dcrat | 99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 17:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Size

2.6MB
MD5

0e65f6863a1d4b3584d72ebef0b41202
SHA1

77bd0890113173cc2cf2b2b686eaf6b73ad039d9
SHA256

99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c
SHA512

32d4d89115441bf1b50286a600fcdf733973c1e0119e5529abda55d6d52934ac701838db4f43d521667ea4f6bea10cb34089451e4e4e178e2960639c841ce386
SSDEEP

49152:TH09JSJJJRvUIbcMEDFcJ8jKV2glUxJU08GITXS42crt5/l:r0TOJRvUHM4yfqPxEXS42cH/l

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Vss\\Writers\\System\\csrss.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\", \"C:\\odt\\dllhost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\odt\\OfficeClickToRun.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4360	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4360	schtasks.exe	52

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3992-132-0x00000000007C0000-0x0000000000A64000-memory.dmp	dcrat
behavioral2/files/0x000d00000002171d-197.dat	dcrat
behavioral2/files/0x000d00000002171d-196.dat	dcrat
behavioral2/memory/1828-198-0x0000000000E20000-0x00000000010C4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1828	fontdrvhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\odt\\RuntimeBroker.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\MSBuild\\Microsoft\\sihost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\odt\\RuntimeBroker.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Vss\\Writers\\System\\csrss.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Vss\\Writers\\System\\csrss.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Java\\jdk1.8.0_66\\include\\win32\\WmiPrvSE.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Mail\\fontdrvhost.exe\""	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RuntimeBroker.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Windows Mail\RCX8C5A.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCX9279.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX9598.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX9625.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Windows Mail\RCX8CD8.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCX9307.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\RCX9C44.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9F53.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\sihost.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\services.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\WmiPrvSE.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RCXA261.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\WmiPrvSE.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\7a0fd90576e088	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Microsoft Office\Office16\c5b4cb5e9653cc	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\MSBuild\Microsoft\sihost.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\24dbde2999530e	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\RCX9BB6.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Windows Mail\fontdrvhost.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RCXA2FF.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Windows Mail\fontdrvhost.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\MSBuild\Microsoft\66fc9ff0ee96c2	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\9e8d7a4ca61bd9	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCX89D9.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9ED5.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Microsoft Office\Office16\services.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files\Windows Mail\5b884080fd4f94	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\RuntimeBroker.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCX895B.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\System\csrss.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File created	C:\Windows\Vss\Writers\System\886983d96e3d3e	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXA91C.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXA99A.tmp	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
File opened for modification	C:\Windows\Vss\Writers\System\csrss.exe	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3764	schtasks.exe
1644	schtasks.exe
3220	schtasks.exe
1444	schtasks.exe
4696	schtasks.exe
2056	schtasks.exe
1832	schtasks.exe
4132	schtasks.exe
4992	schtasks.exe
1980	schtasks.exe
1936	schtasks.exe
808	schtasks.exe
4300	schtasks.exe
360	schtasks.exe
2816	schtasks.exe
4476	schtasks.exe
3100	schtasks.exe
1796	schtasks.exe
3936	schtasks.exe
60	schtasks.exe
4408	schtasks.exe
3272	schtasks.exe
4252	schtasks.exe
2316	schtasks.exe
3168	schtasks.exe
2024	schtasks.exe
100	schtasks.exe
220	schtasks.exe
4384	schtasks.exe
4996	schtasks.exe
4764	schtasks.exe
692	schtasks.exe
3444	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	1828	fontdrvhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1560	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	121
PID 3992 wrote to memory of 1560	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	121
PID 3992 wrote to memory of 1420	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	122
PID 3992 wrote to memory of 1420	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	122
PID 3992 wrote to memory of 1552	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	123
PID 3992 wrote to memory of 1552	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	123
PID 3992 wrote to memory of 3108	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	125
PID 3992 wrote to memory of 3108	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	125
PID 3992 wrote to memory of 5044	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	130
PID 3992 wrote to memory of 5044	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	130
PID 3992 wrote to memory of 3216	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	129
PID 3992 wrote to memory of 3216	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	129
PID 3992 wrote to memory of 3320	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	144
PID 3992 wrote to memory of 3320	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	144
PID 3992 wrote to memory of 3948	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	143
PID 3992 wrote to memory of 3948	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	143
PID 3992 wrote to memory of 2064	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	142
PID 3992 wrote to memory of 2064	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	142
PID 3992 wrote to memory of 3256	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	134
PID 3992 wrote to memory of 3256	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	134
PID 3992 wrote to memory of 3484	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	135
PID 3992 wrote to memory of 3484	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	135
PID 3992 wrote to memory of 4760	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	136
PID 3992 wrote to memory of 4760	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	136
PID 3992 wrote to memory of 796	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	145
PID 3992 wrote to memory of 796	3992	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe	145
PID 796 wrote to memory of 4028	796	cmd.exe	147
PID 796 wrote to memory of 4028	796	cmd.exe	147
PID 796 wrote to memory of 1828	796	cmd.exe	148
PID 796 wrote to memory of 1828	796	cmd.exe	148

