dcrat | 03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Size

1.5MB
MD5

809d07e665342266dbea6c6017c021f8
SHA1

4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1
SHA256

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26
SHA512

69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1900	schtasks.exe
		3184	schtasks.exe
		5080	schtasks.exe
		4296	schtasks.exe
		744	schtasks.exe
		3672	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\Registry.exe\", \"C:\\Windows\\System32\\dmusic\\winlogon.exe\", \"C:\\Windows\\System32\\SortServer2003Compat\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinSyncProviders\\dwm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\Registry.exe\", \"C:\\Windows\\System32\\dmusic\\winlogon.exe\", \"C:\\Windows\\System32\\SortServer2003Compat\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinSyncProviders\\dwm.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\Registry.exe\", \"C:\\Windows\\System32\\dmusic\\winlogon.exe\", \"C:\\Windows\\System32\\SortServer2003Compat\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinSyncProviders\\dwm.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\Windows\\Fonts\\fontdrvhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\Registry.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\Registry.exe\", \"C:\\Windows\\System32\\dmusic\\winlogon.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\Registry.exe\", \"C:\\Windows\\System32\\dmusic\\winlogon.exe\", \"C:\\Windows\\System32\\SortServer2003Compat\\fontdrvhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3108	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3108	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3108	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3108	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3108	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3108	schtasks.exe	82

UAC bypass 3 TTPs 51 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4900	powershell.exe
4916	powershell.exe
2208	powershell.exe
1336	powershell.exe
3164	powershell.exe
2556	powershell.exe
3844	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Executes dropped EXE 16 IoCs

