colibri | da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Size

4.9MB
MD5

adea3d5a416c1452e6c572b162983622
SHA1

e2ba3ad5285a08d6681c410b7e3cb313356fd6d0
SHA256

da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28
SHA512

9631b55139a134fd96ad39b3a355d10b49a20cfb00aa0ed6452dd17596815baefe0d20d89cae82933d59eea28286b02b7b92138b85257e39593ad12de8ff860a
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	3940	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	3940	schtasks.exe	85

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2204-3-0x000000001B530000-0x000000001B65E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3972	powershell.exe
3764	powershell.exe
3136	powershell.exe
3316	powershell.exe
4780	powershell.exe
3420	powershell.exe
3152	powershell.exe
1692	powershell.exe
2036	powershell.exe
4448	powershell.exe
3524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

Executes dropped EXE 4 IoCs

pid	Process
1712	tmpA79C.tmp.exe
3668	tmpA79C.tmp.exe
3052	tmpA79C.tmp.exe
5324	sysmon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 3052	3668	tmpA79C.tmp.exe	130

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\System.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files (x86)\Windows Mail\27d1bcfc3c54e0	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files\Microsoft Office\Office16\smss.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Program Files\Microsoft Office\Office16\69ddcba757bf72	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXAD2D.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\System.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCXB1E2.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\smss.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\authman\RuntimeBroker.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Windows\Setup\State\RCXB688.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Windows\Setup\State\lsass.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\RuntimeBroker.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Windows\LiveKernelReports\RuntimeBroker.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Windows\LiveKernelReports\9e8d7a4ca61bd9	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Windows\Microsoft.NET\authman\9e8d7a4ca61bd9	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXAB09.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Windows\LiveKernelReports\RuntimeBroker.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\RCXB89C.tmp	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Windows\Setup\State\lsass.exe	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
File created	C:\Windows\Setup\State\6203df4a6bafc7	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA79C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA79C.tmp.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5040	schtasks.exe
1500	schtasks.exe
3128	schtasks.exe
1248	schtasks.exe
2144	schtasks.exe
3392	schtasks.exe
3252	schtasks.exe
3612	schtasks.exe
4624	schtasks.exe
3156	schtasks.exe
4828	schtasks.exe
1864	schtasks.exe
1696	schtasks.exe
3576	schtasks.exe
4668	schtasks.exe
1348	schtasks.exe
1944	schtasks.exe
2924	schtasks.exe
1616	schtasks.exe
4172	schtasks.exe
3492	schtasks.exe
316	schtasks.exe
4652	schtasks.exe
2384	schtasks.exe
2888	schtasks.exe
472	schtasks.exe
4640	schtasks.exe
2460	schtasks.exe
956	schtasks.exe
3088	schtasks.exe
3100	schtasks.exe
3300	schtasks.exe
4616	schtasks.exe
1536	schtasks.exe
1240	schtasks.exe
2476	schtasks.exe
2184	schtasks.exe
912	schtasks.exe
4384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
4448	powershell.exe
4448	powershell.exe
3136	powershell.exe
3136	powershell.exe
3972	powershell.exe
3972	powershell.exe
3764	powershell.exe
3764	powershell.exe
1692	powershell.exe
1692	powershell.exe
3524	powershell.exe
3524	powershell.exe
3316	powershell.exe
3316	powershell.exe
3420	powershell.exe
3420	powershell.exe
4780	powershell.exe
4780	powershell.exe
3152	powershell.exe
3152	powershell.exe
3316	powershell.exe
3152	powershell.exe
2036	powershell.exe
2036	powershell.exe
3972	powershell.exe
3764	powershell.exe
4448	powershell.exe
3136	powershell.exe
3524	powershell.exe
1692	powershell.exe
3420	powershell.exe
4780	powershell.exe
2036	powershell.exe
5324	sysmon.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	5324	sysmon.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1712	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	127
PID 2204 wrote to memory of 1712	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	127
PID 2204 wrote to memory of 1712	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	127
PID 1712 wrote to memory of 3668	1712	tmpA79C.tmp.exe	129
PID 1712 wrote to memory of 3668	1712	tmpA79C.tmp.exe	129
PID 1712 wrote to memory of 3668	1712	tmpA79C.tmp.exe	129
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 3668 wrote to memory of 3052	3668	tmpA79C.tmp.exe	130
PID 2204 wrote to memory of 2036	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	137
PID 2204 wrote to memory of 2036	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	137
PID 2204 wrote to memory of 3136	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	138
PID 2204 wrote to memory of 3136	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	138
PID 2204 wrote to memory of 1692	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	139
PID 2204 wrote to memory of 1692	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	139
PID 2204 wrote to memory of 3764	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	140
PID 2204 wrote to memory of 3764	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	140
PID 2204 wrote to memory of 4448	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	141
PID 2204 wrote to memory of 4448	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	141
PID 2204 wrote to memory of 3316	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	142
PID 2204 wrote to memory of 3316	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	142
PID 2204 wrote to memory of 3524	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	143
PID 2204 wrote to memory of 3524	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	143
PID 2204 wrote to memory of 4780	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	144
PID 2204 wrote to memory of 4780	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	144
PID 2204 wrote to memory of 3972	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	145
PID 2204 wrote to memory of 3972	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	145
PID 2204 wrote to memory of 3420	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	146
PID 2204 wrote to memory of 3420	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	146
PID 2204 wrote to memory of 3152	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	147
PID 2204 wrote to memory of 3152	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	147
PID 2204 wrote to memory of 3380	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	155
PID 2204 wrote to memory of 3380	2204	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe	155
PID 3380 wrote to memory of 4492	3380	cmd.exe	161
PID 3380 wrote to memory of 4492	3380	cmd.exe	161
PID 3380 wrote to memory of 5324	3380	cmd.exe	164
PID 3380 wrote to memory of 5324	3380	cmd.exe	164

