dcrat | dfe9f39426e9f5c49dfd52ec6dcf91a679af24d2e5a6119a139b9bdf1525655d

Resubmissions

23/01/2025, 15:47

250123-s8nvfavjhw 10

23/01/2025, 15:44

250123-s6ya4awkgr 10

23/01/2025, 15:43

250123-s6b3vswkfl 10

Analysis

max time kernel
68s
max time network
91s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23/01/2025, 15:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

taskhostw.exe
Size

1.2MB
MD5

ac904ffc13b5f221270f475065687b59
SHA1

ed6b4383582eae7b72064a10e33cebc6fd3690e5
SHA256

963a316c03e4f88df946a43d537f6ed2d2001eaafcde40bdb52cd15104112606
SHA512

9626483209d8546c835c94cfffd89e1cf6ae813730d04dfdb9b4b4019e12ee0c9166fa76fb47426251f6e669d6c63037718ffb8c8366766cadca1a9f78c91559
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbqTHSOOJVu1SNEC8m+P1BAyrQ/ta3iruJtDwbD:u2G/nvxW3WieC2nOJVrj8m+aSDwbA9Nq

Score

10^/10

dcrat credential_access defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4688	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	4688	schtasks.exe	87

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x002800000004626e-14.dat	dcrat
behavioral2/memory/4976-16-0x00000000009D0000-0x0000000000ABC000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	ComfontHost.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
2504	conhost.exe

Executes dropped EXE 7 IoCs

pid	Process
4976	ComfontHost.exe
2504	conhost.exe
4148	firefox.exe
2952	firefox.exe
1616	firefox.exe
3604	firefox.exe
3868	firefox.exe

