dcrat | b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Size

4.9MB
MD5

e5c7c10f2b2e9aae378722a84cf0f1ac
SHA1

7074fb2e95c3f318276e416d19591cd97b9aa493
SHA256

b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce
SHA512

3782809b71de3b67934d02c5d9af5d1a9ae9f0d284bef7f2e151014d1f4485e6764f577de4588f8d1f9d1e58054620f61942a0be2e2f2d6a23d2a8f65d301490
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8c:c

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2268	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2268	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2100-3-0x000000001B910000-0x000000001BA3E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
1936	powershell.exe
1360	powershell.exe
1652	powershell.exe
2928	powershell.exe
300	powershell.exe
1672	powershell.exe
2508	powershell.exe
2188	powershell.exe
2252	powershell.exe
336	powershell.exe
2288	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2044	dwm.exe
2208	dwm.exe
1732	dwm.exe
768	dwm.exe
2440	dwm.exe
896	dwm.exe
2172	dwm.exe
2724	dwm.exe
2504	dwm.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCXEE1B.tmp	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\dad904908931ce	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXE783.tmp	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXF4A4.tmp	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\RCXF8BB.tmp	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\6cb0b6c459d5d3	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\6cb0b6c459d5d3	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tracing\winlogon.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File created	C:\Windows\tracing\cc11b995f2a76d	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Windows\tracing\RCXF6B7.tmp	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
File opened for modification	C:\Windows\tracing\winlogon.exe	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
2556	schtasks.exe
2664	schtasks.exe
1548	schtasks.exe
2044	schtasks.exe
2028	schtasks.exe
2908	schtasks.exe
2020	schtasks.exe
2216	schtasks.exe
544	schtasks.exe
2816	schtasks.exe
1192	schtasks.exe
2668	schtasks.exe
2796	schtasks.exe
1016	schtasks.exe
1980	schtasks.exe
2752	schtasks.exe
2560	schtasks.exe
3012	schtasks.exe
1748	schtasks.exe
1044	schtasks.exe
624	schtasks.exe
2776	schtasks.exe
2008	schtasks.exe
912	schtasks.exe
2576	schtasks.exe
2720	schtasks.exe
1928	schtasks.exe
324	schtasks.exe
2144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
2288	powershell.exe
336	powershell.exe
300	powershell.exe
2508	powershell.exe
1360	powershell.exe
2252	powershell.exe
3052	powershell.exe
2188	powershell.exe
1652	powershell.exe
1936	powershell.exe
2928	powershell.exe
1672	powershell.exe
2044	dwm.exe
2208	dwm.exe
1732	dwm.exe
768	dwm.exe
2440	dwm.exe
896	dwm.exe
2172	dwm.exe
2724	dwm.exe
2504	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2044	dwm.exe
Token: SeDebugPrivilege	2208	dwm.exe
Token: SeDebugPrivilege	1732	dwm.exe
Token: SeDebugPrivilege	768	dwm.exe
Token: SeDebugPrivilege	2440	dwm.exe
Token: SeDebugPrivilege	896	dwm.exe
Token: SeDebugPrivilege	2172	dwm.exe
Token: SeDebugPrivilege	2724	dwm.exe
Token: SeDebugPrivilege	2504	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 300	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	62
PID 2100 wrote to memory of 300	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	62
PID 2100 wrote to memory of 300	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	62
PID 2100 wrote to memory of 3052	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	63
PID 2100 wrote to memory of 3052	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	63
PID 2100 wrote to memory of 3052	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	63
PID 2100 wrote to memory of 2288	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	65
PID 2100 wrote to memory of 2288	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	65
PID 2100 wrote to memory of 2288	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	65
PID 2100 wrote to memory of 1652	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	66
PID 2100 wrote to memory of 1652	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	66
PID 2100 wrote to memory of 1652	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	66
PID 2100 wrote to memory of 1936	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	67
PID 2100 wrote to memory of 1936	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	67
PID 2100 wrote to memory of 1936	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	67
PID 2100 wrote to memory of 1360	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	68
PID 2100 wrote to memory of 1360	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	68
PID 2100 wrote to memory of 1360	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	68
PID 2100 wrote to memory of 336	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	71
PID 2100 wrote to memory of 336	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	71
PID 2100 wrote to memory of 336	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	71
PID 2100 wrote to memory of 2252	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	72
PID 2100 wrote to memory of 2252	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	72
PID 2100 wrote to memory of 2252	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	72
PID 2100 wrote to memory of 2188	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	73
PID 2100 wrote to memory of 2188	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	73
PID 2100 wrote to memory of 2188	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	73
PID 2100 wrote to memory of 2928	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	74
PID 2100 wrote to memory of 2928	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	74
PID 2100 wrote to memory of 2928	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	74
PID 2100 wrote to memory of 1672	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	75
PID 2100 wrote to memory of 1672	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	75
PID 2100 wrote to memory of 1672	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	75
PID 2100 wrote to memory of 2508	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	76
PID 2100 wrote to memory of 2508	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	76
PID 2100 wrote to memory of 2508	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	76
PID 2100 wrote to memory of 2044	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	86
PID 2100 wrote to memory of 2044	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	86
PID 2100 wrote to memory of 2044	2100	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe	86
PID 2044 wrote to memory of 1692	2044	dwm.exe	87
PID 2044 wrote to memory of 1692	2044	dwm.exe	87
PID 2044 wrote to memory of 1692	2044	dwm.exe	87
PID 2044 wrote to memory of 1736	2044	dwm.exe	88
PID 2044 wrote to memory of 1736	2044	dwm.exe	88
PID 2044 wrote to memory of 1736	2044	dwm.exe	88
PID 1692 wrote to memory of 2208	1692	WScript.exe	89
PID 1692 wrote to memory of 2208	1692	WScript.exe	89
PID 1692 wrote to memory of 2208	1692	WScript.exe	89
PID 2208 wrote to memory of 892	2208	dwm.exe	90
PID 2208 wrote to memory of 892	2208	dwm.exe	90
PID 2208 wrote to memory of 892	2208	dwm.exe	90
PID 2208 wrote to memory of 3028	2208	dwm.exe	91
PID 2208 wrote to memory of 3028	2208	dwm.exe	91
PID 2208 wrote to memory of 3028	2208	dwm.exe	91
PID 892 wrote to memory of 1732	892	WScript.exe	92
PID 892 wrote to memory of 1732	892	WScript.exe	92
PID 892 wrote to memory of 1732	892	WScript.exe	92
PID 1732 wrote to memory of 2764	1732	dwm.exe	93
PID 1732 wrote to memory of 2764	1732	dwm.exe	93
PID 1732 wrote to memory of 2764	1732	dwm.exe	93
PID 1732 wrote to memory of 3064	1732	dwm.exe	94
PID 1732 wrote to memory of 3064	1732	dwm.exe	94
PID 1732 wrote to memory of 3064	1732	dwm.exe	94
PID 2764 wrote to memory of 768	2764	WScript.exe	95