pid	Process
4440	fontdrvhost.exe
2652	fontdrvhost.exe
1528	fontdrvhost.exe
1740	fontdrvhost.exe
3656	fontdrvhost.exe
1348	fontdrvhost.exe
5096	fontdrvhost.exe
1680	fontdrvhost.exe
3496	fontdrvhost.exe
1108	fontdrvhost.exe
3860	fontdrvhost.exe
2736	fontdrvhost.exe
2268	fontdrvhost.exe
3504	fontdrvhost.exe
2492	fontdrvhost.exe
4528	fontdrvhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SortServer2003Compat\\fontdrvhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\WinSyncProviders\\dwm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default\\Favorites\\TextInputHost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default\\Favorites\\TextInputHost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Fonts\\fontdrvhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Fonts\\fontdrvhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\dmusic\\winlogon.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\Templates\\Registry.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\dmusic\\winlogon.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SortServer2003Compat\\fontdrvhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\WinSyncProviders\\dwm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\Templates\\Registry.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SortServer2003Compat\RCXB3E2.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\dmusic\RCXB1DD.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\dmusic\winlogon.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\dmusic\winlogon.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\dmusic\cc11b995f2a76d	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\SortServer2003Compat\5b884080fd4f94	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\WinSyncProviders\dwm.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\WinSyncProviders\6cb0b6c459d5d3	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\WinSyncProviders\RCXB5E6.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\WinSyncProviders\dwm.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\fontdrvhost.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\Fonts\5b884080fd4f94	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\Fonts\RCXB9F0.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\Fonts\fontdrvhost.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1900	schtasks.exe
3184	schtasks.exe
5080	schtasks.exe
4296	schtasks.exe
744	schtasks.exe
3672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2556	powershell.exe
3844	powershell.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2208	powershell.exe
4916	powershell.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2556	powershell.exe
4900	powershell.exe
1336	powershell.exe
4900	powershell.exe
3164	powershell.exe
3844	powershell.exe
4916	powershell.exe
4916	powershell.exe
1336	powershell.exe
1336	powershell.exe
2208	powershell.exe
2208	powershell.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3164	powershell.exe
3164	powershell.exe
3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe
4440	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	4440	fontdrvhost.exe
Token: SeDebugPrivilege	2652	fontdrvhost.exe
Token: SeDebugPrivilege	1528	fontdrvhost.exe
Token: SeDebugPrivilege	1740	fontdrvhost.exe
Token: SeDebugPrivilege	3656	fontdrvhost.exe
Token: SeDebugPrivilege	1348	fontdrvhost.exe
Token: SeDebugPrivilege	5096	fontdrvhost.exe
Token: SeDebugPrivilege	1680	fontdrvhost.exe
Token: SeDebugPrivilege	3496	fontdrvhost.exe
Token: SeDebugPrivilege	1108	fontdrvhost.exe
Token: SeDebugPrivilege	3860	fontdrvhost.exe
Token: SeDebugPrivilege	2736	fontdrvhost.exe
Token: SeDebugPrivilege	2268	fontdrvhost.exe
Token: SeDebugPrivilege	3504	fontdrvhost.exe
Token: SeDebugPrivilege	2492	fontdrvhost.exe
Token: SeDebugPrivilege	4528	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 3164	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	91
PID 3708 wrote to memory of 3164	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	91
PID 3708 wrote to memory of 2556	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	92
PID 3708 wrote to memory of 2556	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	92
PID 3708 wrote to memory of 3844	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	93
PID 3708 wrote to memory of 3844	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	93
PID 3708 wrote to memory of 4900	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	94
PID 3708 wrote to memory of 4900	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	94
PID 3708 wrote to memory of 4916	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	95
PID 3708 wrote to memory of 4916	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	95
PID 3708 wrote to memory of 2208	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	96
PID 3708 wrote to memory of 2208	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	96
PID 3708 wrote to memory of 1336	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	97
PID 3708 wrote to memory of 1336	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	97
PID 3708 wrote to memory of 4440	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	105
PID 3708 wrote to memory of 4440	3708	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	105
PID 4440 wrote to memory of 888	4440	fontdrvhost.exe	106
PID 4440 wrote to memory of 888	4440	fontdrvhost.exe	106
PID 4440 wrote to memory of 1164	4440	fontdrvhost.exe	107
PID 4440 wrote to memory of 1164	4440	fontdrvhost.exe	107
PID 888 wrote to memory of 2652	888	WScript.exe	119
PID 888 wrote to memory of 2652	888	WScript.exe	119
PID 2652 wrote to memory of 1568	2652	fontdrvhost.exe	120
PID 2652 wrote to memory of 1568	2652	fontdrvhost.exe	120
PID 2652 wrote to memory of 4532	2652	fontdrvhost.exe	121
PID 2652 wrote to memory of 4532	2652	fontdrvhost.exe	121
PID 1568 wrote to memory of 1528	1568	WScript.exe	122
PID 1568 wrote to memory of 1528	1568	WScript.exe	122
PID 1528 wrote to memory of 2876	1528	fontdrvhost.exe	123
PID 1528 wrote to memory of 2876	1528	fontdrvhost.exe	123
PID 1528 wrote to memory of 1940	1528	fontdrvhost.exe	124
PID 1528 wrote to memory of 1940	1528	fontdrvhost.exe	124
PID 2876 wrote to memory of 1740	2876	WScript.exe	127
PID 2876 wrote to memory of 1740	2876	WScript.exe	127
PID 1740 wrote to memory of 4696	1740	fontdrvhost.exe	128
PID 1740 wrote to memory of 4696	1740	fontdrvhost.exe	128
PID 1740 wrote to memory of 2624	1740	fontdrvhost.exe	129
PID 1740 wrote to memory of 2624	1740	fontdrvhost.exe	129
PID 4696 wrote to memory of 3656	4696	WScript.exe	131
PID 4696 wrote to memory of 3656	4696	WScript.exe	131
PID 3656 wrote to memory of 460	3656	fontdrvhost.exe	132
PID 3656 wrote to memory of 460	3656	fontdrvhost.exe	132
PID 3656 wrote to memory of 3452	3656	fontdrvhost.exe	133
PID 3656 wrote to memory of 3452	3656	fontdrvhost.exe	133
PID 460 wrote to memory of 1348	460	WScript.exe	134
PID 460 wrote to memory of 1348	460	WScript.exe	134
PID 1348 wrote to memory of 3936	1348	fontdrvhost.exe	135
PID 1348 wrote to memory of 3936	1348	fontdrvhost.exe	135
PID 1348 wrote to memory of 4404	1348	fontdrvhost.exe	136
PID 1348 wrote to memory of 4404	1348	fontdrvhost.exe	136
PID 3936 wrote to memory of 5096	3936	WScript.exe	137
PID 3936 wrote to memory of 5096	3936	WScript.exe	137
PID 5096 wrote to memory of 1668	5096	fontdrvhost.exe	138
PID 5096 wrote to memory of 1668	5096	fontdrvhost.exe	138
PID 5096 wrote to memory of 3884	5096	fontdrvhost.exe	139
PID 5096 wrote to memory of 3884	5096	fontdrvhost.exe	139
PID 1668 wrote to memory of 1680	1668	WScript.exe	140
PID 1668 wrote to memory of 1680	1668	WScript.exe	140
PID 1680 wrote to memory of 4624	1680	fontdrvhost.exe	141
PID 1680 wrote to memory of 4624	1680	fontdrvhost.exe	141
PID 1680 wrote to memory of 3048	1680	fontdrvhost.exe	142
PID 1680 wrote to memory of 3048	1680	fontdrvhost.exe	142
PID 4624 wrote to memory of 3496	4624	WScript.exe	143
PID 4624 wrote to memory of 3496	4624	WScript.exe	143