Loads dropped DLL 5 IoCs

pid	Process
4148	firefox.exe
2952	firefox.exe
1616	firefox.exe
3604	firefox.exe
3868	firefox.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	conhost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui	conhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.Tests.ps1	conhost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	conhost.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	conhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.Tests.ps1	conhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1	conhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	conhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\SmallLogo.png	conhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeOfType.ps1	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\mswb70011.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\Microsoft.Ceres.DocParsing.FormatHandlers.OneNote.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseAPToast.exe	conhost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\Microsoft.Ceres.DocParsing.FormatHandlers.Gif.dll	conhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1	conhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\Microsoft.Ceres.DocParsing.FormatHandlers.Docx.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui	conhost.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz	conhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.Tests.ps1	conhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\Microsoft.Ceres.DocParsing.FormatHandlers.PointPublishing.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\EppManifest.dll	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll	conhost.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	conhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\MsSense.exe.mui	conhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1	conhost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	conhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Common Files\System\wab32.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\nl7data0011_v2.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPNSSUI.dll	conhost.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmpnssui.dll.mui	conhost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui	conhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll	conhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1	conhost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\diagnostics\system\IEBrowseWeb\uk-UA\RS_DisableAddon.psd1	conhost.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\Globe.png	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\MSBuild.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Drawing.Design.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\CvtResUI.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it-IT\Microsoft.Windows.ApplicationServer.Applications.dll.mui	conhost.exe
File opened for modification	C:\Windows\Cursors\aero_nesw_xl.cur	conhost.exe
File opened for modification	C:\Windows\Cursors\size2_rl.cur	conhost.exe
File opened for modification	C:\Windows\Fonts\vga857.fon	conhost.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-black_scale-150.png	conhost.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WindowsMediaPlayer.adml	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Xaml.Hosting.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.xml.resources.dll	conhost.exe
File opened for modification	C:\Windows\PLA\Reports\es-ES\Report.System.Diagnostics.xml	conhost.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\_dataperfcounters_shared12_neutral_d.ini	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\Microsoft.JScript.Resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web_hightrust.config.default	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\aspnet_regsql.resources.dll	conhost.exe
File opened for modification	C:\Windows\Fonts\tahoma.ttf	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.Mobile.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\JSC.Resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MmcAspExt.dll	conhost.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-125.png	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AdoNetDiag.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Dynamic.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\0410\mscorsecr.dll	conhost.exe
File opened for modification	C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\uk-UA\charactermap.json	conhost.exe
File opened for modification	C:\Windows\INF\hidbthle.inf	conhost.exe
File opened for modification	C:\Windows\INF\mdmnokia.inf	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Web.Extensions.resources.dll	conhost.exe
File opened for modification	C:\Windows\Boot\PCAT\zh-TW\bootmgr.exe.mui	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Runtime.WindowsRuntime.resources.dll	conhost.exe
File opened for modification	C:\Windows\PolicyDefinitions\WindowsDefenderSecurityCenter.admx	conhost.exe
File opened for modification	C:\Windows\diagnostics\system\Networking\InteractiveRes.ps1	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Runtime.Serialization.Formatters.Soap.resources.dll	conhost.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\uk-UA\CL_LocalizationData.psd1	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\ShFusRes.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	conhost.exe
File opened for modification	C:\Windows\Boot\EFI_EX\pl-PL\bootmgfw_EX.efi.mui	conhost.exe
File opened for modification	C:\Windows\INF\usbhub\0411\usbperf.ini	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Data.OracleClient.resources.dll	conhost.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\pris\resources.ja-JP.pri	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Xaml.Hosting.resources.dll	conhost.exe
File opened for modification	C:\Windows\rescache\_merged\24768367\1561052042.pri	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Dynamic.Runtime.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Web.Extensions.Design.resources.dll	conhost.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\MF_PrinterDiagnostic.ps1	conhost.exe
File opened for modification	C:\Windows\INF\msgpiowin32.inf	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.DynamicData.Design.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\mscorees.dll	conhost.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100kor_x64	conhost.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api	conhost.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrord32res.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.Configuration.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\it\WindowsBase.resources.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\aspnet_regsql.resources.dll	conhost.exe
File opened for modification	C:\Windows\Cursors\wait_rm.cur	conhost.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorpe.dll	conhost.exe
File opened for modification	C:\Windows\PolicyDefinitions\RemoteAssistance.admx	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\it-IT\PresentationHost_v0400.dll.mui	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\3082\CvtResUI.dll	conhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Writer.dll	conhost.exe
File opened for modification	C:\Windows\Boot\EFI_EX\en-GB\bootmgfw_EX.efi.mui	conhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings	ComfontHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings	taskhostw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1640	schtasks.exe
3448	schtasks.exe
5024	schtasks.exe
936	schtasks.exe
3892	schtasks.exe
1524	schtasks.exe
2760	schtasks.exe
3996	schtasks.exe
1168	schtasks.exe
520	schtasks.exe
1924	schtasks.exe
2576	schtasks.exe
3604	schtasks.exe
3680	schtasks.exe
4944	schtasks.exe
3752	schtasks.exe
1632	schtasks.exe
4144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4976	ComfontHost.exe
4976	ComfontHost.exe
4976	ComfontHost.exe
4976	ComfontHost.exe
4976	ComfontHost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
2504	conhost.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	ComfontHost.exe
Token: SeDebugPrivilege	2504	conhost.exe
Token: SeDebugPrivilege	5060	firefox.exe
Token: SeDebugPrivilege	5060	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5060	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4112	4596	taskhostw.exe	82
PID 4596 wrote to memory of 4112	4596	taskhostw.exe	82
PID 4596 wrote to memory of 4112	4596	taskhostw.exe	82
PID 4112 wrote to memory of 2744	4112	WScript.exe	89
PID 4112 wrote to memory of 2744	4112	WScript.exe	89
PID 4112 wrote to memory of 2744	4112	WScript.exe	89
PID 2744 wrote to memory of 4976	2744	cmd.exe	92
PID 2744 wrote to memory of 4976	2744	cmd.exe	92
PID 4976 wrote to memory of 4556	4976	ComfontHost.exe	111
PID 4976 wrote to memory of 4556	4976	ComfontHost.exe	111
PID 4556 wrote to memory of 3716	4556	cmd.exe	113
PID 4556 wrote to memory of 3716	4556	cmd.exe	113
PID 4556 wrote to memory of 2504	4556	cmd.exe	115
PID 4556 wrote to memory of 2504	4556	cmd.exe	115
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 2816 wrote to memory of 5060	2816	firefox.exe	120
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121
PID 5060 wrote to memory of 3864	5060	firefox.exe	121