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe
"C:\Users\Admin\AppData\Local\Temp\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3DwaTFc6qk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4492
- - C:\Users\Admin\Music\sysmon.exe
    "C:\Users\Admin\Music\sysmon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5324
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44a377ca-b357-4aec-aa0c-b9c3d599e457.vbs"
      4⤵
      PID:5480
    - - C:\Users\Admin\Music\sysmon.exe
        
        C:\Users\Admin\Music\sysmon.exe
        5⤵
        
        PID:5808
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c9bd05a-7a3a-4cfe-945f-e55dab9a7b45.vbs"
        6⤵
        
        PID:5996
        
        C:\Users\Admin\Music\sysmon.exe
        
        C:\Users\Admin\Music\sysmon.exe
        7⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28bcf562-0dff-4816-91a1-88d97797821d.vbs"
        8⤵
        
        PID:2396
        
        C:\Users\Admin\Music\sysmon.exe
        
        C:\Users\Admin\Music\sysmon.exe
        9⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe57fcd-f454-4fb6-a88c-ae25739e8413.vbs"
        10⤵
        
        PID:5252
        
        C:\Users\Admin\Music\sysmon.exe
        
        C:\Users\Admin\Music\sysmon.exe
        11⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76376fab-89b6-4aed-be4f-4e77179dd156.vbs"
        12⤵
        
        PID:5568
        
        C:\Users\Admin\Music\sysmon.exe
        
        C:\Users\Admin\Music\sysmon.exe
        13⤵
        
        PID:5172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\842cb26d-4732-45ad-a7d5-b2cae3cb0e63.vbs"
        14⤵
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153d382f-a650-439a-a75c-2230a6252c5f.vbs"
        14⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpD008.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD008.tmp.exe"
        14⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmpD008.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD008.tmp.exe"
        15⤵
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a493334c-384b-4243-9028-4b6f82258905.vbs"
        12⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp.exe"
        12⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp.exe"
        13⤵
        
        PID:5988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5479f1b8-e2e7-4309-a585-e545aaaee78f.vbs"
        10⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87F8.tmp.exe"
        10⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87F8.tmp.exe"
        11⤵
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb9dd207-3143-46f0-a020-6376eb2786a4.vbs"
        8⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A02.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A02.tmp.exe"
        8⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A02.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A02.tmp.exe"
        9⤵
        
        PID:4200
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22ccc8da-095b-4142-8340-85e90f03a4f3.vbs"
        6⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\tmp17E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp17E8.tmp.exe"
        6⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\tmp17E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp17E8.tmp.exe"
        7⤵
        
        PID:3184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06671956-0077-4589-8b78-c64b03aece94.vbs"
      4⤵
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe"
      4⤵
      PID:5624
    - - C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe"
        5⤵
        
        PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28d" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28d" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Music\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Setup\State\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\authman\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\Idle.exe

