasks.exe
		4264	schtasks.exe
		4536	schtasks.exe
		2028	schtasks.exe
File created	C:\Program Files (x86)\Internet Explorer\images\29c1c3cc0f7685		c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
		2044	schtasks.exe
		4464	schtasks.exe
		4332	schtasks.exe
		3768	schtasks.exe
		1532	schtasks.exe
		3536	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
		5052	schtasks.exe
		4484	schtasks.exe
		1772	schtasks.exe
		1668	schtasks.exe
		4136	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4784	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4784	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2940-3-0x000000001C130000-0x000000001C25E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1388	powershell.exe
3276	powershell.exe
4028	powershell.exe
1160	powershell.exe
960	powershell.exe
1524	powershell.exe
3904	powershell.exe
4128	powershell.exe
3544	powershell.exe
4988	powershell.exe
4244	powershell.exe
5072	powershell.exe
4984	powershell.exe
2948	powershell.exe
1608	powershell.exe
4448	powershell.exe
2284	powershell.exe
1480	powershell.exe
2688	powershell.exe
4268	powershell.exe
3828	powershell.exe
2416	powershell.exe
3536	powershell.exe
3236	powershell.exe
5088	powershell.exe
2392	powershell.exe
1816	powershell.exe
3328	powershell.exe
3256	powershell.exe
1772	powershell.exe
768	powershell.exe
3192	powershell.exe
1752	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Executes dropped EXE 34 IoCs

pid	Process
4416	tmp9251.tmp.exe
2952	tmp9251.tmp.exe
2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2980	tmpAB15.tmp.exe
5080	tmpAB15.tmp.exe
1592	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
1248	tmpD4A5.tmp.exe
2680	tmpD4A5.tmp.exe
500	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2604	tmp74E.tmp.exe
1120	tmp74E.tmp.exe
3812	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
1744	tmp36EA.tmp.exe
4264	tmp36EA.tmp.exe
2792	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2120	tmp659B.tmp.exe
4552	tmp659B.tmp.exe
1040	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
4780	tmp94C9.tmp.exe
4480	tmp94C9.tmp.exe
3256	tmp94C9.tmp.exe
4756	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
1404	tmpAFF2.tmp.exe
232	tmpAFF2.tmp.exe
2068	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
3576	tmpDE84.tmp.exe
5076	tmpDE84.tmp.exe
2604	tmpDE84.tmp.exe
4900	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
5000	tmpD25.tmp.exe
5068	tmpD25.tmp.exe
4880	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
4892	tmp3D4D.tmp.exe
4396	tmp3D4D.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4416 set thread context of 2952	4416	tmp9251.tmp.exe	104
PID 2980 set thread context of 5080	2980	tmpAB15.tmp.exe	151
PID 1248 set thread context of 2680	1248	tmpD4A5.tmp.exe	224
PID 2604 set thread context of 1120	2604	tmp74E.tmp.exe	260
PID 1744 set thread context of 4264	1744	tmp36EA.tmp.exe	270
PID 2120 set thread context of 4552	2120	tmp659B.tmp.exe	279
PID 4480 set thread context of 3256	4480	tmp94C9.tmp.exe	290
PID 1404 set thread context of 232	1404	tmpAFF2.tmp.exe	300
PID 5076 set thread context of 2604	5076	tmpDE84.tmp.exe	310
PID 5000 set thread context of 5068	5000	tmpD25.tmp.exe	320
PID 4892 set thread context of 4396	4892	tmp3D4D.tmp.exe	329