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
"C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
  "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2acdc90-7e60-4332-80a5-d79aa7e70b2d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ec01f7-84d8-43cf-9f94-6e0449479811.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8646abc-8eb3-410e-aa60-f55efdc241fb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fccbb7fa-498e-480b-b883-b49025319afa.vbs"
        9⤵
        
        PID:1352
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe7db1e3-17eb-472f-9bbb-a97ed039b61c.vbs"
        11⤵
        
        PID:1476
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\181576d3-ba61-4c8e-affb-205674d39e45.vbs"
        13⤵
        
        PID:2776
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e6c7f24-d79d-408e-a5d5-1024f8c9e4f7.vbs"
        15⤵
        
        PID:2228
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82724411-0328-4fbb-b3cc-8839dfa8791a.vbs"
        17⤵
        
        PID:2168
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb39ba55-748b-4fc4-a963-51165ab33a00.vbs"
        19⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\741afc65-802d-4fb2-95c6-6531f9a2e00f.vbs"
        19⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17cc4f1c-09f4-4f1d-b449-881a247be13c.vbs"
        17⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c42fc5-6489-4d76-9ab3-a2c20b39a38d.vbs"
        15⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e93166e-b380-463e-b3a6-88b1c235c15a.vbs"
        13⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e98a6ec8-5dc9-4ba6-85ca-f065b52a9f31.vbs"
        11⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1449cfd-e35f-4370-a8e4-73a900f4534d.vbs"
        9⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\083f9a2f-c2ee-44fd-a3f8-1e79f09afcda.vbs"
        7⤵
        
        PID:3064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\843e6899-a816-4733-915e-c11ea9a41345.vbs"
        5⤵
        
        PID:3028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89d4adf-d3ff-4445-9e7f-5049c4123812.vbs"
    3⤵
    PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ceb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ceb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\OSPPSVC.exe

Filesize
4.9MB

MD5
e5c7c10f2b2e9aae378722a84cf0f1ac

SHA1
7074fb2e95c3f318276e416d19591cd97b9aa493

SHA256
b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce

SHA512
3782809b71de3b67934d02c5d9af5d1a9ae9f0d284bef7f2e151014d1f4485e6764f577de4588f8d1f9d1e58054620f61942a0be2e2f2d6a23d2a8f65d301490

Download Submit
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe

Filesize
4.9MB

MD5
c0b31aaf4cab8d91663634f7465a441f

SHA1
65b1328a7f891886bcb720ad749065b0bc0a9fa1

SHA256
603f261e4e3d7368eb4891eed63a61b4010fae577766a0afc694585b4ca7c51c

SHA512
757b69d3aeec4cac18364be5dc7bd56fa984e09efa5da67d1e673bf97b41ba61559776a310b58b020f3419ede3413f2a0af36d8d993217bb971820a2bfb58b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\181576d3-ba61-4c8e-affb-205674d39e45.vbs