System policy modification 1 TTPs 51 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
"C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dmusic\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WinSyncProviders\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
  "C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5c8823b-739a-4744-8910-926f0b1680db.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
      C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2be982f3-5412-4ebd-8bad-c5b6be3caa85.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43826bd-93a0-40bc-92bd-b24f029fb8b5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43f4893c-5bff-4833-8a30-20c41b76d33b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aa9b38d-4490-4853-a322-9c1f19874070.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea4e38c4-6698-47db-8ac4-40545cc75d54.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562b324c-7175-44ac-b26a-291c0fae17b2.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f07bc1d0-dc94-45cf-84a3-0c1cd5346824.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43740e8f-c707-4eb1-b1ea-ee4f8e2fb1fc.vbs"
        19⤵
        
        PID:3268
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d02227-3d72-4c65-8ecf-fac9f3991fb4.vbs"
        21⤵
        
        PID:4248
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a50b22-5c9e-4d36-88b6-0cadef8a1aee.vbs"
        23⤵
        
        PID:2400
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c51b770-7645-4aa4-9c9b-6e0883ee4d71.vbs"
        25⤵
        
        PID:2328
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\569d6959-bc75-43fb-8776-5e4cab15126d.vbs"
        27⤵
        
        PID:4556
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68879530-ebac-4ce5-9e82-669ec702a981.vbs"
        29⤵
        
        PID:3688
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b29cf5a6-b40b-4f11-9424-7b61819d516e.vbs"
        31⤵
        
        PID:3616
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        
        C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9699685-96a5-4dc7-9375-2d35ac8ab21e.vbs"
        33⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed1ed3c-6ef6-46e2-9624-3048663dde7e.vbs"
        33⤵
        
        PID:3824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0314a91e-538e-4cbe-9ede-f15378442801.vbs"
        31⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c33b037-6857-452a-ae3e-7d33b3caf093.vbs"
        29⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aa384cb-ae11-4931-a0a4-7bf889a74a54.vbs"
        27⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9900e991-f6c5-4d3f-aa1a-7df11533ce3e.vbs"
        25⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a962450e-72ce-4ed9-90a4-a75e171e63df.vbs"
        23⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f577ab76-68bc-4947-9415-8a8d94e736e4.vbs"
        21⤵
        
        PID:4824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a99f2d-49ca-4931-a227-d50749b4f5aa.vbs"
        19⤵
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\479dd0df-3d6c-49cd-87cc-205eaeb83c78.vbs"
        17⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0a4acf0-1b24-4e86-9fbf-b0b37c14d245.vbs"
        15⤵
        
        PID:3884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecec4918-1886-4daa-840c-0b27ac9bfc03.vbs"
        13⤵
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34579d23-9985-4ed1-be7e-0cde90f04821.vbs"
        11⤵
        