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\lsass.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Windows Mail\088424020bedd6	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Common Files\System\unsecapp.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\MSBuild\spoolsv.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files\Windows Defender\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Internet Explorer\images\29c1c3cc0f7685	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\sihost.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Windows NT\9e8d7a4ca61bd9	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Windows Defender\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Windows Defender\1dd3405f310920	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\unsecapp.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\6203df4a6bafc7	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Windows Mail\conhost.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\unsecapp.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\04c1e7795967e4	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Internet Explorer\images\unsecapp.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Crashpad\reports\Registry.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\TrustedInstaller.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX960C.tmp	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9820.tmp	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files\Windows Mail\conhost.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Common Files\System\29c1c3cc0f7685	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\TrustedInstaller.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\spoolsv.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\RCX91C3.tmp	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\lsass.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Windows NT\RuntimeBroker.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files\Crashpad\reports\ee2ad38f3d4382	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files\Windows NT\RuntimeBroker.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files\Crashpad\reports\Registry.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RCX8D7C.tmp	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Program Files (x86)\MSBuild\f3b6ecef712a24	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\dllhost.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Windows\Prefetch\ReadyBoot\5940a34987c991	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Windows\ServiceProfiles\RuntimeBroker.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Windows\schemas\TSWorkSpace\sppsvc.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\886983d96e3d3e	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File created	C:\Windows\ServiceProfiles\9e8d7a4ca61bd9	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\dllhost.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
File opened for modification	C:\Windows\ServiceProfiles\RuntimeBroker.exe	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDE84.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDE84.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3D4D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB15.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94C9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAFF2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp36EA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp659B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94C9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD25.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9251.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD4A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp74E.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3592	schtasks.exe
2028	schtasks.exe
4264	schtasks.exe
2420	schtasks.exe
1864	schtasks.exe
4880	schtasks.exe
1564	schtasks.exe
1540	schtasks.exe
2268	schtasks.exe
5056	schtasks.exe
1580	schtasks.exe
3956	schtasks.exe
2832	schtasks.exe
4524	schtasks.exe
2604	schtasks.exe
5072	schtasks.exe
3536	schtasks.exe
3932	schtasks.exe
2584	schtasks.exe
2492	schtasks.exe
2816	schtasks.exe
4796	schtasks.exe
4272	schtasks.exe
4536	schtasks.exe
1980	schtasks.exe
4252	schtasks.exe
3768	schtasks.exe
1572	schtasks.exe
1772	schtasks.exe
4288	schtasks.exe
4364	schtasks.exe
1588	schtasks.exe
4332	schtasks.exe
2628	schtasks.exe
3224	schtasks.exe
3628	schtasks.exe
3648	schtasks.exe
1596	schtasks.exe
4464	schtasks.exe
4048	schtasks.exe
4900	schtasks.exe
2944	schtasks.exe
656	schtasks.exe
2148	schtasks.exe
3444	schtasks.exe
1532	schtasks.exe
3060	schtasks.exe
3872	schtasks.exe
1812	schtasks.exe
4484	schtasks.exe
2168	schtasks.exe
4136	schtasks.exe
212	schtasks.exe
2376	schtasks.exe
2620	schtasks.exe
4848	schtasks.exe
4884	schtasks.exe
3536	schtasks.exe
5064	schtasks.exe
4780	schtasks.exe
872	schtasks.exe
2044	schtasks.exe
5052	schtasks.exe
4244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
1388	powershell.exe
1388	powershell.exe
1608	powershell.exe
1608	powershell.exe
2688	powershell.exe
2688	powershell.exe
1772	powershell.exe
1772	powershell.exe
5088	powershell.exe
5088	powershell.exe
1160	powershell.exe
1160	powershell.exe
3276	powershell.exe
3276	powershell.exe
4988	powershell.exe
4988	powershell.exe
3236	powershell.exe
3236	powershell.exe
4268	powershell.exe
4268	powershell.exe
3544	powershell.exe
3544	powershell.exe
2688	powershell.exe
3276	powershell.exe
4988	powershell.exe
4268	powershell.exe
5088	powershell.exe
1772	powershell.exe
1388	powershell.exe
1608	powershell.exe
1160	powershell.exe
3236	powershell.exe
3544	powershell.exe
2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
4028	powershell.exe
4028	powershell.exe
960	powershell.exe
960	powershell.exe
1816	powershell.exe
1816	powershell.exe
2948	powershell.exe
2948	powershell.exe
3828	powershell.exe
3828	powershell.exe
768	powershell.exe
768	powershell.exe
2392	powershell.exe
2392	powershell.exe
3192	powershell.exe
3192	powershell.exe
960	powershell.exe
4984	powershell.exe
4984	powershell.exe
4244	powershell.exe
4244	powershell.exe
5072	powershell.exe
5072	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	1592	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	500	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	3812	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	2792	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	1040	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	4756	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	2068	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	4900	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Token: SeDebugPrivilege	4880	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 4416	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	102
PID 2940 wrote to memory of 4416	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	102
PID 2940 wrote to memory of 4416	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	102
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 4416 wrote to memory of 2952	4416	tmp9251.tmp.exe	104
PID 2940 wrote to memory of 3544	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	105
PID 2940 wrote to memory of 3544	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	105
PID 2940 wrote to memory of 1608	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	106
PID 2940 wrote to memory of 1608	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	106
PID 2940 wrote to memory of 1160	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	107
PID 2940 wrote to memory of 1160	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	107
PID 2940 wrote to memory of 4988	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	108
PID 2940 wrote to memory of 4988	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	108
PID 2940 wrote to memory of 3276	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	109
PID 2940 wrote to memory of 3276	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	109
PID 2940 wrote to memory of 1772	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	110
PID 2940 wrote to memory of 1772	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	110
PID 2940 wrote to memory of 5088	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	111
PID 2940 wrote to memory of 5088	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	111
PID 2940 wrote to memory of 4268	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	112
PID 2940 wrote to memory of 4268	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	112
PID 2940 wrote to memory of 3236	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	113
PID 2940 wrote to memory of 3236	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	113
PID 2940 wrote to memory of 2688	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	114
PID 2940 wrote to memory of 2688	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	114
PID 2940 wrote to memory of 1388	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	115
PID 2940 wrote to memory of 1388	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	115
PID 2940 wrote to memory of 2096	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	127
PID 2940 wrote to memory of 2096	2940	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	127
PID 2096 wrote to memory of 2980	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	149
PID 2096 wrote to memory of 2980	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	149
PID 2096 wrote to memory of 2980	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	149
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2980 wrote to memory of 5080	2980	tmpAB15.tmp.exe	151
PID 2096 wrote to memory of 3828	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	155
PID 2096 wrote to memory of 3828	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	155
PID 2096 wrote to memory of 768	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	156
PID 2096 wrote to memory of 768	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	156
PID 2096 wrote to memory of 4244	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	157
PID 2096 wrote to memory of 4244	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	157
PID 2096 wrote to memory of 4028	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	158
PID 2096 wrote to memory of 4028	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	158
PID 2096 wrote to memory of 960	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	159
PID 2096 wrote to memory of 960	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	159
PID 2096 wrote to memory of 3192	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	160
PID 2096 wrote to memory of 3192	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	160
PID 2096 wrote to memory of 5072	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	161
PID 2096 wrote to memory of 5072	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	161
PID 2096 wrote to memory of 2392	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	162
PID 2096 wrote to memory of 2392	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	162
PID 2096 wrote to memory of 4984	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	163
PID 2096 wrote to memory of 4984	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	163
PID 2096 wrote to memory of 1816	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	164
PID 2096 wrote to memory of 1816	2096	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe	164

