dcrat | 1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ff

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Size

1.5MB
MD5

d783e97b37584c63b3b45c382b22a000
SHA1

6c3c4b8a5081304166c0a3c53930164efc09afac
SHA256

1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ff
SHA512

683396235092e51403f8699e59f7561924575116ec239fe148f321f98c8ddc31faf87c58e620fd202b1a4b49b46a0d3bcbd875ebbecabea2dcc878f34bae717d
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3752	schtasks.exe
		3804	schtasks.exe
		3252	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
		2400	schtasks.exe
		5020	schtasks.exe
		4172	schtasks.exe
		184	schtasks.exe
		3416	schtasks.exe
		4728	schtasks.exe
		4704	schtasks.exe
		3212	schtasks.exe
		2560	schtasks.exe
		1356	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\NarratorControlTemplates\\fontdrvhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\NarratorControlTemplates\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\wininit.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\NarratorControlTemplates\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\wininit.exe\", \"C:\\Windows\\System32\\wbem\\filetrace\\unsecapp.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\", \"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\", \"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\NarratorControlTemplates\\fontdrvhost.exe\", \"C:\\Windows\\AppReadiness\\wininit.exe\", \"C:\\Windows\\System32\\wbem\\filetrace\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\conhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3572	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3572	schtasks.exe	82

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5108	powershell.exe
1008	powershell.exe
1560	powershell.exe
3292	powershell.exe
1524	powershell.exe
2424	powershell.exe
4204	powershell.exe
1812	powershell.exe
2100	powershell.exe
2700	powershell.exe
5040	powershell.exe
716	powershell.exe
1788	powershell.exe
4460	powershell.exe
3880	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Executes dropped EXE 13 IoCs

