colibri | 057029b10fb991791435ba26d2715749bad8114beb7652132c0e8471d0200d11

Analysis

max time kernel
118s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f604c1ca06db7206f1699e6d908a7a0N.exe
Size

4.9MB
MD5

7f604c1ca06db7206f1699e6d908a7a0
SHA1

ba7e4204908407f64ce41d867a312b970c450ca3
SHA256

057029b10fb991791435ba26d2715749bad8114beb7652132c0e8471d0200d11
SHA512

04ac0f43e282eecaedd7ca0012469145269780ff54b792d511f025851df0974ad1ae568a22e80e78e5b444431e9ebea60e3dcb77a0c9233faee7b758d5354ee8
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	1160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1160	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7f604c1ca06db7206f1699e6d908a7a0N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2364-3-0x000000001C010000-0x000000001C13E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
432	powershell.exe
3336	powershell.exe
3276	powershell.exe
4276	powershell.exe
2084	powershell.exe
3432	powershell.exe
4704	powershell.exe
216	powershell.exe
312	powershell.exe
2336	powershell.exe
2464	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7f604c1ca06db7206f1699e6d908a7a0N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	7f604c1ca06db7206f1699e6d908a7a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 36 IoCs

Processes:

tmpB79B.tmp.exetmpB79B.tmp.exefontdrvhost.exetmpDF54.tmp.exetmpDF54.tmp.exefontdrvhost.exetmp12D7.tmp.exetmp12D7.tmp.exefontdrvhost.exefontdrvhost.exetmp6387.tmp.exetmp6387.tmp.exetmp6387.tmp.exetmp6387.tmp.exetmp6387.tmp.exefontdrvhost.exetmp94F8.tmp.exetmp94F8.tmp.exetmp94F8.tmp.exefontdrvhost.exetmpC649.tmp.exetmpC649.tmp.exefontdrvhost.exetmpF865.tmp.exetmpF865.tmp.exefontdrvhost.exetmp2BC9.tmp.exetmp2BC9.tmp.exefontdrvhost.exetmp47AE.tmp.exetmp47AE.tmp.exefontdrvhost.exetmp79BA.tmp.exetmp79BA.tmp.exetmp79BA.tmp.exetmp79BA.tmp.exe

pid	process
4864	tmpB79B.tmp.exe
3836	tmpB79B.tmp.exe
332	fontdrvhost.exe
1580	tmpDF54.tmp.exe
1932	tmpDF54.tmp.exe
4360	fontdrvhost.exe
3384	tmp12D7.tmp.exe
4864	tmp12D7.tmp.exe
2892	fontdrvhost.exe
1972	fontdrvhost.exe
768	tmp6387.tmp.exe
4792	tmp6387.tmp.exe
2648	tmp6387.tmp.exe
4764	tmp6387.tmp.exe
2364	tmp6387.tmp.exe
1312	fontdrvhost.exe
2792	tmp94F8.tmp.exe
1876	tmp94F8.tmp.exe
1184	tmp94F8.tmp.exe
1920	fontdrvhost.exe
4540	tmpC649.tmp.exe
3428	tmpC649.tmp.exe
3404	fontdrvhost.exe
4584	tmpF865.tmp.exe
2104	tmpF865.tmp.exe
1828	fontdrvhost.exe
1728	tmp2BC9.tmp.exe
2576	tmp2BC9.tmp.exe
2756	fontdrvhost.exe
3868	tmp47AE.tmp.exe
3156	tmp47AE.tmp.exe
2380	fontdrvhost.exe
2848	tmp79BA.tmp.exe
3672	tmp79BA.tmp.exe
4872	tmp79BA.tmp.exe
4276	tmp79BA.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe7f604c1ca06db7206f1699e6d908a7a0N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

tmpB79B.tmp.exetmpDF54.tmp.exetmp12D7.tmp.exetmp6387.tmp.exetmp94F8.tmp.exetmpC649.tmp.exetmpF865.tmp.exetmp2BC9.tmp.exetmp47AE.tmp.exetmp79BA.tmp.exe

description	pid	process	target process
PID 4864 set thread context of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 1580 set thread context of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 3384 set thread context of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 4764 set thread context of 2364	4764	tmp6387.tmp.exe	tmp6387.tmp.exe
PID 1876 set thread context of 1184	1876	tmp94F8.tmp.exe	tmp94F8.tmp.exe
PID 4540 set thread context of 3428	4540	tmpC649.tmp.exe	tmpC649.tmp.exe
PID 4584 set thread context of 2104	4584	tmpF865.tmp.exe	tmpF865.tmp.exe
PID 1728 set thread context of 2576	1728	tmp2BC9.tmp.exe	tmp2BC9.tmp.exe
PID 3868 set thread context of 3156	3868	tmp47AE.tmp.exe	tmp47AE.tmp.exe
PID 4872 set thread context of 4276	4872	tmp79BA.tmp.exe	tmp79BA.tmp.exe

Drops file in Program Files directory 4 IoCs

Processes:

7f604c1ca06db7206f1699e6d908a7a0N.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\sysmon.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Program Files\Uninstall Information\sysmon.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File created	C:\Program Files\Uninstall Information\121e5b5079f7c0	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXB49B.tmp	7f604c1ca06db7206f1699e6d908a7a0N.exe

Drops file in Windows directory 12 IoCs

Processes:

7f604c1ca06db7206f1699e6d908a7a0N.exe

description	ioc	process
File created	C:\Windows\Cursors\dwm.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File created	C:\Windows\IdentityCRL\INT\unsecapp.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXBAD9.tmp	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Windows\Cursors\dwm.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Windows\IdentityCRL\INT\unsecapp.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Windows\Cursors\RCXC1A2.tmp	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Windows\IdentityCRL\INT\RCXC84C.tmp	7f604c1ca06db7206f1699e6d908a7a0N.exe
File created	C:\Windows\Panther\setup.exe\dllhost.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe
File created	C:\Windows\Panther\setup.exe\5940a34987c991	7f604c1ca06db7206f1699e6d908a7a0N.exe
File created	C:\Windows\Cursors\6cb0b6c459d5d3	7f604c1ca06db7206f1699e6d908a7a0N.exe
File created	C:\Windows\IdentityCRL\INT\29c1c3cc0f7685	7f604c1ca06db7206f1699e6d908a7a0N.exe
File opened for modification	C:\Windows\Panther\setup.exe\dllhost.exe	7f604c1ca06db7206f1699e6d908a7a0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp6387.tmp.exetmp94F8.tmp.exetmp94F8.tmp.exetmpB79B.tmp.exetmpDF54.tmp.exetmp6387.tmp.exetmp79BA.tmp.exetmp6387.tmp.exetmp6387.tmp.exetmp2BC9.tmp.exetmp79BA.tmp.exetmp79BA.tmp.exetmp12D7.tmp.exetmpF865.tmp.exetmpC649.tmp.exetmp47AE.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6387.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94F8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94F8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB79B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDF54.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6387.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79BA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6387.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6387.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2BC9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79BA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79BA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp12D7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF865.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC649.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp47AE.tmp.exe

Modifies registry class 11 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe7f604c1ca06db7206f1699e6d908a7a0N.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7f604c1ca06db7206f1699e6d908a7a0N.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4420	schtasks.exe
1584	schtasks.exe
4560	schtasks.exe
4956	schtasks.exe
732	schtasks.exe
3352	schtasks.exe
3376	schtasks.exe
4376	schtasks.exe
3996	schtasks.exe
4992	schtasks.exe
2044	schtasks.exe
3200	schtasks.exe
3612	schtasks.exe
1220	schtasks.exe
3512	schtasks.exe
4324	schtasks.exe
3660	schtasks.exe
4260	schtasks.exe
2500	schtasks.exe
212	schtasks.exe
4404	schtasks.exe
116	schtasks.exe
1964	schtasks.exe
4884	schtasks.exe
1560	schtasks.exe
5112	schtasks.exe
4396	schtasks.exe
3592	schtasks.exe
2988	schtasks.exe
4620	schtasks.exe
2816	schtasks.exe
1424	schtasks.exe
2312	schtasks.exe
3036	schtasks.exe
4648	schtasks.exe
3920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

