colibri | 95b1a76fab69f6b786489fdfad350b7165fba55ff478769be1a09d8e2987ddc0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2022 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe1aeaec6e6923437807e0bfbb189be.exe
Size

4.9MB
MD5

3fe1aeaec6e6923437807e0bfbb189be
SHA1

26c05ec60980095cd2dee6fb6d938fbf7a95150e
SHA256

95b1a76fab69f6b786489fdfad350b7165fba55ff478769be1a09d8e2987ddc0
SHA512

aa86a0632731484d730b6bb0794f0a1e4114498dcba8e2c47fac9f1ee534e125ebdef13fc9283696fee19c2ef4272c423d091b27585083ab03b70a151d2da5d7
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	176	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2068	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exeSppExtComObj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

Executes dropped EXE 5 IoCs

Processes:

tmpFD02.tmp.exetmpFD02.tmp.exeSppExtComObj.exetmpB517.tmp.exetmpB517.tmp.exe

pid process

2164 tmpFD02.tmp.exe
2032 tmpFD02.tmp.exe
1132 SppExtComObj.exe
1588 tmpB517.tmp.exe
4476 tmpB517.tmp.exe

pid	process
2164	tmpFD02.tmp.exe
2032	tmpFD02.tmp.exe
1132	SppExtComObj.exe
1588	tmpB517.tmp.exe
4476	tmpB517.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exeSppExtComObj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3fe1aeaec6e6923437807e0bfbb189be.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exeSppExtComObj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ipinfo.io
36 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exe

description ioc process

File created C:\Windows\SysWOW64\explorer.exe 3fe1aeaec6e6923437807e0bfbb189be.exe

flow	ioc
35	ipinfo.io
36	ipinfo.io

description	ioc	process
File created	C:\Windows\SysWOW64\explorer.exe	3fe1aeaec6e6923437807e0bfbb189be.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmpFD02.tmp.exetmpB517.tmp.exe

description	pid	process	target process
PID 2164 set thread context of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 1588 set thread context of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe

Drops file in Program Files directory 28 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\38384e6a620884	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Photo Viewer\e1ef82546f0b02	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Photo Viewer\SppExtComObj.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Common Files\Services\5b884080fd4f94	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX1737.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e1ef82546f0b02	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX2A49.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\5b884080fd4f94	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Mail\RCX2789.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Mail\9e8d7a4ca61bd9	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\6ccacd8608530f	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX24D9.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Mail\RuntimeBroker.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX350B.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCX1CB8.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\SppExtComObj.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Mail\RuntimeBroker.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX1F68.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe

Drops file in Windows directory 13 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exe

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\RCX2CEA.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\CbsTemp\System.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\CbsTemp\27d1bcfc3c54e0	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Windows\CbsTemp\System.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\CSC\sppsvc.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXC75.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Windows\CbsTemp\RCX2219.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4460	schtasks.exe
1048	schtasks.exe
2908	schtasks.exe
224	schtasks.exe
1256	schtasks.exe
848	schtasks.exe
4804	schtasks.exe
4436	schtasks.exe
1636	schtasks.exe
4188	schtasks.exe
4980	schtasks.exe
4396	schtasks.exe
1292	schtasks.exe
212	schtasks.exe
2620	schtasks.exe
4788	schtasks.exe
4996	schtasks.exe
2288	schtasks.exe
4252	schtasks.exe
176	schtasks.exe
4884	schtasks.exe
3916	schtasks.exe
4104	schtasks.exe
4144	schtasks.exe
316	schtasks.exe
4860	schtasks.exe
2600	schtasks.exe
4200	schtasks.exe
4148	schtasks.exe
1296	schtasks.exe
5024	schtasks.exe
928	schtasks.exe
3564	schtasks.exe
4576	schtasks.exe
4472	schtasks.exe
1076	schtasks.exe
3012	schtasks.exe
4992	schtasks.exe
3452	schtasks.exe
688	schtasks.exe
3540	schtasks.exe
1968	schtasks.exe
1692	schtasks.exe
4556	schtasks.exe
4204	schtasks.exe
492	schtasks.exe
984	schtasks.exe
2604	schtasks.exe