pid	Process
1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2632	fontdrvhost.exe
768	fontdrvhost.exe
2144	fontdrvhost.exe
1372	fontdrvhost.exe
112	fontdrvhost.exe
516	fontdrvhost.exe
3024	fontdrvhost.exe
2912	fontdrvhost.exe
1856	fontdrvhost.exe
4196	fontdrvhost.exe
5116	fontdrvhost.exe
1852	fontdrvhost.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\KBDSORST\\SppExtComObj.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\NarratorControlTemplates\\fontdrvhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\filetrace\\unsecapp.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\conhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\conhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\Speech_OneCore\\Engines\\SppExtComObj.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\StructuredQuery\\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\ModemLogs\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\AppReadiness\\wininit.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\filetrace\\unsecapp.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\RepoMan\\OfficeClickToRun.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\NarratorControlTemplates\\fontdrvhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\AppReadiness\\wininit.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\KBDSORST\e1ef82546f0b02	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\NarratorControlTemplates\5b884080fd4f94	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\wbem\filetrace\unsecapp.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\System32\wbem\filetrace\unsecapp.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\KBDSORST\SppExtComObj.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\System32\KBDSORST\SppExtComObj.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\wbem\filetrace\29c1c3cc0f7685	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\System32\KBDSORST\RCXA8D8.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan\OfficeClickToRun.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan\e6c9b481da804f	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan\RCXB261.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan\OfficeClickToRun.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\SppExtComObj.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\ModemLogs\StartMenuExperienceHost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\ModemLogs\55b276f4edf653	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\55b276f4edf653	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\ModemLogs\RCXAFDF.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\ModemLogs\StartMenuExperienceHost.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\AppReadiness\56085415360792	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\Speech_OneCore\Engines\e1ef82546f0b02	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\RCXA451.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SppExtComObj.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\RCXAD5E.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\AppReadiness\wininit.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\AppReadiness\wininit.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2400	schtasks.exe
4704	schtasks.exe
184	schtasks.exe
3804	schtasks.exe
4172	schtasks.exe
3212	schtasks.exe
1356	schtasks.exe
4728	schtasks.exe
3416	schtasks.exe
3252	schtasks.exe
3752	schtasks.exe
5020	schtasks.exe
2560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
1788	powershell.exe
1788	powershell.exe
1524	powershell.exe
1524	powershell.exe
1560	powershell.exe
1560	powershell.exe
5108	powershell.exe
5108	powershell.exe
2700	powershell.exe
2700	powershell.exe
3292	powershell.exe
3292	powershell.exe
2424	powershell.exe
2424	powershell.exe
716	powershell.exe
716	powershell.exe
1008	powershell.exe
1008	powershell.exe
2100	powershell.exe
2100	powershell.exe
5108	powershell.exe
1008	powershell.exe
2424	powershell.exe
2100	powershell.exe
1788	powershell.exe
1524	powershell.exe
1560	powershell.exe
3292	powershell.exe
2700	powershell.exe
716	powershell.exe
1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2632	fontdrvhost.exe
Token: SeDebugPrivilege	768	fontdrvhost.exe
Token: SeDebugPrivilege	2144	fontdrvhost.exe
Token: SeDebugPrivilege	1372	fontdrvhost.exe
Token: SeDebugPrivilege	112	fontdrvhost.exe
Token: SeDebugPrivilege	516	fontdrvhost.exe
Token: SeDebugPrivilege	3024	fontdrvhost.exe
Token: SeDebugPrivilege	2912	fontdrvhost.exe
Token: SeDebugPrivilege	1856	fontdrvhost.exe
Token: SeDebugPrivilege	4196	fontdrvhost.exe
Token: SeDebugPrivilege	5116	fontdrvhost.exe
Token: SeDebugPrivilege	1852	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 5108	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	92
PID 3080 wrote to memory of 5108	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	92
PID 3080 wrote to memory of 1008	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	93
PID 3080 wrote to memory of 1008	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	93
PID 3080 wrote to memory of 1560	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	94
PID 3080 wrote to memory of 1560	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	94
PID 3080 wrote to memory of 3292	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	95
PID 3080 wrote to memory of 3292	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	95
PID 3080 wrote to memory of 2100	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	96
PID 3080 wrote to memory of 2100	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	96
PID 3080 wrote to memory of 1524	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	97
PID 3080 wrote to memory of 1524	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	97
PID 3080 wrote to memory of 2424	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	98
PID 3080 wrote to memory of 2424	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	98
PID 3080 wrote to memory of 716	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	99
PID 3080 wrote to memory of 716	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	99
PID 3080 wrote to memory of 1788	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	100
PID 3080 wrote to memory of 1788	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	100
PID 3080 wrote to memory of 2700	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	101
PID 3080 wrote to memory of 2700	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	101
PID 3080 wrote to memory of 1644	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	112
PID 3080 wrote to memory of 1644	3080	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	112
PID 1644 wrote to memory of 4680	1644	cmd.exe	114
PID 1644 wrote to memory of 4680	1644	cmd.exe	114
PID 1644 wrote to memory of 1064	1644	cmd.exe	118
PID 1644 wrote to memory of 1064	1644	cmd.exe	118
PID 1064 wrote to memory of 4460	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	124
PID 1064 wrote to memory of 4460	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	124
PID 1064 wrote to memory of 3880	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	125
PID 1064 wrote to memory of 3880	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	125
PID 1064 wrote to memory of 4204	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	126
PID 1064 wrote to memory of 4204	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	126
PID 1064 wrote to memory of 1812	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	127
PID 1064 wrote to memory of 1812	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	127
PID 1064 wrote to memory of 5040	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	128
PID 1064 wrote to memory of 5040	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	128
PID 1064 wrote to memory of 2632	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	134
PID 1064 wrote to memory of 2632	1064	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	134
PID 2632 wrote to memory of 4984	2632	fontdrvhost.exe	135
PID 2632 wrote to memory of 4984	2632	fontdrvhost.exe	135
PID 2632 wrote to memory of 4332	2632	fontdrvhost.exe	136
PID 2632 wrote to memory of 4332	2632	fontdrvhost.exe	136
PID 4984 wrote to memory of 768	4984	WScript.exe	139
PID 4984 wrote to memory of 768	4984	WScript.exe	139
PID 768 wrote to memory of 212	768	fontdrvhost.exe	140
PID 768 wrote to memory of 212	768	fontdrvhost.exe	140
PID 768 wrote to memory of 2732	768	fontdrvhost.exe	141
PID 768 wrote to memory of 2732	768	fontdrvhost.exe	141
PID 212 wrote to memory of 2144	212	WScript.exe	144
PID 212 wrote to memory of 2144	212	WScript.exe	144
PID 2144 wrote to memory of 1616	2144	fontdrvhost.exe	145
PID 2144 wrote to memory of 1616	2144	fontdrvhost.exe	145
PID 2144 wrote to memory of 3464	2144	fontdrvhost.exe	146
PID 2144 wrote to memory of 3464	2144	fontdrvhost.exe	146
PID 1616 wrote to memory of 1372	1616	WScript.exe	147
PID 1616 wrote to memory of 1372	1616	WScript.exe	147
PID 1372 wrote to memory of 3764	1372	fontdrvhost.exe	148
PID 1372 wrote to memory of 3764	1372	fontdrvhost.exe	148
PID 1372 wrote to memory of 4636	1372	fontdrvhost.exe	149
PID 1372 wrote to memory of 4636	1372	fontdrvhost.exe	149
PID 3764 wrote to memory of 112	3764	WScript.exe	150
PID 3764 wrote to memory of 112	3764	WScript.exe	150
PID 112 wrote to memory of 1048	112	fontdrvhost.exe	151
PID 112 wrote to memory of 1048	112	fontdrvhost.exe	151