7f604c1ca06db7206f1699e6d908a7a0N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
4276	powershell.exe
4276	powershell.exe
2464	powershell.exe
2464	powershell.exe
4704	powershell.exe
4704	powershell.exe
2084	powershell.exe
2084	powershell.exe
3336	powershell.exe
3336	powershell.exe
3276	powershell.exe
3276	powershell.exe
216	powershell.exe
216	powershell.exe
312	powershell.exe
312	powershell.exe
3432	powershell.exe
3432	powershell.exe
2464	powershell.exe
2336	powershell.exe
2336	powershell.exe
3276	powershell.exe
432	powershell.exe
432	powershell.exe
2336	powershell.exe
432	powershell.exe
4276	powershell.exe
2084	powershell.exe
4704	powershell.exe
216	powershell.exe
3336	powershell.exe
3432	powershell.exe
312	powershell.exe
332	fontdrvhost.exe
332	fontdrvhost.exe
4360	fontdrvhost.exe
2892	fontdrvhost.exe
1972	fontdrvhost.exe
1312	fontdrvhost.exe
1920	fontdrvhost.exe
3404	fontdrvhost.exe
1828	fontdrvhost.exe
2756	fontdrvhost.exe
2380	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	332	fontdrvhost.exe
Token: SeDebugPrivilege	4360	fontdrvhost.exe
Token: SeDebugPrivilege	2892	fontdrvhost.exe
Token: SeDebugPrivilege	1972	fontdrvhost.exe
Token: SeDebugPrivilege	1312	fontdrvhost.exe
Token: SeDebugPrivilege	1920	fontdrvhost.exe
Token: SeDebugPrivilege	3404	fontdrvhost.exe
Token: SeDebugPrivilege	1828	fontdrvhost.exe
Token: SeDebugPrivilege	2756	fontdrvhost.exe
Token: SeDebugPrivilege	2380	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7f604c1ca06db7206f1699e6d908a7a0N.exetmpB79B.tmp.exefontdrvhost.exetmpDF54.tmp.exeWScript.exefontdrvhost.exetmp12D7.tmp.exe

description	pid	process	target process
PID 2364 wrote to memory of 4864	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	tmpB79B.tmp.exe
PID 2364 wrote to memory of 4864	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	tmpB79B.tmp.exe
PID 2364 wrote to memory of 4864	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 4864 wrote to memory of 3836	4864	tmpB79B.tmp.exe	tmpB79B.tmp.exe
PID 2364 wrote to memory of 432	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 432	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 312	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 312	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 2336	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 2336	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 2464	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 2464	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 4276	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 4276	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 2084	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 2084	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 3336	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 3336	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 3432	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 3432	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 4704	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 4704	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 216	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 216	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 3276	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 3276	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	powershell.exe
PID 2364 wrote to memory of 332	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	fontdrvhost.exe
PID 2364 wrote to memory of 332	2364	7f604c1ca06db7206f1699e6d908a7a0N.exe	fontdrvhost.exe
PID 332 wrote to memory of 2792	332	fontdrvhost.exe	WScript.exe
PID 332 wrote to memory of 2792	332	fontdrvhost.exe	WScript.exe
PID 332 wrote to memory of 4308	332	fontdrvhost.exe	WScript.exe
PID 332 wrote to memory of 4308	332	fontdrvhost.exe	WScript.exe
PID 332 wrote to memory of 1580	332	fontdrvhost.exe	tmpDF54.tmp.exe
PID 332 wrote to memory of 1580	332	fontdrvhost.exe	tmpDF54.tmp.exe
PID 332 wrote to memory of 1580	332	fontdrvhost.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 1580 wrote to memory of 1932	1580	tmpDF54.tmp.exe	tmpDF54.tmp.exe
PID 2792 wrote to memory of 4360	2792	WScript.exe	fontdrvhost.exe
PID 2792 wrote to memory of 4360	2792	WScript.exe	fontdrvhost.exe
PID 4360 wrote to memory of 4772	4360	fontdrvhost.exe	WScript.exe
PID 4360 wrote to memory of 4772	4360	fontdrvhost.exe	WScript.exe
PID 4360 wrote to memory of 4608	4360	fontdrvhost.exe	WScript.exe
PID 4360 wrote to memory of 4608	4360	fontdrvhost.exe	WScript.exe
PID 4360 wrote to memory of 3384	4360	fontdrvhost.exe	tmp12D7.tmp.exe
PID 4360 wrote to memory of 3384	4360	fontdrvhost.exe	tmp12D7.tmp.exe
PID 4360 wrote to memory of 3384	4360	fontdrvhost.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe
PID 3384 wrote to memory of 4864	3384	tmp12D7.tmp.exe	tmp12D7.tmp.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe7f604c1ca06db7206f1699e6d908a7a0N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7f604c1ca06db7206f1699e6d908a7a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f604c1ca06db7206f1699e6d908a7a0N.exe
"C:\Users\Admin\AppData\Local\Temp\7f604c1ca06db7206f1699e6d908a7a0N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2364