        PID:3452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e6adeb0-ec6e-4bda-9d89-93533133639e.vbs"
        9⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9da6e88a-59d3-4b5d-a486-4276f0c69b09.vbs"
        7⤵
        
        PID:1940
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03807b98-ac06-4b62-82c3-ff0767c50725.vbs"
        5⤵
        
        PID:4532
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\193d7c00-ee28-4cb4-8c8d-4a52c05526be.vbs"
    3⤵
    PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ProgramData\Templates\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\dmusic\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\SortServer2003Compat\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WinSyncProviders\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\01a50b22-5c9e-4d36-88b6-0cadef8a1aee.vbs

Filesize
732B

MD5
f2d9a77f796370726cdb522d0f543e54

SHA1
df05ffa0c56c9de9e0deb4c0430511c80719528a

SHA256
9f1ee4854e103635890bac353ce3af29bc5c123018a61f0b94a4951abb315306

SHA512
82fe004823acbd4ac10306516ded141e133e744f92c7a484c2478b8e3c2774d353d5e45c562859d2b42f6bfc689c10f35253ccd5d56eec6f03165ae3cadbfa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aa9b38d-4490-4853-a322-9c1f19874070.vbs

Filesize
732B

MD5
d57fcfbe0279123457ba7da79f7296ac

SHA1
7f6d7eed6db1d9b3edc1fd0d20de0278a431df33

SHA256
5d9b31d9517053e35fe0364136a56072ff681a75e6f7ba1327b8321c6f0652d2

SHA512
0d30e6bca0c3a5c200b135f502b89a560fa195c6d2a3f490f6dad9f9be766c9fa62a085beff206e721ddb3ce3dedc954bc9e2a3fed63809d94d7bb7886d904ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\193d7c00-ee28-4cb4-8c8d-4a52c05526be.vbs

Filesize
508B

MD5
0068672f11f9d01753e3aa42db1d11b3

SHA1
02004595ad63c5f78113ecdaf62bbffd9b694de9

SHA256
cf857f3cfdabc3a5bd78f922d0df12281f541e677b5c77711dde48e6266cbcf1

SHA512
001438e063e0bb85dc674d7a30f14393a7fd045cfbcc3e60b0f5d68d2b6f79d073478ec192f71c19f3731afdb7f0f851f8668ba801a1b80362e3ef254ca952ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2be982f3-5412-4ebd-8bad-c5b6be3caa85.vbs

Filesize
732B

MD5
21e69335276c3a0bfb47ffd276f5a1a5

SHA1
af5d2ba40885486abe037a67a611280a6024aecd

SHA256
09fa7397fcaf33177547d7c23a5f11f88d2dbee76e141d41634bc0ad3f5ae9a0

SHA512
126b5444902d21859c3e523a741b68c32dbd00c5aa31ad08ca0ba07f060837529f271f2803c1c3cd299f98d42ff54ca24e8534d2fc83b725158adc9c224ecd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\43740e8f-c707-4eb1-b1ea-ee4f8e2fb1fc.vbs

Filesize
732B

MD5
1f61361ef66bb43962a49b523cc09c54

SHA1
1a8e393eddf2f7e0b920616c6a3c9b7e9fccd749

SHA256
3bf13e541efac806bf92576d9d9be46000eda6b4d9e18a8f1e464a62aee95f04

SHA512
dfcb0049dba09e41158977e6d18419c780be498b243536ed012f99742c4a69b9dd9545265ba871cdcbf5fa774a04833d381a7f9e04ce9b10d6e7bb7315f75016

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f4893c-5bff-4833-8a30-20c41b76d33b.vbs

Filesize
732B

MD5
55e1798c781d5efb766994996a54d2fc

SHA1
622121488e1939087858654564641168f6bef00c

SHA256
575fdd4e340da3ec3496cf33a5c41afa94c9ac105559a261529b0bb9588e301c

SHA512
dc818c41802c8b6fb1fe34972b222701532e82d5c85311a8598e372c6d08fa5a8f83afb04f27bca73fcfbdfe495d8924ba82fff66ad207818e4b1b5626e08786