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
"C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\StructuredQuery\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDSORST\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GFT00JSx5l.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\wininit.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\filetrace\unsecapp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
      "C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473ceb55-4091-4476-a189-f62fed423d0e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7844a2eb-3550-4b24-9123-590420849026.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0cbc03b-a2ab-4388-8ba7-19c72e4855b7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d14d6d-8f01-4f47-baf8-cd9df82d813a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea8f467-e5ac-409b-bb62-e631638406a5.vbs"
        13⤵
        
        PID:1048
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c52987-5fc2-499b-8652-015d09add61b.vbs"
        15⤵
        
        PID:5044
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dba0624b-a898-4b9f-ab80-0b498a289068.vbs"
        17⤵
        
        PID:2072
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e850aa05-80d9-4765-b6b7-5699aea282e8.vbs"
        19⤵
        
        PID:948
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ad597da-6d75-429f-b93d-23890385a58f.vbs"
        21⤵
        
        PID:2472
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\225d39b7-754d-4406-a2de-b12658f1544e.vbs"
        23⤵
        
        PID:1548
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca0e7c5b-e136-4189-9b47-96345f73c870.vbs"
        25⤵
        
        PID:5092
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        
        C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b8a90a-93bb-420a-b085-75fdb0b59d5b.vbs"
        27⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbe0713e-7754-491a-811d-0b6c5f6dc5aa.vbs"
        27⤵
        
        PID:4968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ba9909c-88b0-4f76-b638-ca566aa12f1f.vbs"
        25⤵
        
        PID:4180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3944c5ab-9c54-4190-98ac-ac5f18cdf2c8.vbs"
        23⤵
        
        PID:452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d533fef0-607c-4429-bf9a-cfbf21a4255c.vbs"
        21⤵
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\233e2121-f042-4552-8121-b70cc0d637eb.vbs"
        19⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\308be4ab-c805-4c3c-95dc-d8e53b6b3f25.vbs"
        17⤵
        
        PID:3516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12711b49-fbe6-4809-9020-0c0330bcd485.vbs"
        15⤵
        
        PID:3136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\130ee553-857a-4335-ab66-0b2b4dc1401c.vbs"
        13⤵
        
        PID:3568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f755f44d-1501-4c60-a15f-ee31c88e21b9.vbs"
        11⤵
        
        PID:4636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\968a2d0d-5f5f-46c4-a414-e54bb99504d5.vbs"
        9⤵
        
        PID:3464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb6774cd-1709-470e-ba79-92e07429ebe9.vbs"
        7⤵
        
        PID:2732
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de30bff0-7571-4bfd-aa7b-16547c20f872.vbs"
        5⤵
        
        PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\StructuredQuery\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\KBDSORST\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\NarratorControlTemplates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppReadiness\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\filetrace\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4bf0bc0ee50f611e59dc831fbe4bec43

SHA1
07f72e5d6a281be0dba1e3ef97dfdf37f799bab8

SHA256
786a7b226dd73b5fd37e113170a5fe9a3de6f7dcca5f07b526d06ccb9ee1e810

SHA512
695252ef0552cfefa8ef6b882f45912d03247983c4b9bbc30a1d6122b1a74ba736c8eef339a2230fbc98deafee9cf41410169ff62f8eab6b7590868215feb39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\08d14d6d-8f01-4f47-baf8-cd9df82d813a.vbs

Filesize
736B

MD5
328950ecaa6e82363f92a15428b0e5c3

SHA1
b017125115894b903988ba406f96e50b99a109a0

SHA256
2d8ef3bafae39f74584b3eb8c919c8d765fa2ab017c399ed99b77bce5aeaee0c

SHA512
edde79bacb2d5112085a6f29948812493ed386abc998d0d52a04f4f9a2205e8b1e674f72e4c63b7a9d826cd872f8ef825354e5eafb4bd56f7e7ae5e9e4442060

Download Submit
C:\Users\Admin\AppData\Local\Temp\225d39b7-754d-4406-a2de-b12658f1544e.vbs

Filesize
736B

MD5
65884e64484a1f779af3abf4e1b30b6a

SHA1
6ebf5dd55e9097853e91566416574ee66de1cd51

SHA256
3822ee9a4de1e9da67d4d3603c97d7ca676b1f62d56016edd2523f23d7c1efbd

SHA512
9dde850fd20db43806d1848ef73bed4e6f8f6ed4f6031e673b892661ca243c11deaeb75c46edc30dc3f9869ab0da4c8f206eecd9336033e409de6c7078167869

Download Submit
C:\Users\Admin\AppData\Local\Temp\473ceb55-4091-4476-a189-f62fed423d0e.vbs

Filesize
736B

MD5
9081dc3e7e51520eaaa0ead1168224e4

SHA1
fb7eca416ecddbf6f8a2c16bb3bc0fc2a77668bc

SHA256
c5955b6905866cce5e5e3a5e43b98ec08f7d6eab5f37d568fded3522a052d795

SHA512
cf2091afcfe14831f7fe152ddc6c0ae4067dae8f885d425c92207c64f2e51744bb00016bc6e95e4dd4b45fbe104f8b22d7ac427aa021ceec9b3d970dd9da2f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7844a2eb-3550-4b24-9123-590420849026.vbs

Filesize
735B

MD5
9efd5b3c9c0695d8a82d825a86d11f5b

SHA1
7bc8817775b263e5cdd25b7290c926757a49c11b

SHA256
e09f052801319f322b29d8f2b0626b85b4a700765d06cf3f0cac8acfc683aaca

SHA512
b48f5bbaaf3737c635e000e536dca211aa3aaa06da09b49623fc2a427dad0189b2ca54c9513cd787961c4541d392a2c46e8ec196fecc7f019e8570239b27c5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ad597da-6d75-429f-b93d-23890385a58f.vbs

Filesize
736B

MD5
dc60b01d880edd352927e64e0b79029a

SHA1
c75dde4d36727672a64240296435ece4f3b5beae

SHA256
9c28d2a02456c6017d856b3229db60d4ba43fc36f510f3178446b0d406af35bf

SHA512
74c4d73f0426ee8cf5f5034cc39e05baa17b1f5ed91ad66eb239e259f9ec6a5ee9f9fe9090381881a23976a9f2f2a96181444085116b935a10049026dbd642ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\GFT00JSx5l.bat

Filesize
267B

MD5
54f84ad98b640535e46941dbe6cafa8c

SHA1
84f2a179c8736022deb02127106ca4eb953a2379

SHA256
f9bd836260176dbe8cf787c7b0af07a8739c5af09eb3f744a7695c778eb36573

SHA512
592bdaa4fcc1c38639f59881b37cbb9fccbb16fa72c9b891caea67069b90d7a83aa829479195b69b957cc8e98e62534be049df82e9b949444cb76e9767fb6a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3zbvb0f.0u5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0c52987-5fc2-499b-8652-015d09add61b.vbs