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComfontHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
"C:\Users\Admin\AppData\Local\Temp\taskhostw.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\BlockBrowserWeb\ComfontHost.exe
      "C:\BlockBrowserWeb\ComfontHost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hR0dus7gtM.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3716
      - C:\BlockBrowserWeb\conhost.exe
        
        "C:\BlockBrowserWeb\conhost.exe"
        6⤵
        UAC bypass
        Deletes itself
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops autorun.inf file
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\BlockBrowserWeb\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BlockBrowserWeb\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\BlockBrowserWeb\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComfontHostC" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\ComfontHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComfontHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ComfontHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComfontHostC" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\ComfontHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\BlockBrowserWeb\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\BlockBrowserWeb\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\BlockBrowserWeb\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\BlockBrowserWeb\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BlockBrowserWeb\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\BlockBrowserWeb\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1c89272-d797-414f-bd68-a616fcd079ac} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" gpu
    3⤵
    PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2376 -prefsLen 27015 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4c675b-d6e1-45e7-abef-7df883f646bf} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" socket
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a9a8892-29a4-4e0e-bf15-a8ae20b453b8} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3336 -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2676 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d606da6-deff-48a0-a8cc-9f39bf4af3f0} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3520 -childID 3 -isForBrowser -prefsHandle 3912 -prefMapHandle 3852 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c806090-0f60-4d14-baa8-c715a4f4120a} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 32389 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe39c986-22a7-4366-a580-1f949579d722} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" utility
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3868

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d4055 /state1:0x41c64e6d
1⤵
PID:5096

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockBrowserWeb\088424020bedd6

Filesize
277B

MD5
095f3d7dbc25ddc205025483405738af

SHA1
6e43de876717b626f53951777d688732e00a42c4

SHA256
23a83fe154ff3d71b9f4be8e07af1314827acbcb73c6db3a7d8e0b65fb7885e2

SHA512
c17d6e4d8939865898140afbb56dda7ff879eac9461e44308f2f6d7ff7fa9d81e5e42cf4e7178813f8cef9451bb58588a7dad507868e90277ae699699e086c47

Download Submit
C:\BlockBrowserWeb\24dbde2999530e

Filesize
554B

MD5
2498c9c851f686f3530dfcb325e63b17

SHA1
9190758c97fe349835dec8540c20979daae8e6fd

SHA256
84eac04649fd3175964f41bd8a2177a1244f4852d51d8bc97d71e4dcbc0b1edd

SHA512
003d4e5182ddcc9162e882f576a1db4b7a54416e8c4863042c6ae6c8f30dfe6e0d354e324c837d466dc9b8ef45f011018b7cb0c782af76721d615723f3c3e6d6

Download Submit
C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe

Filesize
230B

MD5
fdf72c94be3290267c930fab28fbd800

SHA1
a0e186ec44952baf296acd483f25327b0c6f33dd

SHA256
4eead935013d583296ca49f8fc8b70d38b7c32e1189204629f33cead574e2dd1

SHA512
a59b3fe649739e5d61d116149011f8d0f19ed8b217134aabb3f2c698dd52a5ccc4b67414209772be48fe4477158ffa7ebb2097280dccf1607955f1a95d264634

Download Submit
C:\BlockBrowserWeb\ComfontHost.exe

Filesize
911KB

MD5
082141e65f26ececc48552790d6c6da4

SHA1
fba9667158632e2dbfa128d1fa1bd4be282e773a

SHA256
b49adf276a5e055ef1a3685f032701b41be76177f7f9eb85dfac2d33b5fa7c9f

SHA512
cbe0fef685801d436b5637a0e08df052af119284491a382d689686735ee8352d3edaa6857754f16f022a0bb43f95039bc841e4ed1e20614ea0a9976258947946