Filesize
4.9MB

MD5
adea3d5a416c1452e6c572b162983622

SHA1
e2ba3ad5285a08d6681c410b7e3cb313356fd6d0

SHA256
da191a476056264ecf51feaa86ed3ffd997b2f9ed3cf5245427796f5c0672a28

SHA512
9631b55139a134fd96ad39b3a355d10b49a20cfb00aa0ed6452dd17596815baefe0d20d89cae82933d59eea28286b02b7b92138b85257e39593ad12de8ff860a

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
4.9MB

MD5
ae32685d86668593eabf7d6ffc6353e4

SHA1
93b6ca8ce40032a3959b53f5e3ec400390d4d0f7

SHA256
72c0d33c500229a574aa5e1987ab356be3a618d23247559752190b720f2b989d

SHA512
1ff7fbf4cd7f771649835e65e925e4f95f3782e96f982ad7d854c89ad3a3b9ea1f7e8ef0c7fb45aedad3149c85d298497da95f8425ddd0789d29785677bcf940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\06671956-0077-4589-8b78-c64b03aece94.vbs

Filesize
483B

MD5
6b2c371f1151b9c5643e2afeab2941bb

SHA1
7657af663d9ec0a16458173ce63da1bfd97cfa9c

SHA256
294529e89974959e404118f4289633194fa74a6450a0077fe7ac7659f167c220

SHA512
eadad24cfb72a8c14869c530ad592fd172ab0de3a845db2d0114510aa4c57fa1aea79c43d24c14ad5b5164baa7676e145bc80e4677a97a09ac0c0cc406a27e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\28bcf562-0dff-4816-91a1-88d97797821d.vbs

Filesize
707B

MD5
6e3bed81fc50c682e7cb8085851df652

SHA1
069be74b359aa1882172431932e1c47c2512c27f

SHA256
336ed1dae3e42a81dd98e60976791c4e216868db0be92cdd9d151f3336734633

SHA512
78950c67da2efcafdd6be8367d08710afa5d9a62604ecbc2d50d997301766cfca65f0d5a334dde22b0e74e9d5983ffd7652339f16075e2f2e9975035c84f46ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\32d9027b54454515da220baed833c502063b714c.exe

Filesize
3.9MB

MD5
5175b466ac6ed4a33a9d6220ecdd8a53

SHA1
a01f233ced9dcdb4d5d2e851a0aed261520d5d73

SHA256
ef979aba52fcdf23c6783b129cb1fc147e43bb8c932464099a0728784cf579f0

SHA512
b3cdf2a9878fc23e0faa2f1dd63c9daf5cf64295978f34e526ac5b8fcc363fdfe45113d6d4cf0ea9c4b66514a0a583795685273c5fce0514eac2be11f558d3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\32d9027b54454515da220baed833c502063b714c.exe

Filesize
3.1MB

MD5
757bb5681b6f637ea0809292a1ae5bf1

SHA1
f42526a726cfe19471fc7f59a17caf765156a65c

SHA256
e4ff57504302a4e5e4ea847b7b2ca7bec78741023d97179240311e9686444028

SHA512
f3eba005cf867482e2cac817955e47f325d3ff589e26e260e6d1940a7f1ef3134df51203f45cd6e08b8930589d3bbe786ee66d964720e29c1367064a8c84723f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32d9027b54454515da220baed833c502063b714c.exe

Filesize
1.4MB

MD5
eec947d322cc520d4954b61c64eac863

SHA1
060de80261009ae01a7795393745563034c9236c

SHA256
a93a8a858b821ce0fb3594477b5ee2b53184d38249da0d943a06ba6543637b6f

SHA512
5493abf656550ae038c0ac139d828fd8e56c8e7585b0b1acdd896231df934ac69c758af4a7b62b1d0373996882bd8b8e6330d7d913f8900c30b55cfdb1338080

Download Submit
C:\Users\Admin\AppData\Local\Temp\32d9027b54454515da220baed833c502063b714c.exe

Filesize
150KB

MD5
5b7d9289507489ce51de62f710a297f2

SHA1
7ee9f8e790872793847bf6a12262b847c2def80d

SHA256
e8e67b1572b7dab24048a57676fbe93618cdc55ab64b75938fb034ce653be647

SHA512
ecf7fdb789e3b58743993566bc1884927169059bb242833e883458595a3d6a42a72171df04a0d9326b6b91dee60d1cf7df0e89908a7807f5be2272b388b19a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DwaTFc6qk.bat