C:\Users\Admin\AppData\Local\Temp\tmpB79B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB79B.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\tmpB79B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB79B.tmp.exe"
3⤵
- Executes dropped EXE
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Recovery\WindowsRE\fontdrvhost.exe
"C:\Recovery\WindowsRE\fontdrvhost.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:332

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d25b34-65f2-45a4-a679-ee777ea4fac5.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4360

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab647f4-bd5a-40d7-b183-ce345963a1cb.vbs"
5⤵
PID:4772

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608d6e62-82cd-4621-a7d0-dfb8b6836d9e.vbs"
7⤵
PID:3764

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc467053-6472-4708-8676-a6544574d38a.vbs"
9⤵
PID:3400

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd11fe78-4e50-4910-9c73-504021a49bea.vbs"
11⤵
PID:1968

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3346d5e-726d-4dfb-94bb-5bb5960569b4.vbs"
13⤵
PID:4432

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3404

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc03c8e-c3e2-467b-8a5f-c2f1343860e0.vbs"
15⤵
PID:1984

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\085ad14e-1749-4ac8-b0ab-5a8f3fbe6e9b.vbs"
17⤵
PID:1876

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2256dcb5-3038-4bf8-89f4-c40dada3a334.vbs"
19⤵
PID:3028

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e60407a3-11e4-4e22-bcec-0415e76aba0c.vbs"
21⤵
PID:2836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d913780-6307-4532-bace-1f7795dd1f67.vbs"
21⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe"
21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848

C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe"
22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3672

C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4872

C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp.exe"
24⤵
- Executes dropped EXE
PID:4276

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fa528c2-c0e9-45c0-87e6-c98396b60eda.vbs"
19⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\tmp47AE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp47AE.tmp.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3868

C:\Users\Admin\AppData\Local\Temp\tmp47AE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp47AE.tmp.exe"
20⤵
- Executes dropped EXE
PID:3156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29b70127-8d65-46b3-ab4a-0b20e16d66bb.vbs"
17⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\tmp2BC9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2BC9.tmp.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp2BC9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2BC9.tmp.exe"
18⤵
- Executes dropped EXE
PID:2576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65f3d54d-1586-44e7-a0f7-d964f7c256e8.vbs"
15⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\tmpF865.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF865.tmp.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4584

C:\Users\Admin\AppData\Local\Temp\tmpF865.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF865.tmp.exe"
16⤵
- Executes dropped EXE
PID:2104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15aa150c-dfa8-4649-9ee7-df806b1ab9fc.vbs"
13⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\tmpC649.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC649.tmp.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4540

C:\Users\Admin\AppData\Local\Temp\tmpC649.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC649.tmp.exe"
14⤵
- Executes dropped EXE
PID:3428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65f51224-3716-4f02-8456-61cbd830b275.vbs"
11⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\tmp94F8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp94F8.tmp.exe"
11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792

C:\Users\Admin\AppData\Local\Temp\tmp94F8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp94F8.tmp.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1876

C:\Users\Admin\AppData\Local\Temp\tmp94F8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp94F8.tmp.exe"
13⤵
- Executes dropped EXE
PID:1184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb8c92fe-2530-41ae-9658-f404d1692f93.vbs"
9⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe"
9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768

C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe"
10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4792

C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe"
11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648

C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4764

C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6387.tmp.exe"
13⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d48429-3c9d-4fd5-9fc2-70af2c596e62.vbs"
7⤵
PID:1132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\677a100d-260e-4b47-ac8f-cb0726a15f36.vbs"
5⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.exe"
6⤵
- Executes dropped EXE
PID:4864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97926f4d-e57a-486d-b52f-28481f7cf828.vbs"
3⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"
4⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\LocalLow\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\LocalLow\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f604c1ca06db7206f1699e6d908a7a0N7" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\7f604c1ca06db7206f1699e6d908a7a0N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f604c1ca06db7206f1699e6d908a7a0N" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\7f604c1ca06db7206f1699e6d908a7a0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f604c1ca06db7206f1699e6d908a7a0N7" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\7f604c1ca06db7206f1699e6d908a7a0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\INT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dc03c8e-c3e2-467b-8a5f-c2f1343860e0.vbs

Filesize
713B

MD5
56250aa7916a3588f51d3a4ea1e8a42e

SHA1
ae6f2f553ee9fe3fdd48d250518bb68fe39ace87

SHA256
b6eee01c10589d21231a2568ca183638d6805cd2c73873f4567306f7aea4bc20

SHA512
259beeb1d5d9819e4a53b73681dc90aaa36c4952077c864e214409f82fcc95675b9a5352b8d42ec90cd7313c8eb839b92c6f114e06e513cb8e7bd7dac56f300d

Download Submit
C:\Users\Admin\AppData\Local\Temp\608d6e62-82cd-4621-a7d0-dfb8b6836d9e.vbs

Filesize
713B

MD5
a863079bd723a6e684f8d5bd3d18f712

SHA1
810f8570a2b9826c62dc315be5e37de7ebf05b67

SHA256
45c2dc53a1a723921f335463ca38a89ca6ea37508694347bcf37aba43e8874c5

SHA512
84dc94c697c93b7ced73b1538674a712abe2cc3aeb6ec93b16ed090ed82bda44be0c3239825d13dba74383cd048c79edcbb61de15c873e5a9ad40d652b751b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\97926f4d-e57a-486d-b52f-28481f7cf828.vbs

Filesize
489B

MD5
5341ddbf736d6b89e144a1e61c2d8266

SHA1
f3387bef498780e71585fc7972644c9a738e6f04

SHA256
024f3f597c945833810e9c302815516bb5d2fbc0749228610f96c3bce6af4c43

SHA512
d477f9c9db159edb6d4981b75c6ba9ffbc48244d1f0bfa0e6646f3031e14f82433455c509e27c3b239f48dad7ecaa94543305ab7fab0c985819481db39bfa4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijv2rfp2.gki.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d25b34-65f2-45a4-a679-ee777ea4fac5.vbs

Filesize
712B

MD5
7b72a4f22aa7a23275a55fd70840f378

SHA1
5ee36435dd14b87700ea76d1796645cda3e4a184

SHA256
221b7b57ae865969cda90b4cf424e468756911dfbc6050e6a0153b4943a9579d

SHA512
f5bd86c858eee80250f5f2dd81c88027aed88302859102c6165302fc2847dd4eb4599d9be794a172d94589a3006f30a2bf20b5db69a8f52624b28fc1cab55599

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc467053-6472-4708-8676-a6544574d38a.vbs

Filesize
713B

MD5
39fecfecc4d7ed879d0350c59bcf0468

SHA1
59f3812715ab23452bfb5e5ec58a564034ab85c5

SHA256
d9dae2dbefdf1828cc53b143240afef9a1542c232eb0b72928c6089d6f9c8ab6

SHA512
7307bb5fa3dd62d5db39d70f6b4868749873fa67e22086dfc9533776df60f47b5442e7d1bdf188e8dde305ba44c63222c63182bc88b3db5a7a59a619fff82880

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd11fe78-4e50-4910-9c73-504021a49bea.vbs

Filesize
713B

MD5
f70725095e2ce1d114315ee89fb197d0

SHA1
529580e2d91524c685100799bfa918b9bc859ba4

SHA256
4f31a0908b3ad18e3771eca809804fc4ad2c174b63945a554234df84458cead0

SHA512
481df7e93c1ca9a9fd8825024cb47aa8db7d059ae760184f13298356ccf08b6952ce1059043a2bf8c999837ffb628527d529d0c7522501dc9459438c9ab6e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dab647f4-bd5a-40d7-b183-ce345963a1cb.vbs

Filesize
713B

MD5
04681ae634623bc60747765b6dcb2cf6

SHA1
0657ed9298f111b9edceaea2c18984316476ef3a

SHA256
b7eafafd9087d7a82bf59f2711478c4005f80768f461b226e2b5afc152994176

SHA512
8eefb378856910d60b97ff0df74820c5e374a48322bc0d59d247828c6095954c2d96a508a2f614333b1fac4af19ebf0457fa5fdabdf3bb192761d5c30635465b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3346d5e-726d-4dfb-94bb-5bb5960569b4.vbs