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
"C:\Users\Admin\AppData\Local\Temp\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2940
- C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
  "C:\Users\Admin\AppData\Local\Temp\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\tmpAB15.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAB15.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\tmpAB15.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpAB15.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:5080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X0wWkAbGaQ.bat"
    3⤵
    PID:1872
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
      "C:\Users\Admin\AppData\Local\Temp\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1248
      - C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fi3GuRHdIz.bat"
        5⤵
        
        PID:2880
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2832
      - C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        "C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a70605c6-80ff-4398-9afd-bcebc9485f05.vbs"
        7⤵
        
        PID:1988
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d698e7a8-d43a-4d0a-98c3-7c44e87bddff.vbs"
        9⤵
        
        PID:1532
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3df1d86-453b-407c-8636-8420eee693f0.vbs"
        11⤵
        
        PID:2896
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c71db32-56ca-4ff9-b66f-c32258216118.vbs"
        13⤵
        
        PID:1980
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f173bf-6d62-4747-85c2-bf18dcb28498.vbs"
        15⤵
        
        PID:3020
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08ec649c-c527-42b6-a855-ea4720eadf05.vbs"
        17⤵
        
        PID:4484
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd633487-901f-43c5-9c14-5e70276cc65c.vbs"
        19⤵
        
        PID:2776
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        
        C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\896f82fb-6d08-4310-b8a9-dd4f910aa86b.vbs"
        21⤵
        
        PID:4016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0556b158-c1e9-4b7b-9c8f-15c12963a2db.vbs"
        21⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\873f3804-ded3-4872-b14b-a016435ad858.vbs"
        19⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmpD25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD25.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmpD25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD25.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c80b955-e09d-4e09-be89-75d8f8afb604.vbs"
        17⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de7bdd62-db39-4ec9-b281-f6fb748f5801.vbs"
        15⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpAFF2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAFF2.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmpAFF2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAFF2.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\256324b0-e2c7-4bc0-b3d1-66847ebad987.vbs"
        13⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp94C9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp94C9.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp94C9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp94C9.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp94C9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp94C9.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5baffad-60ac-4751-998a-ba2b2cca0925.vbs"
        11⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp659B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp659B.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp659B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp659B.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a810840-234d-4bd8-948e-d31ffa531706.vbs"
        9⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f2ab13-8d6e-40b4-929b-35babb65554f.vbs"
        7⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp74E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp74E.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp74E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp74E.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cNc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cNc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cNc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cNc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\reports\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe

Filesize
4.9MB

MD5
e9b2c6bac0f3a6e89f007a2c0f03ce90

SHA1
8baadb5b4824c2e3e52732a16e771f2c4d9da291

SHA256
c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186c

SHA512
02c50cc9cd5ab909239ca7077c282903a5198b56b78d48bc9a7331118ae480afb6adcdf1e9112fbea22ad7e9ebfc021ec6b10403cfc7a7b1333f540624b81799

Download Submit
C:\Program Files (x86)\Windows Mail\sihost.exe

Filesize
4.9MB

MD5
d77d97a532954c2c0cf31dfefb552631

SHA1
9d05f18467e5dcbe3cee57d09f8da8d604a7b4c1

SHA256
dd162d307c05a4055902ced2e89a96abd250b529c2f050f15f47c5b64bae1f85

SHA512
0b1d7080d7d55028858cfab317c41781f07c524f54ad93ea089b470520b136b265d7e68f098cb097039e5c7e08e784f3589de600785f40cfcd655028da3582cb

Download Submit
C:\Recovery\WindowsRE\886983d96e3d3e

Filesize
383B

MD5
5da20e17fdbd90e085c09705c3e6da70

SHA1
abdfa71c1fc19ba252898a40fe04ef113b1d2c41

SHA256
4c8fb1d5cf236974e723e48c165d317a2ccda0601a5c16123da68bbdab42a46e

SHA512
6d9b033d1238247a54432d2d77243191887bb934c0c0710afa456cf44a201b3f6209513ed6841ae156a563f27a34976cc7a49fb6206c221d924aefc42f647e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c7b54b14e4285a906edb247e52ef72a380e33a86f1de016b278b2877d715186cN.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92075279f2dbcaa5724ee5a47e49712f

SHA1
8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

SHA256
fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

SHA512
744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8846686b7f2d146c0baa27459eedbd8d

SHA1
c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

SHA256
33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

SHA512
3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
369695513ad290fab64e6eb93ddf3778

SHA1
05ee4dae57530ac4b740643c30c7fe0e222ded99

SHA256
618fcdccd10360caeab3f7cf64d9caa8d738de270246d9ab3e442b42a9d82194

SHA512
6f132fb1901105fc032db2fd5c5ad4afc0dd949dff5d2e961caeae59bd3465e14d5c46ef847afed3e13aeb9f4d418b090449d15a21cd3607621c3494d72bef65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce0c2fd0f881d4c57e9df4944f8acd84

SHA1
1343d3d9f85973a1f7918dd612d0e70bdf962ffc

SHA256
66851f3b3d4cce3c4cdd691ef09f62f19181a6a1e194b9d96a2f0e82f12076ee

SHA512
e78794c65f82308e7b7ea8a13ea4b5422523613fe8282998a4ed426fb815d06f96e76f54aaca7cf5c0198ff1018ebdfce548953d729347ca25d06fedbdb2cbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3505effaead0f06d098f1aec01836881

SHA1
94bafdbeb2f5adbd8cec709574df5b8dbcc5eba3

SHA256
5d39a25ff8842c7c14aa14f99c5e3e1606fb7516c57f03dc41069df3c3de0517

SHA512
934d8eab5bc2ec20e800c668f3c3434829feade4771918a22d712f7ba39f91f93877a1e9dc1beac966646af0c9dd2cf118041535143b3abc585fea8dfb1299f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0wWkAbGaQ.bat

Filesize
268B

MD5
cd92d26614c739e8bd4e6b4b00c890a0

SHA1
8cea1e80d71ac8a4c9788d6f9777ded26b6349d8

SHA256
5ea43e234ade6a707b56755ed367790bc1090a64232db654d54aa74ac55ffb12

SHA512
f32e2d32bf16c3a1c24b14d6592f8119d6bc772f2061fb3c8b3b8e2c7261e9cf14636d804c869310edde7bc6c301f4a6ed448989488e8d1770ee6768b93dc0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjgrxylf.fdw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a70605c6-80ff-4398-9afd-bcebc9485f05.vbs

Filesize
766B

MD5
43a19422e17625458ebc5ec4da8aef11

SHA1
77640cc49bf15b67bc456c44362884081adcd386

SHA256
5dfc127a9a753cf0060b252d1a971a28f134a5d320b825dd720275fac9a7e0cf

SHA512
5ff2812b399660eb5d695c6550943658d7b41453ca8de9ef3ef2ee2a08730d835fb79a4c121dd77984f7a9740d204b2f0e84d76415fb67f826d854729395df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0f2ab13-8d6e-40b4-929b-35babb65554f.vbs