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe
"C:\Users\Admin\AppData\Local\Temp\99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\99538a6d43ec43d371b9051fac8040acc37c738d3b241bb018023b121c941e8c.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\services.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fontdrvhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\sihost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\include\win32\WmiPrvSE.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bhmG93G72.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4028
- - C:\Program Files\Windows Mail\fontdrvhost.exe
    "C:\Program Files\Windows Mail\fontdrvhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.8.0_66\include\win32\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\include\win32\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.8.0_66\include\win32\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\fontdrvhost.exe

Filesize
2.6MB

MD5
c291d79e0284f2e5fc8538cc0ec7d7d5

SHA1
a123da418cd4e2b984f8f93495870d0e5bd5ab8b

SHA256
498a2bd51a92501e4a055a267e975d3072b6f5921153219109c6b051e0c949b9

SHA512
106fb9e5b14626bfd2d8f528945139bd2d3644db3976f8ef8a9f4084411d12eb46799d73497be8db79fc8464070693cbfc8b64b3fed991e6d1534e6856dd6243

Download Submit
C:\Program Files\Windows Mail\fontdrvhost.exe

Filesize
2.6MB

MD5
c291d79e0284f2e5fc8538cc0ec7d7d5

SHA1
a123da418cd4e2b984f8f93495870d0e5bd5ab8b

SHA256
498a2bd51a92501e4a055a267e975d3072b6f5921153219109c6b051e0c949b9

SHA512
106fb9e5b14626bfd2d8f528945139bd2d3644db3976f8ef8a9f4084411d12eb46799d73497be8db79fc8464070693cbfc8b64b3fed991e6d1534e6856dd6243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bhmG93G72.bat

Filesize
210B

MD5
3e7742cdf6d5a4ee24f3dc1883a5e603

SHA1
a6119873fbd17f46ed6beb66d0650d2ef645b1f0

SHA256
eeb98ce0956bb00bf683c603200f93770344218c79ba1d33557ed86732d5ceba

SHA512
67cdb3bca8ba4e7f6cd5a5b6e54006d12d2a66a628fce2a8552a180f232fa462e0f11059bc3d9a42af0d447d1f359a0c33046aed2483fd78d1e099e75985ea82

Download Submit
memory/1420-159-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/1420-152-0x00000268B81E0000-0x00000268B8202000-memory.dmp

Filesize
136KB

Download
memory/1420-193-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/1552-184-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/1552-160-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/1560-170-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/1560-190-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/1828-203-0x000000001DFF4000-0x000000001DFF7000-memory.dmp

Filesize
12KB

Download
memory/1828-213-0x000000001DFF1000-0x000000001DFF6000-memory.dmp

Filesize
20KB

Download
memory/1828-224-0x000000001DFFB000-0x000000001DFFE000-memory.dmp

Filesize
12KB

Download
memory/1828-198-0x0000000000E20000-0x00000000010C4000-memory.dmp

Filesize
2.6MB

Download
memory/1828-225-0x000000001BC8A000-0x000000001BC8D000-memory.dmp

Filesize
12KB

Download
memory/1828-223-0x000000001DFF3000-0x000000001DFF6000-memory.dmp

Filesize
12KB

Download
memory/1828-199-0x00007FFD0AA00000-0x00007FFD0B4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-222-0x000000001BC85000-0x000000001BC88000-memory.dmp

Filesize
12KB

Download
memory/1828-221-0x000000001BC8A000-0x000000001BC8E000-memory.dmp

Filesize
16KB

Download
memory/1828-200-0x000000001BC89000-0x000000001BC8F000-memory.dmp

Filesize
24KB

Download
memory/1828-220-0x000000001DFF2000-0x000000001DFF6000-memory.dmp

Filesize
16KB

Download
memory/1828-219-0x000000001DFF1000-0x000000001DFF6000-memory.dmp

Filesize
20KB

Download
memory/1828-218-0x000000001DFFB000-0x000000001DFFE000-memory.dmp

Filesize
12KB

Download
memory/1828-217-0x000000001BC8A000-0x000000001BC8E000-memory.dmp

Filesize
16KB

Download
memory/1828-216-0x000000001DFFB000-0x000000001DFFE000-memory.dmp

Filesize
12KB

Download
memory/1828-202-0x000000001DFF0000-0x000000001DFF4000-memory.dmp

Filesize
16KB

Download
memory/1828-215-0x000000001BC85000-0x000000001BC88000-memory.dmp

Filesize
12KB

Download
memory/1828-214-0x000000001DFFC000-0x000000001DFFF000-memory.dmp

Filesize
12KB

Download
memory/1828-204-0x00007FFD0AA00000-0x00007FFD0B4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-212-0x000000001DFF7000-0x000000001DFFC000-memory.dmp

Filesize
20KB

Download
memory/1828-211-0x000000001BC8A000-0x000000001BC8E000-memory.dmp

Filesize
16KB

Download
memory/1828-206-0x000000001DFF7000-0x000000001DFFC000-memory.dmp

Filesize
20KB

Download
memory/1828-210-0x000000001DFFB000-0x000000001DFFE000-memory.dmp

Filesize
12KB

Download
memory/1828-209-0x000000001DFFC000-0x000000001DFFF000-memory.dmp

Filesize
12KB

Download
memory/1828-208-0x000000001DFF4000-0x000000001DFF7000-memory.dmp

Filesize
12KB

Download
memory/1828-205-0x000000001BC89000-0x000000001BC8F000-memory.dmp

Filesize
24KB

Download
memory/1828-207-0x000000001DFF0000-0x000000001DFF4000-memory.dmp

Filesize
16KB

Download
memory/2064-188-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/2064-167-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3108-185-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3108-161-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3216-192-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3216-164-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3256-187-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3256-169-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3320-165-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3320-191-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3484-189-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3948-186-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3948-166-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3992-132-0x00000000007C0000-0x0000000000A64000-memory.dmp

Filesize
2.6MB

Download
memory/3992-157-0x000000001DC84000-0x000000001DC87000-memory.dmp

Filesize
12KB

Download
memory/3992-139-0x000000001DC87000-0x000000001DC8A000-memory.dmp

Filesize
12KB

Download
memory/3992-138-0x000000001DC84000-0x000000001DC87000-memory.dmp

Filesize
12KB

Download
memory/3992-137-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3992-136-0x000000001DC80000-0x000000001DC84000-memory.dmp

Filesize
16KB

Download
memory/3992-133-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3992-156-0x000000001DC80000-0x000000001DC84000-memory.dmp

Filesize
16KB

Download
memory/3992-158-0x000000001DC87000-0x000000001DC8A000-memory.dmp

Filesize
12KB

Download
memory/3992-135-0x00000000011F9000-0x00000000011FF000-memory.dmp

Filesize
24KB

Download
memory/3992-154-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/3992-134-0x000000001D110000-0x000000001D638000-memory.dmp

Filesize
5.2MB

Download
memory/3992-155-0x00000000011F9000-0x00000000011FF000-memory.dmp

Filesize
24KB

Download
memory/4760-171-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/4760-201-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/5044-194-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download
memory/5044-162-0x00007FFD0A740000-0x00007FFD0B201000-memory.dmp

Filesize
10.8MB

Download