Download Submit
C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat

Filesize
47B

MD5
68411cfd82c251c57e0fd3e2b6e7af03

SHA1
26b09d13a90b0e662d57c59dc903db51dd11a177

SHA256
0f31379f24cbc2ab580f9b2f77e4fa36123a732377be53d88c28546228e106d7

SHA512
78ba2559d614ed0dbcc2e32a5f6b9ef3d3585df4cc515728ff4cccdefbd00b50f3e34774af016a5fc9f8320ff48e963bc76f9c7b04e80ad69a43eef9c18f2f2a

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
655KB

MD5
470443e44566ecfc7ac2ddbec240a73f

SHA1
27bb8d2fc02cd2bbc184d07357aaa9903d88b425

SHA256
006652da0745d8672ec56598368c1f8a4896cd4a0aa5b61499d574870f94b705

SHA512
22c9bc36874abb015a7e1a28e26f186f2abbd559aad53fdcf493f2178dbc6cfe5a7324d0acadcf4a641028e61787d2f4237a8c034a3a7a6d0a7162f31e05a618

Download Submit
C:\Program Files\Mozilla Firefox\mozglue.dll

Filesize
967KB

MD5
82958c604717fc0a15052e03a927cfa4

SHA1
829a7eb23147c31d9746ddaa30201b7127515416

SHA256
948818942a29cf21260ba389c2fdf3c001d77851500a7124c1f6a3290b8f826c

SHA512
70e5118dd760e7dc86f3641da57dad00f02b703e53230bc13e0e9e21fddcba75d3e70445d90d9f13988956e4ba20e7b54ebbdaaed18c3e7aa75a4214c2e2aff9

Download Submit
C:\Program Files\Windows Mail\c5b4cb5e9653cc

Filesize
397B

MD5
1940ada86bf63631b51064bdd74e6cc5

SHA1
383cd80049a01c3b393635f1292862bb6240ad20

SHA256
395727065e38d7d5ed40b1378a8aea6d9c04edef951c2bc0377dc914bddf01b5

SHA512
eef7e3fa59201f7129a4e854b4be01c06a1e208fe4c2ffad56d980b3452d0f6407d076190836616375d070e043cc10450ce374ce55cfe50927af6bc1b074699a

Download Submit
C:\Recovery\WindowsRE\c6e55b6041e180

Filesize
597B

MD5
789f487d2689efe14d91751ad0381fa2

SHA1
8ef35651377a3a35094d022e9abe4776abd97d6d

SHA256
c4750de13615d19044ff19c3745f6f8cea721d6fca8f574c6e9fbd5fa4c1488f

SHA512
baec634ac5a943edeca7be3349ce46b31b4d49d1467a07d8a062d51750a5980dbda70af26d095fcd296ecc560098a460351d9d50b2b2a38c82a9ffb69456c7da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComfontHost.exe.log

Filesize
1KB

MD5
fcbbff8eeb93ad014bf73143a67cbdce

SHA1
79cd0f544ba90184d14911c68dc2314f2225a020

SHA256
4f3945ae2db9e60f191a1dc16b1e156710f81037869b5515e0c8ed0b31070d01

SHA512
f5c8342c814d31d561642a0218011b86adcac40a068acdfe1870fd26c0b63927a4bcb53fedacb1bfd8f3ae6fde75ddd66ff5ed49dced4a39bfce575f51603ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hR0dus7gtM.bat

Filesize
195B

MD5
d5fceba369a1070ff233b0cd12fcc828

SHA1
282655b685e404a2f81b44351805ef6376c15a4d

SHA256
3a9d83b8797ae69199549c40adb23f00e67e96dd94644d085e41a861cd5dea24

SHA512
92450cac60ec85516e924736e8efcf1d43a96117cc25169346d6540e89b1f4b263d7b35d59d68612f96a5203464ea1642467db01c1ff912dce194237bbc2ad27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\LastCrash

Filesize
10B

MD5
0f32adb95aeda2c06f76ba9de17bd21f

SHA1
46e2b05efb2e03f5f65f3d988aa9a855c832d28c

SHA256
5e23d1c7911f0d8176843888ac2cca634773ac2d3d214dce02f187f12b6b8ea5

SHA512
e850bc5a2cac22eb4861cbb6acd20c028bc6e25bc41f1252a82cc360bea71d07d62c2fce02b1ed5f2cc5897fe5204bca5ead14a80a6ab34e628260b33d4d9cb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\AlternateServices.bin