Filesize
196B

MD5
32c43a9adfb4db50a89b1636854040d6

SHA1
707a2806cebd89479781a3de0c15048b37bc2929

SHA256
024813de571ad7bc3197097e43972b4198ad355e8574eabd31608737e30c2121

SHA512
860f0b98193ce11c12d604621667b2203c6a6b017b2ea5bfd8611b40e9f75cb3b367b4bc8c272cb344b5e9c155053407d275410fafb125d624378b31173bcf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\44a377ca-b357-4aec-aa0c-b9c3d599e457.vbs

Filesize
707B

MD5
225d9c82e6805a5342e4ce610e4c2093

SHA1
9a1d2acbc67c302d0d543f77952c66528a902815

SHA256
4972cc6e1103c8e2c1be4cbce4f137b36a86eb9433aab51612eb195e90eb6ab7

SHA512
ca75d6c7286fd704108e4fd15c835ba52a3ea3449976303ff3ebeb7182e060fc5c703be36bda2e9dc3b493b88be5a66a46cb797735fe62c9244ee150989e4794

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c9bd05a-7a3a-4cfe-945f-e55dab9a7b45.vbs

Filesize
707B

MD5
f2b79566a75daf81930833371ce63b6f

SHA1
a25ac27d0f205150e2d178d801093d90e27611aa

SHA256
d14ebaaaa764827c58b1ff05d4b222c6b918e5db5035de00302232bd82f4d6cc

SHA512
fc26adf03d8c0c3bf93007ef8afabe63f50c4ec3d29614ea0cbbd17923bc6a9102a7552dd8d49cc9ebcd2272f645fb4e250806dd2cd901810523f0d88fe9b5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\76376fab-89b6-4aed-be4f-4e77179dd156.vbs

Filesize
707B

MD5
fbc5818640e55c2d387d568e422f8629

SHA1
ba8a870d9491ce7b6a34b4a4b337648ef02c0a17

SHA256
1b206a9bd96556f35120f05428be2dfea64fada3901a4a568cf1c4b415255ab9

SHA512
3882805d0e5dcb484a67228956104943b47032a8391f51ed7fb511ee064b508ffd88e851974c9876aed83f2637c3a05c1e2d2538909c30181041aff8cbf0348b

Download Submit
C:\Users\Admin\AppData\Local\Temp\842cb26d-4732-45ad-a7d5-b2cae3cb0e63.vbs

Filesize
707B

MD5
b8f252652a86f568c9e1a267487e70f0

SHA1
7b6371e1b33921bbcf22bab147a613d9cad5fd9b

SHA256
e36211a6258043f05c28fb0f218f6f77f1f9593cbfbf89595df841a5a8eb1b4d

SHA512
5c2e3b110fbe774b8df41e0e51f1d81a76d936527e45576f3ceec204e4f460a575a333b71436f9ebc10acc284d35abfa1a54ec26d85e27158648aa115876aa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjlwrjpw.fy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbe57fcd-f454-4fb6-a88c-ae25739e8413.vbs

Filesize
707B

MD5
1ffaa522b9b8bac6639894bf33c6aa8f

SHA1
9f5e47a12a722a84924f3dd4ee9df6326e5f7db8

SHA256
ba8d46f4c00a6b6add9f4f7d6e3aa235c6d4422254dc0217e491ad20ef2d373e

SHA512
de32cefc1484fc5b60e5b386db353f7f569f048f3179b39afbf342326de208bd121a083397d5f6dc8f130e648091c6c7a52027074f1945b5fb619c24da00f41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA79C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\Music\sysmon.exe

Filesize
4.4MB

MD5
4a39f750422ebdcc63b00dc2789404cb

SHA1
d064ede63bde6377d943671e50e27ae444aab57e

SHA256
01e3c3e5fc79b9c90461eedf4efddec10a6284c86d83e9d68d25afac3ee3129b

SHA512
4460b23a7d19546aee987186006f8273a6c04941fd507798825ada7251ae31efdd5706e3704372676b2409c06be811d5c17583943dc0b5c3e3e705cff5b1ed55

Download Submit
C:\Users\Admin\Music\sysmon.exe

Filesize
3.6MB

MD5
79f1d5554780955af36a2dc0de2f2b65

SHA1
951a312fa94b230310487a24040703a985bf56ea

SHA256
a5798ce34ca25796ab7d7cd3e468cb7b2c4346aa580850cfdc6ba3beba0fb847

SHA512
fd16f803901bcbd7901615b1be71a326354d1796bbcdfc40636392435c6de18a6edca3f82313b699dfc9f2146eeafd5bb3254c15f1de49593a87d755ce3e903d