Download Submit
C:\Users\Admin\AppData\Local\Temp\562b324c-7175-44ac-b26a-291c0fae17b2.vbs

Filesize
732B

MD5
1965d31a5d2b420a3a0b2b8e07e2785e

SHA1
0c36189831a822703c45c059f9aeeb1f752f26db

SHA256
8b63a935398277e8976f12e52b45276c7a3f86722345965cb0dd57bd1ed845d4

SHA512
a1bc4d064fcefdb7e5c989285efba1b9dea27e7882ea2c1517555e8d086749d4c3d5e578f00447bd3035f8900f91f6c3b8d2b3a29c1379cd93d83291b3f2eaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\569d6959-bc75-43fb-8776-5e4cab15126d.vbs

Filesize
732B

MD5
15fb975b2d800068b516f8271ef4767d

SHA1
d10baffb37f85243337a5ef220a30171ee753519

SHA256
eb09d4b296147d52047a9da322bd601ca0f5f61323b47c501ad461958bc36ff7

SHA512
ca6d74cda0a32548e17728c95561c4aaa2f413bb61876b235e80dacd5d0ad8426d3f84b263ad220d9c5b67b0b4946b13ef4f54bc9bd44146970a2662f34a1e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\68879530-ebac-4ce5-9e82-669ec702a981.vbs

Filesize
732B

MD5
70cf2daa8a324f0c3bd22ceed31671d6

SHA1
f2c6861b02a05c0f31bf471265c3c2de90cb94fe

SHA256
fb9ab3cfc54ae30b59935d129c0d233e1937c9a7ea9731af362e4e8a4b8d1a4d

SHA512
738d25a0be502c542af4f4763df59cfe1c8bf0a2211c9fac939cf096c490dfbb5aa8774724cabd7d804ae255aaf4c771a989c857edde695b64e31e37a1a79fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c51b770-7645-4aa4-9c9b-6e0883ee4d71.vbs

Filesize
732B

MD5
05be38e3b4e554f661e9334ca1fdae9d

SHA1
d069e29d281141df513bfbe648d6e2b0279fa437

SHA256
13558e103f2b0e7258002eecab1a51712082765e0ea2df2068fce08691be74d5

SHA512
ce2be9062e88aab87cdf4488a9e0c79b84c33c97f9f0936a5e5c071ce24005f9183b8e10ff7963a9153f898b5a571d6daa53867682f1d9aa1b3f41d044e81a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in1q2s22.gtx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1d02227-3d72-4c65-8ecf-fac9f3991fb4.vbs

Filesize
732B

MD5
645243fed5e8c2f985b3739029ad6e78

SHA1
b1f9683ade07864d0872ebb93cecbf65a237e072

SHA256
0f0c7ce135d02aee6494d49486328018b4de17293d22c3559fe04e9d0e5813fd

SHA512
b750a68d1c212fae18a2ce205769280aa94be08e15be9fe0c3d78ec3f36abfc320b7341b75a2d1696fb6203a609beb99fbcbc0a1b6b352cdaa8977ddac2551f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5c8823b-739a-4744-8910-926f0b1680db.vbs

Filesize
732B

MD5
bd573ddc9f8ade2d87dbcff0cc0e6faf

SHA1
391676d069e2e8d225b256d134c9ae1c10a9ab2e

SHA256
a438e339c081a3c2576ace23808eb73118049ebc1157eef76c379c3a4bea6d97

SHA512
2c1ae8326444ef60c7583b2e7b9a090e8b02f3e5d49de689b28d67b8ecf334610034874c2e4ae315e15a7f7732b3b6d525d237e03a5a13d954615cf017f81749

Download Submit
C:\Users\Admin\AppData\Local\Temp\e43826bd-93a0-40bc-92bd-b24f029fb8b5.vbs