Filesize
713B

MD5
9d39529432769b607fcce6abc18c2eff

SHA1
04840cc9abec3ceaae0ba8015ea7965bc495b06b

SHA256
0261f761b2934db8eda6e3a8ee016b18278bc557dd841ac4b83e96db60c4c91e

SHA512
ee23336d1f9ce3b2466ee75a91b42360d6ed2254181a86f70add861fc3e2cf278978373668ff938a21d9ef08d91ee878f97dfd5ca4cfbb8f085ee8fdf9bd8f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB79B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\Searches\RCXCA61.tmp

Filesize
4.9MB

MD5
8f8484af5b354d84b93630f4e0ff0764

SHA1
8d2f2d1def0661e24d8412e672a759ac6b77e402

SHA256
23b8f0c359e0c937fe778b4c8ff81c60a03c8ba776c2d92dcc1d0ae9c409516a

SHA512
b1e8d2d4ccfc79a7c15c2b37f9059858726720b31b970a1fb35bd975fa0134e72d2a3a16148daa294d94c9265d8ee61882cc5b595a371660bedd9ae19059beb1

Download Submit
C:\Users\Default\Videos\7f604c1ca06db7206f1699e6d908a7a0N.exe

Filesize
4.9MB

MD5
7f604c1ca06db7206f1699e6d908a7a0

SHA1
ba7e4204908407f64ce41d867a312b970c450ca3

SHA256
057029b10fb991791435ba26d2715749bad8114beb7652132c0e8471d0200d11

SHA512
04ac0f43e282eecaedd7ca0012469145269780ff54b792d511f025851df0974ad1ae568a22e80e78e5b444431e9ebea60e3dcb77a0c9233faee7b758d5354ee8

Download Submit
memory/332-301-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/2364-6-0x00000000032A0000-0x00000000032A8000-memory.dmp

Filesize
32KB

Download
memory/2364-18-0x000000001C7A0000-0x000000001C7AC000-memory.dmp

Filesize
48KB

Download
memory/2364-188-0x00007FFB88243000-0x00007FFB88245000-memory.dmp

Filesize
8KB

Download
memory/2364-16-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/2364-15-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

Filesize
56KB

Download
memory/2364-300-0x00007FFB88240000-0x00007FFB88D01000-memory.dmp

Filesize
10.8MB

Download
memory/2364-12-0x000000001CCC0000-0x000000001D1E8000-memory.dmp

Filesize
5.2MB

Download
memory/2364-17-0x000000001C790000-0x000000001C798000-memory.dmp

Filesize
32KB

Download
memory/2364-13-0x000000001BFC0000-0x000000001BFCA000-memory.dmp

Filesize
40KB

Download
memory/2364-14-0x000000001BFD0000-0x000000001BFDE000-memory.dmp

Filesize
56KB

Download
memory/2364-1-0x0000000000D10000-0x0000000001204000-memory.dmp

Filesize
5.0MB

Download
memory/2364-2-0x00007FFB88240000-0x00007FFB88D01000-memory.dmp

Filesize
10.8MB

Download
memory/2364-9-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/2364-10-0x000000001BFA0000-0x000000001BFAA000-memory.dmp

Filesize
40KB

Download
memory/2364-11-0x000000001BFB0000-0x000000001BFC2000-memory.dmp

Filesize
72KB

Download
memory/2364-8-0x000000001BF80000-0x000000001BF96000-memory.dmp

Filesize
88KB

Download
memory/2364-0-0x00007FFB88243000-0x00007FFB88245000-memory.dmp

Filesize
8KB

Download
memory/2364-7-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/2364-5-0x000000001C740000-0x000000001C790000-memory.dmp

Filesize
320KB

Download
memory/2364-4-0x0000000003460000-0x000000000347C000-memory.dmp

Filesize
112KB

Download
memory/2364-3-0x000000001C010000-0x000000001C13E000-memory.dmp

Filesize
1.2MB

Download
memory/2464-207-0x000001CB6ADC0000-0x000001CB6ADE2000-memory.dmp

Filesize
136KB

Download
memory/3404-464-0x000000001B960000-0x000000001B972000-memory.dmp

Filesize
72KB

Download
memory/3836-76-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download