Filesize
6KB

MD5
495087b32e8a908e1590e08043b4b8a8

SHA1
753ac669a1704e41b6cd8c400ae9e55ddd109efd

SHA256
c49cc664ead6ceeaa3a7ce4f245e5957d0195f4ebd1ac88f256968c55a0567f7

SHA512
d38457f54b4b7ac1a3130aecbef35a03af8de65be60c1f659af40cd1c88b3fc3426c18a4f9897319558e582594e106d2b071dce4bc9fe4cd92d9d38ca839c995

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\SiteSecurityServiceState.bin

Filesize
858B

MD5
46f7a5dd41e7d7d584107f63634b2fa5

SHA1
899e13caccf2102170e68dbc615d74163540b9f9

SHA256
748112d811b22f1bcf53282ccc720ad8b2e7301af5ace1e6d407f2b5dbd98646

SHA512
f553049b008122d417f91cb871b3cef9aa728aee409b925d95b63b65b92a6cacbe6884f5689a56a443654dd3ca2152695ddd963b85563b249c275cf3d1b07ead

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\content-prefs.sqlite

Filesize
256KB

MD5
b5acd9cf58ba89e643e7b2e839e0707e

SHA1
82c2b9cbea4acb50b446b786818287be7b0b8b61

SHA256
4d4fd87f1cdccc9f826ab7de2b3980db6fe4ed328f079ceb24f680557da9667e

SHA512
1fdaf5173a2fa956e3793b3643b44d928a4c81a1599bdf4b057396bfca5948ce1097194dbb5f528959c8cf4e34d058922828236c6060b41510e9ea2cb9ed424b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\crashes\events\90a79891-83d7-4734-9f71-70622e02ee30

Filesize
9KB

MD5
70e6a752d971caabe7d9c162e59d3681

SHA1
bfe953012cefa3e62ab2773b7bc48b7976d97f7e

SHA256
f7e1eb0b148a2cb41a77d6c881c6a672aa2eca2b721f5a23fda16a2304e6533d

SHA512
cb4542db4da3fb2f0e2a7541bebfa6405f04ad1247023e27e8fa360b0ef9ecddcbc22bf10de818ceeb75a50b2fcfae6c0f7a926d3e60fe63c0bf05f16191c3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.bin

Filesize
5KB

MD5
24084f6dd14fda27caecf6d3c109ad72

SHA1
d341a2d943762c0633903bac646e47ee945b6c92

SHA256
8bb0ce80904e9998773821149ed91745022a926b6c2df2ac66088421a7f6db13

SHA512
9fab6d9b23423ea1b78cd2d06fb58e1b614ec0f7658222ba94f03a469ececa3c2264c0f9a3f9557fc78d308839f00d7f368d0328e980ac763ff1f3e93c697990

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
c3a1ebb35e17626d72907b11f4b5b683

SHA1
a2922a1ee067e9d9854ced41dc57b5764b699ae0

SHA256
7979613b8f8b4f20515cfd7fe0b2fd00e14a763aa0ee420220e5b45fc634afb6

SHA512
807891b390b1bf7f36f38b2472ca5ef2ce1724210bd35497dbdca976338b57885bed6d6ccd4dc15eacff090bd868c4e8e10619e3b5324081b6a75f454b090da1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
19beb3114276454ba2e79a0a2b2be12f

SHA1
5a181ba0b832f47fcbcd2e8183dab5e0aaa5399c

SHA256
f96b00f3a25d447a8721cc2f0901fc578ec1c369a453b42b7322e6ae658924ca

SHA512
3fedd163b673ebf75293caafc70b40ac1df47f3686ed7eabfc97cb97d99b6a997b2e3af7f481423f6cc67b425b6f71c3d4887cd858164b64ad64948d7712f1b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c4d36654f28bd409c59f88e47af6bb37