Filesize
732B

MD5
e5f8bb74f3c6fa907a10a303ac522262

SHA1
aef183def39706f6aa7172d5e80b1fea603ceff3

SHA256
03ae906d75da6e979605aaef21d0fe56262cf4bd12fc93fe41c1deb19e714b7a

SHA512
dde7295e8c03920843625c7c658f9c59879145039bcc9db4005ccd1cdc0d583059d27dd07712105a576f00674e807076bc9a4ce08febed01206a3f9d06213713

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea4e38c4-6698-47db-8ac4-40545cc75d54.vbs

Filesize
732B

MD5
1c19a614e679c1805485827f5aeabaa1

SHA1
4f81ccf36ee454257a1c43da16a34486b113519d

SHA256
626ac8eb7f7b8ceb1b7925b278bde3017f34bd20f589600b4ed6c4a11eae41c8

SHA512
5ae077dab99497aaac0739bbdd9a99e6583fc3e714a31f5dff56f0bd3cbae1bd1de83e38c4465ffbdf61437fa7191e3c01a5cd8e4bef5ae01c4fdbb7178c135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f07bc1d0-dc94-45cf-84a3-0c1cd5346824.vbs

Filesize
732B

MD5
009ed0ab32af8d72bc2c1905cacd397b

SHA1
f3e945dedf9b8ea93572e25271db451ad1ca7951

SHA256
e4b33e4dde4d5bf66a325ffa0c506c6d7424e6013ad0c8f294fd40afdde2749f

SHA512
7cb2ea1ff12d139db7a21ec06637b091ef2ea0d7cc814ec2f24b62597743482e6ff5be170fc09a0cca2ca4500fe0ff477a5b7fa73ccd3b5b7f3b68e5ba5ce68b

Download Submit
C:\Users\Default\Favorites\TextInputHost.exe

Filesize
1.5MB

MD5
809d07e665342266dbea6c6017c021f8

SHA1
4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1

SHA256
03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

SHA512
69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec

Download Submit
memory/1348-277-0x00000000017C0000-0x00000000017D2000-memory.dmp

Filesize
72KB

Download
memory/2736-345-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/3656-265-0x00000000031F0000-0x0000000003202000-memory.dmp

Filesize
72KB

Download
memory/3708-13-0x000000001B140000-0x000000001B14A000-memory.dmp

Filesize
40KB

Download
memory/3708-0-0x00007FFFE6FD3000-0x00007FFFE6FD5000-memory.dmp

Filesize
8KB

Download
memory/3708-1-0x0000000000430000-0x00000000005AE000-memory.dmp

Filesize
1.5MB

Download
memory/3708-25-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/3708-2-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/3708-24-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/3708-21-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/3708-20-0x000000001B1B0000-0x000000001B1BC000-memory.dmp

Filesize
48KB

Download
memory/3708-18-0x000000001B1A0000-0x000000001B1A8000-memory.dmp

Filesize
32KB

Download
memory/3708-17-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/3708-16-0x000000001B170000-0x000000001B178000-memory.dmp

Filesize
32KB

Download
memory/3708-15-0x000000001B160000-0x000000001B16A000-memory.dmp

Filesize
40KB

Download
memory/3708-14-0x000000001B150000-0x000000001B15C000-memory.dmp

Filesize
48KB

Download
memory/3708-205-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/3708-12-0x000000001B130000-0x000000001B138000-memory.dmp

Filesize
32KB

Download
memory/3708-11-0x000000001B120000-0x000000001B130000-memory.dmp

Filesize
64KB

Download
memory/3708-10-0x000000001B110000-0x000000001B120000-memory.dmp

Filesize
64KB

Download
memory/3708-3-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/3708-9-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/3708-8-0x000000001B0F0000-0x000000001B0F8000-memory.dmp

Filesize
32KB

Download
memory/3708-7-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/3708-6-0x000000001B0C0000-0x000000001B0CA000-memory.dmp

Filesize
40KB

Download
memory/3708-5-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/3708-4-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/3844-150-0x0000011A28300000-0x0000011A28322000-memory.dmp

Filesize
136KB

Download
memory/4440-213-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/5096-289-0x0000000001980000-0x0000000001992000-memory.dmp

Filesize
72KB

Download