Filesize
543B

MD5
927ee825a396b5c96ae23e444713ec1c

SHA1
a0f14b22a7975a5ff574dce447f819160b079ddc

SHA256
0eea940c72431b8725e49abfd1dde9a5f7e64f7ed293b5b6073bd0716a970a53

SHA512
380b720525878e430ee5dc35a039917507fafe9e741a89bd0f9cc559973be1aab631d54700e4a8f98317e43b49eaf4cd33494d93021ffe38dfd43f4f2d343919

Download Submit
C:\Users\Admin\AppData\Local\Temp\d698e7a8-d43a-4d0a-98c3-7c44e87bddff.vbs

Filesize
767B

MD5
d37b903788b066056bf10a653087397a

SHA1
edd0454c28f8507018717760182004521b862c75

SHA256
985a8f8d70e01efd51e5a16e3313a818c7e4887227fd9f6a82fdc4342086a7f1

SHA512
833ab40fe52cf5dbc3afc10103bd0d6bf9f172e499c5d921d270f144a6fff8ffcb03de80fff7029a05bec4bd043b0bc57a3fe687124f5a8fa716faa5edc27344

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi3GuRHdIz.bat

Filesize
256B

MD5
c0e0c2e9a54fa072a70c1199d8b798c4

SHA1
6de1de4a922f8632baeb2e79f0a74d62915e816a

SHA256
00cb5d30946d6b09e9f0a2bf732ead03260c0697391aded536037b4ad497db8b

SHA512
702cb9d29e94631f9d5ef1c873ebe426e93532629a3608b4ed83d6da63201273cc97a2b169a25443a499d8ffc8e03b76822d064d06fa618121a7885edfeaad92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/500-566-0x000000001C370000-0x000000001C382000-memory.dmp

Filesize
72KB

Download
memory/1592-378-0x0000000003590000-0x00000000035A2000-memory.dmp

Filesize
72KB

Download
memory/2096-191-0x000000001B600000-0x000000001B612000-memory.dmp

Filesize
72KB

Download
memory/2940-12-0x000000001CDD0000-0x000000001D2F8000-memory.dmp

Filesize
5.2MB

Download
memory/2940-14-0x000000001C110000-0x000000001C11E000-memory.dmp

Filesize
56KB

Download
memory/2940-1-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download
memory/2940-2-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

Filesize
10.8MB

Download
memory/2940-13-0x000000001C100000-0x000000001C10A000-memory.dmp

Filesize
40KB

Download
memory/2940-16-0x000000001C270000-0x000000001C278000-memory.dmp

Filesize
32KB

Download
memory/2940-17-0x000000001C280000-0x000000001C288000-memory.dmp

Filesize
32KB

Download
memory/2940-10-0x00000000035B0000-0x00000000035BA000-memory.dmp

Filesize
40KB

Download
memory/2940-11-0x0000000003610000-0x0000000003622000-memory.dmp

Filesize
72KB

Download
memory/2940-15-0x000000001C260000-0x000000001C26E000-memory.dmp

Filesize
56KB

Download
memory/2940-190-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

Filesize
10.8MB

Download
memory/2940-0-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp

Filesize
8KB

Download
memory/2940-18-0x000000001C8A0000-0x000000001C8AC000-memory.dmp

Filesize
48KB

Download
memory/2940-9-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/2940-8-0x0000000003580000-0x0000000003596000-memory.dmp

Filesize
88KB

Download
memory/2940-6-0x0000000003410000-0x0000000003418000-memory.dmp

Filesize
32KB

Download
memory/2940-7-0x0000000003570000-0x0000000003580000-memory.dmp

Filesize
64KB

Download
memory/2940-5-0x00000000035C0000-0x0000000003610000-memory.dmp

Filesize
320KB

Download
memory/2940-4-0x00000000033F0000-0x000000000340C000-memory.dmp

Filesize
112KB

Download
memory/2940-3-0x000000001C130000-0x000000001C25E000-memory.dmp

Filesize
1.2MB

Download
memory/2952-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4900-680-0x000000001B920000-0x000000001B932000-memory.dmp

Filesize
72KB

Download
memory/5088-97-0x000001AD29F90000-0x000001AD29FB2000-memory.dmp

Filesize
136KB

Download