Filesize
735B

MD5
cb50c318ce21fb9c95c728cd215506ee

SHA1
7ab08ed9d351f89f65043c39836db84c60ed62a2

SHA256
5a79e0baa5c3749d8a700a3e7bb6e37b86ed951ce42be9d85378acfe13432ebe

SHA512
bef9e4c1a904350777a27bdf1675e1d34ae99416770d3537acee40d2ec4e991f79a18111ee06871ecea21822e13a88de9a38705e1d81bb3787763a3c341c4bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0e7c5b-e136-4189-9b47-96345f73c870.vbs

Filesize
736B

MD5
678d645f076ad33ce8b0b92a545cdf6f

SHA1
ce680b776f690bd005425ba1a1ca41aff698bacc

SHA256
8774f160f1768a927270404890f4b1b248d70839fef91e43ea88d902f319a071

SHA512
13cc9b06ce5b8ed96223d76f184cb93ac31c972553351b9d31f964f955aa4e19c8639053d2cdc501d07b067d7a4b05aab9c2a59b1cbb4b39818c41ce254b6ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dba0624b-a898-4b9f-ab80-0b498a289068.vbs

Filesize
736B

MD5
b2ceb239246e22997da2c702b257dad8

SHA1
5288ac4ff55057e0ba855558cf7e6647d88b1b76

SHA256
8ca79dfbee1f4fc7027403e853a48ee0ca62283291032c9f22a5f0e2fdfdcd59

SHA512
964e68cf265ba1a7df833bdd296155277212e0a45402e92891addd5d51bbaa77aabc3f4291988815e2a2eab28b92da4b1fbab1dd80a82525ae1755f9fce68b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\de30bff0-7571-4bfd-aa7b-16547c20f872.vbs

Filesize
512B

MD5
c00b324418abfc5cb499eb41389f4d5e

SHA1
85a9771939b7f9a75c513d605ccd4a0c60ad63fb

SHA256
af5a00c3541884dce3b2ed4b2fef9ff2083b84ee45a01be8e9fd2cd4b7614ec6

SHA512
1f19abaa67fcf7eb4d27c90f338151facea2fdfd9e7772faebb00ce594f0652b52fe00d8f201c64e6b662eda39d4a02eb97d47f0b3db795c3a3138db76d6ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbc03b-a2ab-4388-8ba7-19c72e4855b7.vbs

Filesize
736B

MD5
b385cb032d26da286790a2d6de36eb43

SHA1
e4add0820f82ba8908697c78cfc82fa25a9e5ef3

SHA256
47ee13e1231a850b488756a38becc1c4ee54bb444c4bcf9f7b22fc4879689883

SHA512
c7a0ad7f347a94fe55d430dbcfc9409e38acda0d172b9ba18ab5a42fcbd49e17df7cc4968b002476fb5e770c85e33e756abb95fbf610fd15bef0e7eb26150ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e850aa05-80d9-4765-b6b7-5699aea282e8.vbs

Filesize
736B

MD5
a3a27026b1b33bef80060ba90ce64e8a

SHA1
ee862fd2f2aba16f3a8315c5ef38a712017006e6

SHA256
fbd2e53b565c3924580353bc7cf4ff0e9367a4aa82a16a6d503c49f8055e59cc

SHA512
508cfb52d50b6c86fade24a0c2e3e238b3f41097309000729e0a43964274512c1c5d57991ce9b050d6db0f5827816eccebffaeed1f099d3883f7645cd57e852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eea8f467-e5ac-409b-bb62-e631638406a5.vbs

Filesize
735B

MD5
bc363046021ca87f8abf47bf5857acf2

SHA1
f7761074b4193731e4b13930632777db91e31dff

SHA256
617c764b8116c1f2dddf978e4f6631f6c6be33c7fe6fc3e29751c2b8bc18adfd

SHA512
289d5de6876cb2db3004d38f402d666e335486dc44a2856440b807717902d25f0620bc94dd28a528e9fbd53be6a0509cea925d053311389b8baf4ece58693d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
456B