Modifies registry class 2 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exeSppExtComObj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	3fe1aeaec6e6923437807e0bfbb189be.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	SppExtComObj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
2884	3fe1aeaec6e6923437807e0bfbb189be.exe
4092	powershell.exe
4092	powershell.exe
1460	powershell.exe
1460	powershell.exe
4868	powershell.exe
4868	powershell.exe
1708	powershell.exe
1708	powershell.exe
328	powershell.exe
328	powershell.exe
932	powershell.exe
932	powershell.exe
2420	powershell.exe
2420	powershell.exe
3736	powershell.exe
3736	powershell.exe
556	powershell.exe
556	powershell.exe
3696	powershell.exe
3696	powershell.exe
3624	powershell.exe
3624	powershell.exe
556	powershell.exe
4268	powershell.exe
4268	powershell.exe
4868	powershell.exe
4868	powershell.exe
4092	powershell.exe
4092	powershell.exe
1460	powershell.exe
1460	powershell.exe
328	powershell.exe
932	powershell.exe
1708	powershell.exe
1708	powershell.exe
2420	powershell.exe
3736	powershell.exe
3696	powershell.exe
3624	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2884	3fe1aeaec6e6923437807e0bfbb189be.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	1132	SppExtComObj.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SppExtComObj.exe

pid process

1132 SppExtComObj.exe

pid	process
1132	SppExtComObj.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exetmpFD02.tmp.execmd.exeSppExtComObj.exetmpB517.tmp.exe

description	pid	process	target process
PID 2884 wrote to memory of 2164	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	tmpFD02.tmp.exe
PID 2884 wrote to memory of 2164	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	tmpFD02.tmp.exe
PID 2884 wrote to memory of 2164	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2164 wrote to memory of 2032	2164	tmpFD02.tmp.exe	tmpFD02.tmp.exe
PID 2884 wrote to memory of 932	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 932	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 1460	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 1460	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 4868	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 4868	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 4092	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 4092	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 328	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 328	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 1708	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 1708	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 2420	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 2420	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3736	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3736	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 556	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 556	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 4268	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 4268	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3624	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3624	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3696	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3696	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 2884 wrote to memory of 3088	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	cmd.exe
PID 2884 wrote to memory of 3088	2884	3fe1aeaec6e6923437807e0bfbb189be.exe	cmd.exe
PID 3088 wrote to memory of 2972	3088	cmd.exe	w32tm.exe
PID 3088 wrote to memory of 2972	3088	cmd.exe	w32tm.exe
PID 3088 wrote to memory of 1132	3088	cmd.exe	SppExtComObj.exe
PID 3088 wrote to memory of 1132	3088	cmd.exe	SppExtComObj.exe
PID 1132 wrote to memory of 1588	1132	SppExtComObj.exe	tmpB517.tmp.exe
PID 1132 wrote to memory of 1588	1132	SppExtComObj.exe	tmpB517.tmp.exe
PID 1132 wrote to memory of 1588	1132	SppExtComObj.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1588 wrote to memory of 4476	1588	tmpB517.tmp.exe	tmpB517.tmp.exe
PID 1132 wrote to memory of 4968	1132	SppExtComObj.exe	WScript.exe
PID 1132 wrote to memory of 4968	1132	SppExtComObj.exe	WScript.exe
PID 1132 wrote to memory of 1924	1132	SppExtComObj.exe	WScript.exe
PID 1132 wrote to memory of 1924	1132	SppExtComObj.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exeSppExtComObj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

C:\Users\Admin\AppData\Local\Temp\3fe1aeaec6e6923437807e0bfbb189be.exe
"C:\Users\Admin\AppData\Local\Temp\3fe1aeaec6e6923437807e0bfbb189be.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2884

C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe"
3⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWrLEt72B2.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2972

C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
"C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1132

C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe"
5⤵
- Executes dropped EXE
PID:4476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6b17758-4f0a-4fb4-8229-c15a5064effa.vbs"
4⤵
PID:4968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7c7119-e55a-4a44-81b8-c96fa42a6910.vbs"
4⤵
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
Filesize
4.9MB

MD5
459c2a4065196a8430baebab88d18f0c

SHA1
314c2a4ed7600f44e9c2191c498b3627155ab65c

SHA256
8d6d0e091c21f125548d2615281d773c2f86938a6d5d1ef2ec4668be0d7321a0

SHA512
9f450f3e6bcfd920eab0351ebdf9d119261bf3736c6f747ff78be78591a4f1531267442ed1ef5e48ff9598defc18469f56ef8c22ea05f2c5170de309a8193782

Download Submit
C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
Filesize
4.9MB

MD5
459c2a4065196a8430baebab88d18f0c

SHA1
314c2a4ed7600f44e9c2191c498b3627155ab65c

SHA256
8d6d0e091c21f125548d2615281d773c2f86938a6d5d1ef2ec4668be0d7321a0

SHA512
9f450f3e6bcfd920eab0351ebdf9d119261bf3736c6f747ff78be78591a4f1531267442ed1ef5e48ff9598defc18469f56ef8c22ea05f2c5170de309a8193782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f7c7119-e55a-4a44-81b8-c96fa42a6910.vbs
Filesize
506B

MD5
efc2f6457683ecdcf8061a35470a79bb

SHA1
ffade4d0b0f07ab78f1def16304bb045c31dbfaa

SHA256
c4c06eeb1530760e8f20a5928490d90825d44a98cafe55e38149762c08c3fe89

SHA512
ceb7067089daad527238f5fef2dc3b5ed49560958a7f28e414dd3a7a57cde11d3537bdc25213085da797bf7681b13e3add68b8907ba88051f2c8185f3a86219e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWrLEt72B2.bat
Filesize
219B

MD5
efae3bae70096cef2127cc674812fa77

SHA1
398b78fbe9a9de9042b8d793f41349213dd4564b

SHA256
7d2b9cc0bbfb36edd25a14050205e67179be823494e8a501a78f5e1fbb5623e8

SHA512
30767ccc3aea0afaf4b15fb3c4dbd6d0b106128866b812a2cac6140b0bccb4ad2a14c9df851b4b1a8f96855fc9f7da9b1add55cc66f615d03363286be30629ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6b17758-4f0a-4fb4-8229-c15a5064effa.vbs
Filesize
730B

MD5
85438e1a32822b92308a30fa9a385ee8

SHA1
d547c668ebb245c91c3810cb44ec5d2bb6651876

SHA256
f89082909e2201e5ce78d5b97eb3ca0ec728b1a3b0c958bf12ce4f8fe75a0da0

SHA512
89d6d3c14811ae58aa284f9ed6c2f2642b0d9708a8d0681774b49a9070e07c98ef6d3f97a8c7416453bd4c39594f176e18fa679374e583ad3df47e26a62728e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD02.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/328-150-0x0000000000000000-mapping.dmp

Download
memory/328-183-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/328-165-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/556-154-0x0000000000000000-mapping.dmp

Download
memory/556-175-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/556-168-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/932-187-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/932-146-0x0000000000000000-mapping.dmp

Download
memory/932-161-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/1132-216-0x00007FFDE5950000-0x00007FFDE6411000-memory.dmp

Filesize
10.8MB

Download
memory/1132-215-0x000000001E720000-0x000000001E8E2000-memory.dmp

Filesize
1.8MB

Download
memory/1132-198-0x0000000000000000-mapping.dmp

Download
memory/1132-202-0x00007FFDE5950000-0x00007FFDE6411000-memory.dmp

Filesize
10.8MB

Download
memory/1132-201-0x00000000003F0000-0x00000000008E4000-memory.dmp

Filesize
5.0MB

Download
memory/1460-147-0x0000000000000000-mapping.dmp

Download
memory/1460-160-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/1460-158-0x00000245E7750000-0x00000245E7772000-memory.dmp

Filesize
136KB

Download
memory/1460-186-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/1588-206-0x00000000011E0000-0x00000000011E3000-memory.dmp

Filesize
12KB

Download
memory/1588-203-0x0000000000000000-mapping.dmp

Download
memory/1708-151-0x0000000000000000-mapping.dmp

Download
memory/1708-166-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/1708-210-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/1924-212-0x0000000000000000-mapping.dmp

Download
memory/2032-140-0x0000000000000000-mapping.dmp

Download
memory/2032-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2032-145-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2032-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2164-136-0x0000000000000000-mapping.dmp

Download
memory/2164-139-0x000000000104B000-0x0000000001051000-memory.dmp

Filesize
24KB

Download
memory/2420-193-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/2420-152-0x0000000000000000-mapping.dmp

Download
memory/2420-167-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/2884-162-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/2884-132-0x0000000000A80000-0x0000000000F74000-memory.dmp

Filesize
5.0MB

Download
memory/2884-144-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/2884-135-0x000000001DA80000-0x000000001DFA8000-memory.dmp

Filesize
5.2MB

Download
memory/2884-134-0x000000001D500000-0x000000001D550000-memory.dmp

Filesize
320KB

Download
memory/2884-133-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/2972-173-0x0000000000000000-mapping.dmp

Download
memory/3088-159-0x0000000000000000-mapping.dmp

Download
memory/3624-195-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/3624-156-0x0000000000000000-mapping.dmp

Download
memory/3624-174-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/3696-192-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/3696-172-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/3696-157-0x0000000000000000-mapping.dmp

Download
memory/3736-189-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/3736-153-0x0000000000000000-mapping.dmp

Download
memory/3736-170-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4092-164-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4092-184-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4092-149-0x0000000000000000-mapping.dmp

Download
memory/4268-171-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4268-155-0x0000000000000000-mapping.dmp

Download
memory/4268-197-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4476-207-0x0000000000000000-mapping.dmp

Download
memory/4868-163-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4868-185-0x00007FFDE5690000-0x00007FFDE6151000-memory.dmp

Filesize
10.8MB

Download
memory/4868-148-0x0000000000000000-mapping.dmp

Download
memory/4968-211-0x0000000000000000-mapping.dmp

Download