colibri | 6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890

Analysis

max time kernel
120s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Size

4.9MB
MD5

98f6d1c7482e03953bd88b57feb7d6b0
SHA1

437f469f92fea1fe222fb031353065152eb4d95e
SHA256

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890
SHA512

240e23c6a92008588b5e70969bbc94b2adfb12fb74e5f31ee4d3fc3b918b160bb13868ab29f14b29029a5889f0aff635a97507c6c1ae13dcadaaa6998d6f8165
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2944	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2944	schtasks.exe	90

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/676-2-0x000000001BF10000-0x000000001C03E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1552	powershell.exe
2896	powershell.exe
2012	powershell.exe
4236	powershell.exe
116	powershell.exe
2160	powershell.exe
3560	powershell.exe
1664	powershell.exe
1612	powershell.exe
1964	powershell.exe
1820	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 30 IoCs

Processes:

tmpBEDB.tmp.exetmpBEDB.tmp.exeSystem.exetmp114.tmp.exetmp114.tmp.exeSystem.exetmp270B.tmp.exetmp270B.tmp.exeSystem.exetmp45BE.tmp.exetmp45BE.tmp.exeSystem.exetmp77BB.tmp.exetmp77BB.tmp.exeSystem.exetmpAB10.tmp.exetmpAB10.tmp.exeSystem.exetmpDD5B.tmp.exetmpDD5B.tmp.exeSystem.exetmp110D.tmp.exetmp110D.tmp.exetmp110D.tmp.exeSystem.exeSystem.exetmp4C90.tmp.exetmp4C90.tmp.exeSystem.exeSystem.exe

pid	Process
2108	tmpBEDB.tmp.exe
1892	tmpBEDB.tmp.exe
1600	System.exe
5336	tmp114.tmp.exe
5404	tmp114.tmp.exe
5804	System.exe
6136	tmp270B.tmp.exe
1472	tmp270B.tmp.exe
3600	System.exe
1980	tmp45BE.tmp.exe
1576	tmp45BE.tmp.exe
2596	System.exe
4548	tmp77BB.tmp.exe
2160	tmp77BB.tmp.exe
5348	System.exe
3388	tmpAB10.tmp.exe
5728	tmpAB10.tmp.exe
1212	System.exe
1640	tmpDD5B.tmp.exe
5856	tmpDD5B.tmp.exe
6052	System.exe
3432	tmp110D.tmp.exe
3852	tmp110D.tmp.exe
4208	tmp110D.tmp.exe
956	System.exe
1964	System.exe
1440	tmp4C90.tmp.exe
2720	tmp4C90.tmp.exe
636	System.exe
4064	System.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

tmpBEDB.tmp.exetmp114.tmp.exetmp270B.tmp.exetmp45BE.tmp.exetmp77BB.tmp.exetmpAB10.tmp.exetmpDD5B.tmp.exetmp110D.tmp.exetmp4C90.tmp.exe

description	pid	Process	procid_target
PID 2108 set thread context of 1892	2108	tmpBEDB.tmp.exe	89
PID 5336 set thread context of 5404	5336	tmp114.tmp.exe	150
PID 6136 set thread context of 1472	6136	tmp270B.tmp.exe	161
PID 1980 set thread context of 1576	1980	tmp45BE.tmp.exe	168
PID 4548 set thread context of 2160	4548	tmp77BB.tmp.exe	175
PID 3388 set thread context of 5728	3388	tmpAB10.tmp.exe	181
PID 1640 set thread context of 5856	1640	tmpDD5B.tmp.exe	187
PID 3852 set thread context of 4208	3852	tmp110D.tmp.exe	195
PID 1440 set thread context of 2720	1440	tmp4C90.tmp.exe	204

Drops file in Program Files directory 12 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\27d1bcfc3c54e0	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\69ddcba757bf72	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXD5D0.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\RCXE7DA.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Windows Mail\tmpBEDB.tmp.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Windows Mail\491b07efb32434	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE5B6.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\tmpBEDB.tmp.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