SHA1
efd3dc13592146ee4535e6ebc4a27d6b1324f8ed

SHA256
00ff0d343f4b71861e82130f6c299f80384087000f0f5173ed01c63abea0a1ea

SHA512
34cba9895287d97b4e18780753879986de829c15de4092c7bed1c56f21ca77a35134eaefb5825b32a7f3600eb39c240740650956ada7c6259735b1d346d9e731

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\events\events

Filesize
104B

MD5
defbf00981795a992d85fe5a8925f8af

SHA1
796910412264ffafc35a3402f2fc1d24236a7752

SHA256
db353ec3ecd2bb41dfbe5ed16f68c12da844ff82762b386c8899601d1f61031d

SHA512
d01df9cab58abf22ff765736053f79f42e35153e6984c62a375eb4d184c52f233423bb759a52c8eed249a6625d5b984a575ca4d7bf3a0ed72fc447b547e4f20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\28e2d05e-03c2-4677-9262-396bcc4c96c6

Filesize
982B

MD5
eb75522c9a385fbcc147c378c072b5c2

SHA1
8f99cae6d1caed91faf4b320c8f230b20d69ec27

SHA256
242f99b323a9a70743ec5302a104fba37c5d1210efa1a11f25627e870a1a23f1

SHA512
e6bf3f913f4f41163add6d541e3ce21931d6f9b5a803f3d237a9f8e17391bfbf6a8134db852e613c99177130857b0617ff86e999b74b26ec30f0a9473dc72614

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\8b21e9ac-4e8e-4ec3-86bc-1172c001041a

Filesize
671B

MD5
c29d8b21c0f08d6add75dcd9b54fc9d5

SHA1
1d105a417db3ba93cb75697234ca8296aa6b5e42

SHA256
574f0cb681901d812137f152cd104ceda53c4b82520c3135102d70a3ff3cbd1f

SHA512
22da2bd6d5819a8fc489b01cdce29e7ceb69171c20112ad5e099f52431694ba50604dd0bdb68a3492edd4e56331ee5f78d8b42fb6a495a6e8b90964fc5e6023f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\d1408d7b-88c1-4f2b-b80d-7603346b9851

Filesize
25KB

MD5
06fa4948ae183311d9126a6a1dc1c565

SHA1
6516ed76e105593645843e804ca036c467ce4f2f

SHA256
6678cd46f7acfdbcf31fee1c56006d903c5c161c16af3bd299488a2a9de9805b

SHA512
cde2a539dfc3f9afdade7e64c78ddf4e58dc093d1c74d2dfb66b7f59ef87c90a2337305fbba45201c6e3e61cd350ccd24c80e7972b5e82cc228c5746902fc7fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\extensions.json

Filesize
29KB

MD5
26804f577174e095a1e619c8c72c3083

SHA1
1ea9abd9ecd123b7d21fc1d368c1dca28fe99c27

SHA256
0b6408d11c7665d54aff3e089f58deb99880433fef22faad900225103261c1ed

SHA512
282288f0f8c5b13ff31769f924d8b0a10eb0aaa4634f67845fd6d0a15ca0dc9808f3634b1ead2dc43c4dfddd48aebc61b27051682c9b6320e9074c33156d8059

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\minidumps\90a79891-83d7-4734-9f71-70622e02ee30.dmp

Filesize
639KB

MD5
55fae6178e99f476b33f925d1ac47c55

SHA1
47680ac04b056ec48d44ed29874aad657b4eef81

SHA256
8e93c1c8c00a3bb7ab99c4d09711bb036b05551d23935f86cb4daa76d6c1b530

SHA512
3456513d12aca383f08b5abe0909a4ba730a367dd3febb119c38e51ed46d591fec832db7c86945b1ec4342947e9f3f01c03c22d6021d109cd400ce16490fc2e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\minidumps\90a79891-83d7-4734-9f71-70622e02ee30.extra

Filesize
9KB

MD5
5ba10eedbff43a01cc3d5011bb09e3e3

SHA1
a47b28dc582f9d9aaf443811a87dc1f1ab8f2636

SHA256
5e841be3179a213bcb5387200d51203166bfe0a489c860c1f8ea86c6444f179a

SHA512
fad46714031e31b35468e1e42990b455f3ae9b717099d1079ce12c25601a3293ba2cf34547d062aa512417672bdb46624b240d9aabe20db7de45bfb62100250f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\prefs.js