MD5
d600ff0c51637c878d7d533260c20d38

SHA1
202f3beb86ba29d2d22e251f40ba83da0bbfdbc3

SHA256
edc32373f272f71a12a5ebe9233eb8e20c2fe2bb6dbddb1c70a6fd22ebe92f11

SHA512
eb281141efb77e6baf5b2c5c40624dd492cc846756a362505990221641fb61d84c8912edff1d11d3ce0eac70e206f6bcad8e39a2e32d6984462c89e7ab576cdf

Download Submit
C:\Windows\System32\KBDSORST\SppExtComObj.exe

Filesize
1.5MB

MD5
d783e97b37584c63b3b45c382b22a000

SHA1
6c3c4b8a5081304166c0a3c53930164efc09afac

SHA256
1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ff

SHA512
683396235092e51403f8699e59f7561924575116ec239fe148f321f98c8ddc31faf87c58e620fd202b1a4b49b46a0d3bcbd875ebbecabea2dcc878f34bae717d

Download Submit
memory/112-409-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/112-420-0x000000001C2A0000-0x000000001C3A2000-memory.dmp

Filesize
1.0MB

Download
memory/516-422-0x0000000003000000-0x0000000003012000-memory.dmp

Filesize
72KB

Download
memory/516-433-0x000000001C6C0000-0x000000001C7C2000-memory.dmp

Filesize
1.0MB

Download
memory/768-370-0x00000000018C0000-0x00000000018D2000-memory.dmp

Filesize
72KB

Download
memory/768-381-0x000000001C6F0000-0x000000001C7F2000-memory.dmp

Filesize
1.0MB

Download
memory/1064-226-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/1372-396-0x00000000033C0000-0x00000000033D2000-memory.dmp

Filesize
72KB

Download
memory/1372-407-0x000000001C780000-0x000000001C882000-memory.dmp

Filesize
1.0MB

Download
memory/1788-120-0x00000234C7CD0000-0x00000234C7CF2000-memory.dmp

Filesize
136KB

Download
memory/1856-459-0x00000000016E0000-0x00000000016F2000-memory.dmp

Filesize
72KB

Download
memory/2144-383-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download
memory/2144-394-0x000000001C1F0000-0x000000001C2F2000-memory.dmp

Filesize
1.0MB

Download
memory/2912-447-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/3024-445-0x000000001BFB0000-0x000000001C0B2000-memory.dmp

Filesize
1.0MB

Download
memory/3080-0-0x00007FFB0A653000-0x00007FFB0A655000-memory.dmp

Filesize
8KB

Download
memory/3080-10-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/3080-15-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/3080-14-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/3080-17-0x0000000002920000-0x000000000292C000-memory.dmp

Filesize
48KB

Download
memory/3080-13-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/3080-18-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/3080-20-0x0000000002950000-0x000000000295C000-memory.dmp

Filesize
48KB

Download
memory/3080-12-0x00000000028C0000-0x00000000028C8000-memory.dmp

Filesize
32KB

Download
memory/3080-21-0x00000000029D0000-0x00000000029D8000-memory.dmp

Filesize
32KB

Download
memory/3080-11-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/3080-16-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/3080-8-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/3080-9-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/3080-6-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download
memory/3080-7-0x0000000002870000-0x000000000287C000-memory.dmp

Filesize
48KB

Download
memory/3080-5-0x0000000002860000-0x000000000286C000-memory.dmp

Filesize
48KB

Download
memory/3080-24-0x00007FFB0A650000-0x00007FFB0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3080-25-0x00007FFB0A650000-0x00007FFB0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3080-4-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/3080-110-0x00007FFB0A650000-0x00007FFB0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3080-3-0x0000000001080000-0x0000000001088000-memory.dmp

Filesize
32KB

Download
memory/3080-2-0x00007FFB0A650000-0x00007FFB0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3080-1-0x00000000005B0000-0x000000000072E000-memory.dmp

Filesize
1.5MB

Download