Drops file in Windows directory 12 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

description	ioc	Process
File created	C:\Windows\Globalization\Time Zone\5940a34987c991	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\Globalization\Time Zone\RCXDCD8.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXEA2C.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXDA66.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\services.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\Globalization\Time Zone\dllhost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Windows\Prefetch\ReadyBoot\services.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Windows\Prefetch\ReadyBoot\c5b4cb5e9653cc	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Windows\Globalization\Time Zone\dllhost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Windows\RemotePackages\RemoteApps\backgroundTaskHost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Windows\RemotePackages\RemoteApps\eddb19405b7ce1	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\backgroundTaskHost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp270B.tmp.exetmp45BE.tmp.exetmpDD5B.tmp.exetmp110D.tmp.exetmpBEDB.tmp.exetmp114.tmp.exetmp110D.tmp.exetmp4C90.tmp.exetmp77BB.tmp.exetmpAB10.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp270B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp45BE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDD5B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp110D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBEDB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp114.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp110D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4C90.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp77BB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB10.tmp.exe

Modifies registry class 11 IoCs

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2360	schtasks.exe
2900	schtasks.exe
2400	schtasks.exe
1840	schtasks.exe
4268	schtasks.exe
1668	schtasks.exe
3684	schtasks.exe
1516	schtasks.exe
1960	schtasks.exe
4836	schtasks.exe
1364	schtasks.exe
4508	schtasks.exe
1988	schtasks.exe
392	schtasks.exe
4536	schtasks.exe
3452	schtasks.exe
2704	schtasks.exe
2532	schtasks.exe
532	schtasks.exe
2088	schtasks.exe
1624	schtasks.exe
4288	schtasks.exe
2624	schtasks.exe
2432	schtasks.exe
5028	schtasks.exe
2596	schtasks.exe
2044	schtasks.exe
2124	schtasks.exe
4176	schtasks.exe
464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	Process
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
1820	powershell.exe
1820	powershell.exe
1964	powershell.exe
1964	powershell.exe
1664	powershell.exe
1664	powershell.exe
2896	powershell.exe
2012	powershell.exe
2012	powershell.exe
2896	powershell.exe
2160	powershell.exe
2160	powershell.exe
3560	powershell.exe
3560	powershell.exe
116	powershell.exe
116	powershell.exe
1612	powershell.exe
1612	powershell.exe
1552	powershell.exe
1552	powershell.exe
4236	powershell.exe
4236	powershell.exe
116	powershell.exe
2012	powershell.exe
1964	powershell.exe
1664	powershell.exe
1820	powershell.exe
3560	powershell.exe
1552	powershell.exe
2160	powershell.exe
2896	powershell.exe
1612	powershell.exe
4236	powershell.exe
1600	System.exe
1600	System.exe
5804	System.exe
3600	System.exe
2596	System.exe
5348	System.exe
1212	System.exe
6052	System.exe
956	System.exe
1964	System.exe
636	System.exe
4064	System.exe
4064	System.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	1600	System.exe
Token: SeDebugPrivilege	5804	System.exe
Token: SeDebugPrivilege	3600	System.exe
Token: SeDebugPrivilege	2596	System.exe
Token: SeDebugPrivilege	5348	System.exe
Token: SeDebugPrivilege	1212	System.exe
Token: SeDebugPrivilege	6052	System.exe
Token: SeDebugPrivilege	956	System.exe
Token: SeDebugPrivilege	1964	System.exe
Token: SeDebugPrivilege	636	System.exe
Token: SeDebugPrivilege	4064	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exetmpBEDB.tmp.exeSystem.exetmp114.tmp.exeWScript.exeSystem.exetmp270B.tmp.exe

description	pid	Process	procid_target
PID 676 wrote to memory of 2108	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	87
PID 676 wrote to memory of 2108	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	87
PID 676 wrote to memory of 2108	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	87
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 2108 wrote to memory of 1892	2108	tmpBEDB.tmp.exe	89
PID 676 wrote to memory of 4236	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	124
PID 676 wrote to memory of 4236	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	124
PID 676 wrote to memory of 1664	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	125
PID 676 wrote to memory of 1664	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	125
PID 676 wrote to memory of 3560	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	126
PID 676 wrote to memory of 3560	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	126
PID 676 wrote to memory of 1820	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	127
PID 676 wrote to memory of 1820	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	127
PID 676 wrote to memory of 2012	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	128
PID 676 wrote to memory of 2012	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	128
PID 676 wrote to memory of 2896	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	129
PID 676 wrote to memory of 2896	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	129
PID 676 wrote to memory of 1964	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	130
PID 676 wrote to memory of 1964	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	130
PID 676 wrote to memory of 1552	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	131
PID 676 wrote to memory of 1552	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	131
PID 676 wrote to memory of 1612	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	132
PID 676 wrote to memory of 1612	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	132
PID 676 wrote to memory of 116	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	133
PID 676 wrote to memory of 116	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	133
PID 676 wrote to memory of 2160	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	134
PID 676 wrote to memory of 2160	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	134
PID 676 wrote to memory of 1600	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	146
PID 676 wrote to memory of 1600	676	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	146
PID 1600 wrote to memory of 5336	1600	System.exe	148
PID 1600 wrote to memory of 5336	1600	System.exe	148
PID 1600 wrote to memory of 5336	1600	System.exe	148
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 5336 wrote to memory of 5404	5336	tmp114.tmp.exe	150
PID 1600 wrote to memory of 5572	1600	System.exe	153
PID 1600 wrote to memory of 5572	1600	System.exe	153
PID 1600 wrote to memory of 5620	1600	System.exe	154
PID 1600 wrote to memory of 5620	1600	System.exe	154
PID 5572 wrote to memory of 5804	5572	WScript.exe	155
PID 5572 wrote to memory of 5804	5572	WScript.exe	155
PID 5804 wrote to memory of 5972	5804	System.exe	157
PID 5804 wrote to memory of 5972	5804	System.exe	157
PID 5804 wrote to memory of 6020	5804	System.exe	158
PID 5804 wrote to memory of 6020	5804	System.exe	158
PID 5804 wrote to memory of 6136	5804	System.exe	159
PID 5804 wrote to memory of 6136	5804	System.exe	159
PID 5804 wrote to memory of 6136	5804	System.exe	159
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161
PID 6136 wrote to memory of 1472	6136	tmp270B.tmp.exe	161

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
"C:\Users\Admin\AppData\Local\Temp\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:676
- C:\Users\Admin\AppData\Local\Temp\tmpBEDB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBEDB.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\tmpBEDB.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBEDB.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:5404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12987da1-d751-43b2-9772-52247614f94b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5572
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5804
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b8ba1d4-881e-4943-8678-88758b19d368.vbs"
        5⤵
        
        PID:5972
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\824f3b23-56d6-407d-9eb8-7903b44c5c8f.vbs"
        7⤵
        
        PID:3440
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad72b20e-dcbd-4bea-8d08-9b871cb95e3e.vbs"
        9⤵
        
        PID:1988
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b686f23e-6495-4772-99ec-8d1897580501.vbs"
        11⤵
        
        PID:2916
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61cbab41-65da-48ed-bfbe-844bd4ff9f06.vbs"
        13⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c41b8d3-f9fa-40da-80b5-89ce08390b63.vbs"
        15⤵
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11cadeb2-728f-4d71-808e-59a1b702aceb.vbs"
        17⤵
        
        PID:2532
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ed3f83-6e70-432d-9473-eb981ccfb397.vbs"
        19⤵
        
        PID:3276
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e482be8-4bda-45fd-a5f1-8d5cbb3d26e1.vbs"
        21⤵
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24719c13-1d91-4abe-9e98-d7e804838efc.vbs"
        23⤵
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c020f02c-9937-42b7-8de3-ab80ff5e0f56.vbs"
        23⤵
        
        PID:5976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c255f9a3-099e-4f6d-968b-00fa108556ca.vbs"
        21⤵
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a56029-2fb1-4f62-8bfd-f9d413701973.vbs"
        19⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp4C90.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4C90.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp4C90.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4C90.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78995a37-1478-41ff-9642-7c8c7291ecdd.vbs"
        17⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32808152-b8df-4477-b482-e48bbaf6c912.vbs"
        15⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp110D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp110D.tmp.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp110D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp110D.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp110D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp110D.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\141179ed-25f7-4a55-95a0-043862753ed3.vbs"
        13⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\tmpDD5B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDD5B.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmpDD5B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDD5B.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74074c22-4f8a-46d9-be67-e61e98807f32.vbs"
        11⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB10.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB10.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB10.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB10.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:5728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c20d42b-5539-4d4c-ba42-e76c453be495.vbs"
        9⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\tmp77BB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp77BB.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp77BB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp77BB.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7fef238-c7a9-4855-9324-866cfa5d8356.vbs"
        7⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp45BE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp45BE.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp45BE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp45BE.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:1576
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb39bc63-66fb-4ccf-8bbe-fb4eb46bcd93.vbs"
        5⤵
        
        PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:1472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a035edc-a655-4782-8e42-0ac4df566c9b.vbs"
    3⤵
    PID:5620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Time Zone\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Time Zone\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmpBEDB.tmpt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\tmpBEDB.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmpBEDB.tmp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\tmpBEDB.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmpBEDB.tmpt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\tmpBEDB.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1ca947063bf8c58838fa7455bd0b36d6

SHA1
045ce9620e4c4df8225e72dd1f5e6a3e2b977e53

SHA256
5eb2ec3df52dbc0b6404dc0fb61f76fc4cd510f56a799140fdece2e626da6142

SHA512
5e20dc999d0103d9927ab3ea3c272977e74cb0b63c0e533b9ea20094713155a4cd7d918dce6f50ccc6a3c6217439ae6bca87f44c6fc5752f9107a0e1efb8601b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\12987da1-d751-43b2-9772-52247614f94b.vbs

Filesize
733B

MD5
2b900cedd72d70d2e3164b4e2c3b3a60

SHA1
eebf9dbed9465c192379a08fbd88f3c3ed34671d

SHA256
c629840429146fa4c930f840683b0b5435de50e6fe257efeef5d4c77ba0a6908

SHA512
0d62d3b0549fdfa40d6b3776e6e6e30ba888c69ed224dc9a973d35548516a5a424e7deace94bf1e5d15a586d69fd2c7469600ae9b152d79945601401dd73d3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a035edc-a655-4782-8e42-0ac4df566c9b.vbs

Filesize
509B

MD5
000b429d0fa951fac885a63f27c87116

SHA1
e54f4cd9ee092aa45ddd81d2026f86c8c5e6d9df

SHA256
f7776a1e1523bc93581ffffdad9cbd72603ba9bde816ec05ee3531640526489b

SHA512
4a4eb73bd18dcb2a80b76811e68d95de761ea4563f8a51b7c467b21fe00e62e15df4f3864985bbc2f85cc7866f9930faa41887f0d716b4f5724b4bdf4ad375d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b8ba1d4-881e-4943-8678-88758b19d368.vbs

Filesize
733B

MD5
0fd2d1e9b48ea17b734524f700f78fe8

SHA1
56ac66151cac81cff48c90baf0a154d6259f9d44

SHA256
93454b0bf011f8d20e0343e29f0a371a07b6b601c8579d0a2ef6a7aeb2bb0cd7

SHA512
42717cb80905e29987a26b9ea172c4f147bcde08fdf6f72bc30abbdf4d96d261ff9f23a6b69f4f8e2515dd5b739fbdf3c58ee1d70881916597366a9abf06282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cbab41-65da-48ed-bfbe-844bd4ff9f06.vbs

Filesize
733B

MD5
edd51c8f27749eb7ef8c8119da79ebfe

SHA1
1182634a4d79951aa72c0add34dafd0428bc54dc

SHA256
67430f17d57e471f7d6449d07ee2e4fba97910a5f4374065f01e519317a0c802

SHA512
6515bbd933efae368f5e94bd2476ddc9a3c92a2944e7466974a53927d403af23d3b06b94c9996d78aebed8cf08f2356bd293c35443a19bb24975ae60d60e9cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c41b8d3-f9fa-40da-80b5-89ce08390b63.vbs

Filesize
733B

MD5
2dd9b8537ce42cdcd7a2d7fc0666a248

SHA1
bf5ca16a90801042fa113c0daa9d52c5a3ed9503

SHA256
8cfdc1f9ea7b0b5992b8a9ea9d01c81894b7a4b7ed7bc48c2acd4a52fdf76f36

SHA512
6b403ead43897b794819b2cf6e104b62fb0b82381e2c4fc0f1b854d42609c44fdaad3eb87774adfc1eb43cb5be71d7db73a396e9b180f6e07d271d43dfd66ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lk02ldkr.10r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad72b20e-dcbd-4bea-8d08-9b871cb95e3e.vbs