Filesize
9KB

MD5
2dab1a1cd60fa82841ccbf7cc53acc11

SHA1
acc2a4ba3f7be7733210b68603bdec9f59e4f725

SHA256
a53ba4518128d207f65ec8eacab239cfb5ec012ec86fc7ca4db0021e5132ca22

SHA512
012ebec7e14eb717e8df608a42197e99350dff63e3b859c44c10f274bcc012798bb4511abf133d11d4ebd041dcf1ce8cb37f32111f5971bc0413b7d37e631539

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\protections.sqlite

Filesize
64KB

MD5
d7e5433a87ae3a30de4ab9adc47023bf

SHA1
4edaec48083abd90bc532ba8dd015fe209b0e439

SHA256
c2da29c9c40900e9ae211f9083849b86355850faa503062d14ced549563f273e

SHA512
9b28c36dbe02dff99519fac684c8cb88b8a40b06454524ebf79e576bd22cd94ae0eabb2655aba32bc118767f645d4e12da06764ca5d73c4e42fc2c2e0c343961

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Default\56085415360792

Filesize
901B

MD5
1f08850795d37584801f97133d6a1fef

SHA1
332932c7628839df7dac4821628121e4359402dc

SHA256
b9cb717f53c99c080dd98f52d57d9c5e736e00c5cbed39cd6c695374328224f4

SHA512
653819ef22c4abc643cc21c3495c071962a01fd35084b4a28b52c9f26988077250d075c9cd1de1e4149e2a41bfff451a2564028bf4b5cb0eab37e9a991306920

Download Submit
memory/4976-18-0x0000000001180000-0x000000000118C000-memory.dmp

Filesize
48KB

Download
memory/4976-17-0x0000000001170000-0x000000000117A000-memory.dmp

Filesize
40KB

Download
memory/4976-16-0x00000000009D0000-0x0000000000ABC000-memory.dmp

Filesize
944KB

Download
memory/4976-15-0x00007FFF8B173000-0x00007FFF8B175000-memory.dmp

Filesize
8KB

Download
memory/5040-349-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-342-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-334-0x0000023B2C4C0000-0x0000023B2C4C1000-memory.dmp

Filesize
4KB

Download
memory/5040-338-0x0000023B2C4D0000-0x0000023B2C4D1000-memory.dmp

Filesize
4KB

Download
memory/5040-337-0x0000023B2C4D0000-0x0000023B2C4D1000-memory.dmp

Filesize
4KB

Download
memory/5040-332-0x0000023B2C380000-0x0000023B2C381000-memory.dmp

Filesize
4KB

Download
memory/5040-297-0x0000023B24050000-0x0000023B24060000-memory.dmp

Filesize
64KB

Download
memory/5040-339-0x0000023B2C4D0000-0x0000023B2C4D1000-memory.dmp

Filesize
4KB

Download
memory/5040-344-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-346-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-313-0x0000023B24150000-0x0000023B24160000-memory.dmp

Filesize
64KB

Download
memory/5040-348-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-347-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-345-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-343-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-336-0x0000023B2C4C0000-0x0000023B2C4C1000-memory.dmp

Filesize
4KB

Download
memory/5040-350-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-341-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-351-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-340-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-352-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-354-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-353-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-357-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-356-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-355-0x0000023B2C4F0000-0x0000023B2C4F1000-memory.dmp

Filesize
4KB

Download
memory/5040-360-0x0000023B2C510000-0x0000023B2C511000-memory.dmp

Filesize
4KB

Download
memory/5040-359-0x0000023B2C500000-0x0000023B2C501000-memory.dmp

Filesize
4KB

Download
memory/5040-358-0x0000023B2C500000-0x0000023B2C501000-memory.dmp

Filesize
4KB

Download
memory/5040-362-0x0000023B2C570000-0x0000023B2C571000-memory.dmp

Filesize
4KB

Download
memory/5040-361-0x0000023B2C570000-0x0000023B2C571000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads