dcrat | 7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Size

1.5MB
MD5

9999309dcb3eb9d4b42ad1515c3f5cd0
SHA1

f43f97d19fd1b686592e78619ba7a3152e480cef
SHA256

7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36
SHA512

0a36a29be1aef8482bd59ed339edfeda3b1ea7addefb06c48aa68dbd15094dfb12a08e64937527a76eeb38f2576fe9d0cb6209a56dc89be806aa9503824b8dc2
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\smartscreenps\\sihost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\smartscreenps\\sihost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\smartscreenps\\sihost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\SysmonDrv\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3276	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	3276	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3276	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3276	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	3276	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	3276	schtasks.exe	84

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4864	powershell.exe
720	powershell.exe
532	powershell.exe
212	powershell.exe
3812	powershell.exe
1480	powershell.exe
888	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 15 IoCs

pid	Process
2384	fontdrvhost.exe
972	fontdrvhost.exe
4200	fontdrvhost.exe
4020	fontdrvhost.exe
4884	fontdrvhost.exe
3128	fontdrvhost.exe
64	fontdrvhost.exe
2084	fontdrvhost.exe
3464	fontdrvhost.exe
2116	fontdrvhost.exe
2112	fontdrvhost.exe
4604	fontdrvhost.exe
1268	fontdrvhost.exe
4792	fontdrvhost.exe
1628	fontdrvhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\SysmonDrv\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\smartscreenps\\sihost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\SysmonDrv\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WofUtil\\fontdrvhost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\smartscreenps\\sihost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\WofUtil\5b884080fd4f94	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\System32\smartscreenps\sihost.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\System32\smartscreenps\66fc9ff0ee96c2	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\System32\WofUtil\RCX739B.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\System32\smartscreenps\RCX7A35.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\System32\smartscreenps\sihost.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\System32\WofUtil\fontdrvhost.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\System32\WofUtil\fontdrvhost.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\e6c9b481da804f	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX759F.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\RCX77B3.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysmonDrv\7a0fd90576e088	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\RCX7C3A.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\SysmonDrv\RCX7EAC.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\SysmonDrv\explorer.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c3	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\SysmonDrv\explorer.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3700	schtasks.exe
3252	schtasks.exe
848	schtasks.exe
3412	schtasks.exe
3960	schtasks.exe
4880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
888	powershell.exe
888	powershell.exe
3812	powershell.exe
3812	powershell.exe
212	powershell.exe
212	powershell.exe
1480	powershell.exe
1480	powershell.exe
888	powershell.exe
720	powershell.exe
720	powershell.exe
532	powershell.exe
532	powershell.exe
4864	powershell.exe
4864	powershell.exe
720	powershell.exe
3812	powershell.exe
1480	powershell.exe
212	powershell.exe
4864	powershell.exe
532	powershell.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
2384	fontdrvhost.exe
972	fontdrvhost.exe
972	fontdrvhost.exe
972	fontdrvhost.exe
972	fontdrvhost.exe
4200	fontdrvhost.exe
4200	fontdrvhost.exe
4200	fontdrvhost.exe
4200	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	2384	fontdrvhost.exe
Token: SeDebugPrivilege	972	fontdrvhost.exe
Token: SeDebugPrivilege	4200	fontdrvhost.exe
Token: SeDebugPrivilege	4020	fontdrvhost.exe
Token: SeDebugPrivilege	4884	fontdrvhost.exe
Token: SeDebugPrivilege	3128	fontdrvhost.exe
Token: SeDebugPrivilege	64	fontdrvhost.exe
Token: SeDebugPrivilege	2084	fontdrvhost.exe
Token: SeDebugPrivilege	3464	fontdrvhost.exe
Token: SeDebugPrivilege	2116	fontdrvhost.exe
Token: SeDebugPrivilege	2112	fontdrvhost.exe
Token: SeDebugPrivilege	4604	fontdrvhost.exe
Token: SeDebugPrivilege	1268	fontdrvhost.exe
Token: SeDebugPrivilege	4792	fontdrvhost.exe
Token: SeDebugPrivilege	1628	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 532	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	91
PID 3028 wrote to memory of 532	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	91
PID 3028 wrote to memory of 212	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	92
PID 3028 wrote to memory of 212	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	92
PID 3028 wrote to memory of 3812	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	93
PID 3028 wrote to memory of 3812	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	93
PID 3028 wrote to memory of 1480	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	94
PID 3028 wrote to memory of 1480	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	94
PID 3028 wrote to memory of 888	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	95
PID 3028 wrote to memory of 888	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	95
PID 3028 wrote to memory of 4864	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	96
PID 3028 wrote to memory of 4864	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	96
PID 3028 wrote to memory of 720	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	97
PID 3028 wrote to memory of 720	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	97
PID 3028 wrote to memory of 2976	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	105
PID 3028 wrote to memory of 2976	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	105
PID 2976 wrote to memory of 2640	2976	cmd.exe	107
PID 2976 wrote to memory of 2640	2976	cmd.exe	107
PID 2976 wrote to memory of 2384	2976	cmd.exe	108
PID 2976 wrote to memory of 2384	2976	cmd.exe	108
PID 2384 wrote to memory of 2280	2384	fontdrvhost.exe	109
PID 2384 wrote to memory of 2280	2384	fontdrvhost.exe	109
PID 2384 wrote to memory of 232	2384	fontdrvhost.exe	110
PID 2384 wrote to memory of 232	2384	fontdrvhost.exe	110
PID 2280 wrote to memory of 972	2280	WScript.exe	114
PID 2280 wrote to memory of 972	2280	WScript.exe	114
PID 972 wrote to memory of 5064	972	fontdrvhost.exe	115
PID 972 wrote to memory of 5064	972	fontdrvhost.exe	115
PID 972 wrote to memory of 1364	972	fontdrvhost.exe	116
PID 972 wrote to memory of 1364	972	fontdrvhost.exe	116
PID 5064 wrote to memory of 4200	5064	WScript.exe	120
PID 5064 wrote to memory of 4200	5064	WScript.exe	120
PID 4200 wrote to memory of 2760	4200	fontdrvhost.exe	121
PID 4200 wrote to memory of 2760	4200	fontdrvhost.exe	121
PID 4200 wrote to memory of 3700	4200	fontdrvhost.exe	122
PID 4200 wrote to memory of 3700	4200	fontdrvhost.exe	122
PID 2760 wrote to memory of 4020	2760	WScript.exe	123
PID 2760 wrote to memory of 4020	2760	WScript.exe	123
PID 4020 wrote to memory of 1576	4020	fontdrvhost.exe	124
PID 4020 wrote to memory of 1576	4020	fontdrvhost.exe	124
PID 4020 wrote to memory of 2416	4020	fontdrvhost.exe	125
PID 4020 wrote to memory of 2416	4020	fontdrvhost.exe	125
PID 1576 wrote to memory of 4884	1576	WScript.exe	128
PID 1576 wrote to memory of 4884	1576	WScript.exe	128
PID 4884 wrote to memory of 3660	4884	fontdrvhost.exe	129
PID 4884 wrote to memory of 3660	4884	fontdrvhost.exe	129
PID 4884 wrote to memory of 3572	4884	fontdrvhost.exe	130
PID 4884 wrote to memory of 3572	4884	fontdrvhost.exe	130
PID 3660 wrote to memory of 3128	3660	WScript.exe	131
PID 3660 wrote to memory of 3128	3660	WScript.exe	131
PID 3128 wrote to memory of 4720	3128	fontdrvhost.exe	132
PID 3128 wrote to memory of 4720	3128	fontdrvhost.exe	132
PID 3128 wrote to memory of 972	3128	fontdrvhost.exe	133
PID 3128 wrote to memory of 972	3128	fontdrvhost.exe	133
PID 4720 wrote to memory of 64	4720	WScript.exe	134
PID 4720 wrote to memory of 64	4720	WScript.exe	134
PID 64 wrote to memory of 4040	64	fontdrvhost.exe	135
PID 64 wrote to memory of 4040	64	fontdrvhost.exe	135
PID 64 wrote to memory of 2272	64	fontdrvhost.exe	136
PID 64 wrote to memory of 2272	64	fontdrvhost.exe	136
PID 4040 wrote to memory of 2084	4040	WScript.exe	137
PID 4040 wrote to memory of 2084	4040	WScript.exe	137
PID 2084 wrote to memory of 4552	2084	fontdrvhost.exe	138
PID 2084 wrote to memory of 4552	2084	fontdrvhost.exe	138

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
"C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WofUtil\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\smartscreenps\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysmonDrv\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UrWoh7dOMO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2640
- - C:\Windows\System32\WofUtil\fontdrvhost.exe
    "C:\Windows\System32\WofUtil\fontdrvhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2384
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f9c8ef2-323f-4cca-bc9e-769ecfb8c6eb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25e68fa1-70b3-46c0-86d9-0f699ce65785.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fbdcab0-3d2a-4aa8-a4b6-1ac67364eb88.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f491f0-76b8-4071-ac5e-167a0b2a8058.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4add2dca-c14d-4e0e-a15b-7d85fe10e161.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbe5be-ee23-4b9d-ad56-87cbfd359ed2.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:64
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49dbe796-c053-4eba-a5be-a2f3790a4d1d.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02125547-722c-4d7a-8766-ecd3c9b6d0ce.vbs"
        18⤵
        
        PID:4552
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681f9ec4-e6b7-4d39-9cc3-1bee1a2260eb.vbs"
        20⤵
        
        PID:1680
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a787a14b-71ce-4a4b-b5e1-142057dfa929.vbs"
        22⤵
        
        PID:4524
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e458720-e08a-4953-b9c3-0d0e1918c969.vbs"
        24⤵
        
        PID:3356
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa83d76-db32-4b46-b1a5-f33e87baa06f.vbs"
        26⤵
        
        PID:3112
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0a66897-6360-4302-80a6-071db9bef357.vbs"
        28⤵
        
        PID:2864
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb49e639-450e-48ac-be73-c9a49dee30e9.vbs"
        30⤵
        
        PID:5100
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        
        C:\Windows\System32\WofUtil\fontdrvhost.exe
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca6a02e-0ce3-4f69-b927-3c312ba6098a.vbs"
        32⤵
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95cbde67-00b8-497e-b91f-7a43a161837a.vbs"
        32⤵
        
        PID:3728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc42b84a-2766-4b89-b0fd-6c7c34d2ced6.vbs"
        30⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d6c1014-8a2c-49d1-9f20-4c93e9d7ecfb.vbs"
        28⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab9b06eb-f2b7-460f-bea1-dc81f80bbb4d.vbs"
        26⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6f53e30-ccba-43d8-8d64-05cddc24a970.vbs"
        24⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e9e9c2a-f200-482f-b921-7cb81d95a85f.vbs"
        22⤵
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15a8005d-4f7e-40b1-9d2e-7efec40ab92e.vbs"
        20⤵
        
        PID:3480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96780a98-f5de-4a17-a04d-9d27f8aec995.vbs"
        18⤵
        
        PID:3532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f03162a-9956-4240-9994-c8bcac45f5dd.vbs"
        16⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a371899b-a8f2-436e-af4a-2d5cb3c122e5.vbs"
        14⤵
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3116e7ef-45c3-48fe-ac7b-c98410f26f82.vbs"
        12⤵
        
        PID:3572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea7f933-6b2a-4dda-8901-f4347acb7efc.vbs"
        10⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce62380-cd97-4901-a223-c9a43b61a16b.vbs"
        8⤵
        
        PID:3700
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49b7a5d1-6e0a-4c6b-894f-407376caefe2.vbs"
        6⤵
        
        PID:1364
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a1e9aa5-1400-4fe0-898b-dc2bc99303cf.vbs"
      4⤵
      PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\WofUtil\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\smartscreenps\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysmonDrv\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\02125547-722c-4d7a-8766-ecd3c9b6d0ce.vbs

Filesize
719B

MD5
8e7f8a302d255ecee4bd04a01367f03f

SHA1
7fc719a541ba33eafa8779ad4f17a3ebb29cb470

SHA256
b1cb0afa7a9473fa22b59ff3099fb472a0a872f11077c0d77fc7c89dfa3b9572

SHA512
132953258d713055797470e3d896394e460308865891119a3f4f5ca44cee21c26e1366f3a9e607930e82b36cbe1c35af12a1e3a9f0112446f92edaea6d827f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f9c8ef2-323f-4cca-bc9e-769ecfb8c6eb.vbs

Filesize
719B

MD5
4234bf28290e5b95e088af1a58338273

SHA1
e343f51f4a29e8d5f2e533bc3fde66aa99b87fc5

SHA256
7110dca740d8f071d04dc591b41a3fc988dc5932b175852a94f71a8708abddbb

SHA512
23e6cb9cc4a46217497aa8558872c97344954b6a3efa8bc195c1b3dbcaad0aa7e9d60d5d7307109df52f643bb8ca6823b6ca6483405d1e5383c31594870e7283

Download Submit
C:\Users\Admin\AppData\Local\Temp\25e68fa1-70b3-46c0-86d9-0f699ce65785.vbs

Filesize
718B

MD5
dd365022092c4414fa283919d53e5058

SHA1
813d6c885ac1f6e82b47b45a9b7547fdc8669ecf

SHA256
259b2269ac62f0ff829d018c04749018e171f9d594d7b6969861f0691ef3b570

SHA512
f71a937c1e0ead2be0f8f68790e725e87f2213f62aa2ddff22a8d8fafdcce344907ca0298a2901bed9601d9bc5658e7a96913613fa8b20621424876b7ab40687

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fbdcab0-3d2a-4aa8-a4b6-1ac67364eb88.vbs

Filesize
719B

MD5
5024c0ca93a950b99a28dee7bd4d16fb

SHA1
e5ca05a8c20b02702cf5e99a5d169544dafd29f5

SHA256
68e2cf9f542d16b7c4ac96b991021fb11d697d74cb13933c9fe245a98306aa48

SHA512
083012455df21e68916c2c7087670877c12021d5f14b9c4b2f94dd3e3ecc32339d656fe39c1d64fb515042c2b4e730353f41a4fb0844fba8c95ad9db300a1924

Download Submit
C:\Users\Admin\AppData\Local\Temp\49dbe796-c053-4eba-a5be-a2f3790a4d1d.vbs

Filesize
717B

MD5
3d81fe32947c66ba20f55caefaebd504

SHA1
da45b884d9973e4c4e6cf54861cc6386d65ea781

SHA256
cc16d10db27ef58245dc3dcaee75f877337381404ea427dcfab40f3073f541d3

SHA512
ad199cb44392eb25c402369f2d41d0e1dd7add736bb85f25ba6bcb8cf620d8baf7690ef8d188f5a94e3b8ce1ec565d5d3b2172252cb40217a2d9b58840a5559c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4add2dca-c14d-4e0e-a15b-7d85fe10e161.vbs

Filesize
719B

MD5
7b0ff742b43c9184fa0c03ee954a4ec8

SHA1
f3431376cd98eef1029a5d66d712358966312659

SHA256
6e74caf55449340300e6469b656b586f39ce6c07ebbaf201136c84e96f248119

SHA512
2a83e6e69f14106300ffdad49adedfda1e63a3af524697796e7f9b80b938e6871c35de4389d9ec79093caa15fa305d9a62f80b00b4868df6ef5b75b76a47d8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\681f9ec4-e6b7-4d39-9cc3-1bee1a2260eb.vbs

Filesize
719B

MD5
eb94953f03f6ca26ffd562ee4e569073

SHA1
e9ded92c7bf0e3a4744220ea8f99d33e634ee201

SHA256
9fc2954fc449e7878a43aa3e1b4820feac07b3288dcb4ad3c60a9ddc9e19bbb9

SHA512
39057f254b3e1c75a842d8015437e96dd728b5cb2afc30ed5cd0064e0f70faecc7606e922763e8c1231c3f706284d93b1a2a90b7c855be467c566f4020f5f6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a1e9aa5-1400-4fe0-898b-dc2bc99303cf.vbs

Filesize
495B

MD5
fcf322ee0b2cb918266d4ac3d49dbae0

SHA1
38b64d3ebfac993aa9d105cbed4e76fc6c648572

SHA256
4dbcacd7ceca29f2e86a813839ade276e2df514c2bade8ecfd38cb16816dd3ee

SHA512
6266b65aa17e46bed54180af302999c94daeb21950fe6a76ab18c9ca72de090bfbe9fe25357369641c8909efd08e7d6eeb689e475f6293c3e81a0cf256dc4d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e458720-e08a-4953-b9c3-0d0e1918c969.vbs

Filesize
719B

MD5
226b436475f6d405cc351cbeb4c3a633

SHA1
2550d908173b98fe61dc00602300660dbc9eebd6

SHA256
e29a23301aa23900de3747d0e7e5827d984ff84a899c4b2455fee4a659ba12c4

SHA512
959ddd1586e3929dbe3c63defe4574accf757aa4f395dc4747003e06dab75e35e0242ce5165c861814166e78d10340b9ab1a98510b66b0fa5c4e974e9b655fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UrWoh7dOMO.bat

Filesize
207B

MD5
220cbb23a0dc6b3f7a73cb45b1d3618d

SHA1
67540852e7c2a521a39c52a4d6dcdc5e2443fa5c

SHA256
a99b7a4ebee90ff7f65bf3989fbc7815357a238176737317a7ab28c4c4602ee9

SHA512
47d3fe53af12da971dd0c630ad4638cb36a7b76f0fb52815b162fd8d2d4fb4832e65c1384173a51a86019fd8a832e4a73a565b7b7d3f60a0bd1c78115eba7d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggkuid2i.vw0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0a66897-6360-4302-80a6-071db9bef357.vbs

Filesize
719B

MD5
5085fc45847fcce0e57555f2c5c5d6d5

SHA1
7c0f8168718804d2d8589dd86e027ac9ace2926a

SHA256
c66db4da9f2b10491c6ad75b7a9e8cee2c8fed2a4293517467700ec5966afb14

SHA512
d3ca22b23ec90756585b34aa230e0a26a64aadba7aa56f2c96e88c01e2b323e1f4f070b003ed199258c3d0ad5fa7978d24448dfc0ea222ce15441ad821d8f57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a787a14b-71ce-4a4b-b5e1-142057dfa929.vbs

Filesize
719B

MD5
ae9d1bd83c21b70e504961ade7b82723

SHA1
49026662859c6672bf973929af85b258c16ad043

SHA256
f72f074a98a42b36f2d117bb2cc9178676640eaa8b74f23b1c4982707b4f5285

SHA512
da33cddc4b710f5d064391237ee3dce73f7277b608e8e9b44aeff6a9a9b5d9def86cc423815615c6068b9d98a5474dcfa41a81009d0fe06620f8df794e89a818

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb49e639-450e-48ac-be73-c9a49dee30e9.vbs

Filesize
719B

MD5
8297336ba838aa3193248af843e71b22

SHA1
90b4e765676da823e85e12c30fe5855010a6ad61

SHA256
1170bdcf212df2a43867f517ede81f9714f751f6ac962b9c05a2c6be39f370f1

SHA512
922087b7380ed17f75fc8afda0394c38a973fe198088aef6d281aa8a7ade1ac4c9b78b27b57d9deb964e2f2ae3d012f57e8fde8f05741cd22f0e3bcdfe386cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfa83d76-db32-4b46-b1a5-f33e87baa06f.vbs

Filesize
719B

MD5
e1702135c92f290e25132704195b465a

SHA1
f518485f3bca1b754788dafa1d063b9c06afe05b

SHA256
029195f884a622009e176141359be5a2bcfddee7a1144a2d09fbdc75702b8ca6

SHA512
4e5cb7b0e9f6d3d8469f85671e25045d88326c4090796bffd62d31db07d96222d5f95db9024d951fc0b8ef69ba03ec917d7ed47fea73b8c503976ca49524753e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4f491f0-76b8-4071-ac5e-167a0b2a8058.vbs

Filesize
719B

MD5
d32cd366f2667c37fcd29e0944acb23f

SHA1
ac867108e2745f0252dcc8e86a48210fc351c0df

SHA256
b3bbfbada4c7c26a23ea65dff589262ff87b6a53a1b77ceb87a8e304970a0a9b

SHA512
d8a30042d0f461b36341d9fd9a9e3123520fd0b913335c6fb6137f8fc7999597c9bb1de66bc3a0415f7afa4746d3dc7338596e75e13b8cc5c04b43f27d0c8d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4fbe5be-ee23-4b9d-ad56-87cbfd359ed2.vbs

Filesize
719B

MD5
95ec7bfe3240837febbc763cc70c926a

SHA1
a8c0433fcc47e9df6c91bd1bf84e0dd92697972f

SHA256
7dd75c03250038a1efd8af99b40e0b8754db8d06d1f474fb18d0b9b48ac69d82

SHA512
13bb3aaafca09b0d155a70f41c66717cde9c83ecc7e201616cc8fce485b7607e49a3c0f0ea75a23cd30e76c8fba0f81a0dcf70db68f29cd7269eb71996e2f1db

Download Submit
C:\Windows\System32\smartscreenps\RCX7A35.tmp

Filesize
1.5MB

MD5
ec822ac1b253a1065f48f24c91116e10

SHA1
365abc2269162b0a91474a56a028142ef112c156

SHA256
f2779b2fb5eb31f153eea5c89419a6dd66fc865d9d55814270ce25cebff9ab45

SHA512
8af8e2e5d532e5a3ad8c5862b9835d2516ddad5338a4d74c11a1cdc4bfc3d1d0b69b1ebe43a7349321d3de5544ace58be5943450d1e37379cb4720e5270f16f3

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe

Filesize
1.5MB

MD5
9999309dcb3eb9d4b42ad1515c3f5cd0

SHA1
f43f97d19fd1b686592e78619ba7a3152e480cef

SHA256
7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36

SHA512
0a36a29be1aef8482bd59ed339edfeda3b1ea7addefb06c48aa68dbd15094dfb12a08e64937527a76eeb38f2576fe9d0cb6209a56dc89be806aa9503824b8dc2

Download Submit
memory/64-240-0x0000000002630000-0x0000000002642000-memory.dmp

Filesize
72KB

Download
memory/888-90-0x00000297FE340000-0x00000297FE362000-memory.dmp

Filesize
136KB

Download
memory/972-182-0x0000000001550000-0x0000000001562000-memory.dmp

Filesize
72KB

Download
memory/2384-169-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/3028-14-0x000000001B070000-0x000000001B07C000-memory.dmp

Filesize
48KB

Download
memory/3028-7-0x000000001B000000-0x000000001B00C000-memory.dmp

Filesize
48KB

Download
memory/3028-25-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3028-24-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3028-21-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

Filesize
32KB

Download
memory/3028-16-0x000000001B090000-0x000000001B098000-memory.dmp

Filesize
32KB

Download
memory/3028-20-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/3028-18-0x000000001B7C0000-0x000000001B7C8000-memory.dmp

Filesize
32KB

Download
memory/3028-17-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

Filesize
48KB

Download
memory/3028-12-0x000000001B050000-0x000000001B058000-memory.dmp

Filesize
32KB

Download
memory/3028-13-0x000000001B060000-0x000000001B06A000-memory.dmp

Filesize
40KB

Download
memory/3028-1-0x0000000000340000-0x00000000004BE000-memory.dmp

Filesize
1.5MB

Download
memory/3028-0-0x00007FFBB9E73000-0x00007FFBB9E75000-memory.dmp

Filesize
8KB

Download
memory/3028-2-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3028-15-0x000000001B080000-0x000000001B08A000-memory.dmp

Filesize
40KB

Download
memory/3028-11-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/3028-10-0x000000001B030000-0x000000001B040000-memory.dmp

Filesize
64KB

Download
memory/3028-9-0x000000001B020000-0x000000001B02C000-memory.dmp

Filesize
48KB

Download
memory/3028-8-0x000000001B010000-0x000000001B018000-memory.dmp

Filesize
32KB

Download
memory/3028-95-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3028-6-0x000000001AFE0000-0x000000001AFEA000-memory.dmp

Filesize
40KB

Download
memory/3028-3-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/3028-4-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/3028-5-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

Filesize
48KB

Download
memory/4020-206-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/4200-194-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download