Download Submit
C:\Users\Admin\Music\sysmon.exe

Filesize
1.4MB

MD5
86ec30a35bce00cbbca6ab404736668c

SHA1
9dec7b74bcea9cbdc99d23f67ecdaafbd02d8c10

SHA256
b0fb1d28fdd205ad0d5ca9588defeed6d5aca7b266ee8f6f8d04e30dc6dfcb81

SHA512
cf4aacff468a1db7b069041cefc789878241c6b79dd93377fcacf63517c02800149fc31395e933b486988a204b26c95127a8f855d77cdfdad0605f4077d31e69

Download Submit
C:\Users\Admin\Music\sysmon.exe

Filesize
386KB

MD5
4eb3f5438aa4bcaae8e8aed6b6d3fb2c

SHA1
2c8c0cb0f064ead16b235d9a340306f99bd5e641

SHA256
ef17f7abb1c34f4d9893829cfe265175b1fb4654d34e065e45609b11a854723b

SHA512
99b29bea256f117ad66f1e055a3d0cff05214672caeca9e94934e7d10463122734f4efea15d8f016b22a02867a6a0ab16ab415603024a174358e861bd5dfe80f

Download Submit
memory/1692-283-0x000001836AC40000-0x000001836ADAA000-memory.dmp

Filesize
1.4MB

Download
memory/2036-292-0x000001F4E93E0000-0x000001F4E954A000-memory.dmp

Filesize
1.4MB

Download
memory/2204-13-0x000000001BB60000-0x000000001BB6A000-memory.dmp

Filesize
40KB

Download
memory/2204-10-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/2204-1-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/2204-2-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-3-0x000000001B530000-0x000000001B65E000-memory.dmp

Filesize
1.2MB

Download
memory/2204-4-0x00000000027A0000-0x00000000027BC000-memory.dmp

Filesize
112KB

Download
memory/2204-158-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-7-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2204-151-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-143-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

Filesize
8KB

Download
memory/2204-9-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2204-8-0x00000000027F0000-0x0000000002806000-memory.dmp

Filesize
88KB

Download
memory/2204-6-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2204-5-0x000000001BBB0000-0x000000001BC00000-memory.dmp

Filesize
320KB

Download
memory/2204-11-0x000000001B510000-0x000000001B522000-memory.dmp

Filesize
72KB

Download
memory/2204-17-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/2204-18-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/2204-12-0x000000001C130000-0x000000001C658000-memory.dmp

Filesize
5.2MB

Download
memory/2204-16-0x000000001BB90000-0x000000001BB98000-memory.dmp

Filesize
32KB

Download
memory/2204-0-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

Filesize
8KB

Download
memory/2204-14-0x000000001BB70000-0x000000001BB7E000-memory.dmp

Filesize
56KB

Download
memory/2204-15-0x000000001BB80000-0x000000001BB8E000-memory.dmp

Filesize
56KB

Download
memory/3052-67-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3136-291-0x000002BF74DB0000-0x000002BF74F1A000-memory.dmp

Filesize
1.4MB

Download
memory/3152-262-0x00000226FA020000-0x00000226FA18A000-memory.dmp

Filesize
1.4MB

Download
memory/3316-274-0x000002674FF80000-0x00000267500EA000-memory.dmp

Filesize
1.4MB

Download
memory/3420-293-0x000001D6CDF80000-0x000001D6CE0EA000-memory.dmp

Filesize
1.4MB

Download
memory/3524-272-0x000001B5ADBB0000-0x000001B5ADD1A000-memory.dmp

Filesize
1.4MB

Download
memory/3764-275-0x000002672C250000-0x000002672C3BA000-memory.dmp

Filesize
1.4MB

Download
memory/3972-278-0x00000161F08D0000-0x00000161F0A3A000-memory.dmp

Filesize
1.4MB

Download
memory/4448-273-0x000001FEC4A20000-0x000001FEC4B8A000-memory.dmp

Filesize
1.4MB

Download
memory/4448-170-0x000001FEAC5A0000-0x000001FEAC5C2000-memory.dmp

Filesize
136KB

Download
memory/4780-284-0x0000018336620000-0x000001833678A000-memory.dmp

Filesize
1.4MB

Download
memory/5324-297-0x000000001C0D0000-0x000000001C0E2000-memory.dmp

Filesize
72KB

Download
memory/5808-322-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download