Filesize
733B

MD5
c360d60946824a0dea2efbfdf4102495

SHA1
a4a6f9a925c61bfa29ae47533c861c6f145c7b88

SHA256
685e94a6bfa0a572ca071e79829c6ad19b155516d9d4dbd39920f5755efe667f

SHA512
27171ea2eb6c554aaa9fe8c474267aaa313ecc676d09f907857e95e7980316f4affdec7b69f3188e97aa785418b9a084e4a0ef589822bc8bd803270a31f5fb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\b686f23e-6495-4772-99ec-8d1897580501.vbs

Filesize
733B

MD5
f8b63475630791058394eccd40c3b4f8

SHA1
0dc462a3563f25f3112a7ff97eb3c59f7af6ca5c

SHA256
0fa26acd89469d0b11f9b407b7eb08a1e4ff2243b6293a889c5bba2cf4f4c3a9

SHA512
31855f38ab8fca91eb183adab05195dc7181078a143b05e17edb27905e4c77baee7177f5752627968144a802b54a5f5c8f83b2e9c0eeebf41a6017f38ef2cfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEDB.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\csrss.exe

Filesize
4.9MB

MD5
98f6d1c7482e03953bd88b57feb7d6b0

SHA1
437f469f92fea1fe222fb031353065152eb4d95e

SHA256
6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890

SHA512
240e23c6a92008588b5e70969bbc94b2adfb12fb74e5f31ee4d3fc3b918b160bb13868ab29f14b29029a5889f0aff635a97507c6c1ae13dcadaaa6998d6f8165

Download Submit
memory/676-16-0x000000001CB70000-0x000000001CB82000-memory.dmp

Filesize
72KB

Download
memory/676-20-0x000000001C670000-0x000000001C67A000-memory.dmp

Filesize
40KB

Download
memory/676-1-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/676-2-0x000000001BF10000-0x000000001C03E000-memory.dmp

Filesize
1.2MB

Download
memory/676-3-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/676-4-0x0000000001A00000-0x0000000001A1C000-memory.dmp

Filesize
112KB

Download
memory/676-8-0x000000001C820000-0x000000001C830000-memory.dmp

Filesize
64KB

Download
memory/676-25-0x000000001C6C0000-0x000000001C6CC000-memory.dmp

Filesize
48KB

Download
memory/676-55-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

Filesize
8KB

Download
memory/676-65-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/676-7-0x0000000001AC0000-0x0000000001AC8000-memory.dmp

Filesize
32KB

Download
memory/676-6-0x000000001BEB0000-0x000000001BF00000-memory.dmp

Filesize
320KB

Download
memory/676-24-0x000000001C6B0000-0x000000001C6B8000-memory.dmp

Filesize
32KB

Download
memory/676-290-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/676-9-0x000000001CA50000-0x000000001CA66000-memory.dmp

Filesize
88KB

Download
memory/676-23-0x000000001C6A0000-0x000000001C6A8000-memory.dmp

Filesize
32KB

Download
memory/676-22-0x000000001C690000-0x000000001C69E000-memory.dmp

Filesize
56KB

Download
memory/676-21-0x000000001C680000-0x000000001C68E000-memory.dmp

Filesize
56KB

Download
memory/676-19-0x000000001D140000-0x000000001D668000-memory.dmp

Filesize
5.2MB

Download
memory/676-0-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

Filesize
8KB

Download
memory/676-13-0x000000001C940000-0x000000001C94A000-memory.dmp

Filesize
40KB

Download
memory/676-10-0x000000001C830000-0x000000001C840000-memory.dmp

Filesize
64KB

Download
memory/1600-291-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/1892-87-0x00000000006C0000-0x00000000006EC000-memory.dmp

Filesize
176KB

Download
memory/1892-35-0x00000000006C0000-0x00000000006EC000-memory.dmp

Filesize
176KB

Download
memory/1892-33-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1964-186-0x000002AAFCCC0000-0x000002AAFCCE2000-memory.dmp

Filesize
136KB

Download
memory/2108-36-0x00000000006C0000-0x00000000006EC000-memory.dmp

Filesize
176KB

Download
memory/2108-31-0x00000000006C4000-0x00000000006C5000-memory.dmp

Filesize
4KB

Download
memory/2108-32-0x00000000006C0000-0x00000000006EC000-memory.dmp

Filesize
176KB

Download
memory/2596-384-0x000000001BEC0000-0x000000001BED2000-memory.dmp

Filesize
72KB

Download