Filesize
737B

MD5
ab58f2173006058dff2773495494f48e

SHA1
ea80df678db1255027bce70640537e200c5ecf66

SHA256
b1dcdb04320e77d6cf78f86df0c6c49078501dacd660dcefe37520fa2097d6f8

SHA512
fc8d8da2ab1d41ed09539adaf09b206a4387b6c397eade28203549f96ecf885931597b0fe021a85f634936377ec510a2f31834080f7fe32f893ddb4a6a5c14c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e6c7f24-d79d-408e-a5d5-1024f8c9e4f7.vbs

Filesize
738B

MD5
4b82871f0af7f84c9c3b954d9417fc38

SHA1
77090fc9849619536fc22d22667e3cc2b21c9e9d

SHA256
98385cffaacbe737f040ae18c6325c67cebbadc59ffe28086fc89805f3bbb35f

SHA512
b9a8d34a708405df095c49d4763fc4e7cbf4a7dc9b2fea7d128b4433ef7f714c2dcc636f01682d8a6825104122be55fa5aec8d0c8d535f8c6c0cd70dba810ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\82724411-0328-4fbb-b3cc-8839dfa8791a.vbs

Filesize
738B

MD5
d320a820fe27d9e90f8989d57ae989a3

SHA1
8c17d616336718dc4d65b5b5e3ac748a8f2bb6af

SHA256
a667e6e6b24aa766938bd7f8c1af6aa17bf46521922bf21b46998c7828eee396

SHA512
fb48b5b975b6b425e16511ba8c973a011e7b8daf907a3ee1c1f55a73e1a61140d38bc8d77a752d448e1d74f8db1b705507112009b4e5994c0a50bd21dbc9407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2acdc90-7e60-4332-80a5-d79aa7e70b2d.vbs

Filesize
738B

MD5
d7a74ee039af6acd8838361d921fdc1e

SHA1
678268eb5a268e2936ade8d3e4c7bc5263c1e2b3

SHA256
e1582ff6fd7529ebf6c461c6d54d94cdc45f23c8b10e424977b9c23acc081780

SHA512
0837d8557e3177d4cdcdb483a1a12435854d6f86dd28c869c1b1fb93ec529a31d12446e7e595960b4b710f73dfb31f22eaab18bf42f1088df6a49608b60e3e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\d89d4adf-d3ff-4445-9e7f-5049c4123812.vbs

Filesize
514B

MD5
50ba931056f8ebc6254f918ff76dc145

SHA1
99039ae07e6a99ff44049b9e4801b235fbe5c621

SHA256
0f09c71b7d7c8a4e33e3269220308ebc51c71794235f2ad2729c94f54967cdea

SHA512
cdb8c6e5b1ab01a1837669370204d6abd834bd6c12ff46bb2e84f9d0db9a7c0fecd94cb034f8e074c691935014400148b118ffad217d1b07c3b58a1699134b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2ec01f7-84d8-43cf-9f94-6e0449479811.vbs

Filesize
738B

MD5
e930b7d297e073166b5d693b4d39e709

SHA1
1b58fc5a4a5f5e19e31060df10c368acef21d5d3

SHA256
51f4a55417baf2fb437738ba7c660477fd3be7c7f91a7dfdb4f41674284d5ef3

SHA512
635308ae2910cc6dd6f3876f2346de8d99a9deb2ae9b0136a5a4ef5dd44a05c9df6f885ffc7d94944cdba8729cdce52df37e1772c4eed9c47c4a6866a7e31443

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8646abc-8eb3-410e-aa60-f55efdc241fb.vbs

Filesize
738B

MD5
38cc43e836f92c95eba83f2981c8eeee

SHA1
cbf25bba7886a810baca0646928c0fb47ba81205

SHA256
fd8efe03a10317f016bef87b98d52c92222f4357fcb1dd5462d8f1fd672d9ff5

SHA512
da5dcb85f0745ce98e8baa7449088a53ac2a277e7a949a922903a7db1fea8ea79ad028455ac849b6ade9635691c756494d080f9739f3f17fd8cafe93e74cc059

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb39ba55-748b-4fc4-a963-51165ab33a00.vbs

Filesize
738B

MD5
b4f4911ba50f463b6c2febb5300cbeac

SHA1
c78a4df470418975664b86e1933193e42e0acd52

SHA256
ba1517acda6f8389173a6ec9a834adc39a294b0d5ae957e9a91dafbf97ecff17

SHA512
83805fcb47f6fd3ef6ad0ea14094669f76fde9d66eb2f02691d845436bad9b349351a95457aed48585f4186d4069bd080b004bf8e37be013c0423185437849c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fccbb7fa-498e-480b-b883-b49025319afa.vbs

Filesize
737B

MD5
78addc630a3ee747be5491f6d1b11381

SHA1
9cf6a3e981e1227f0b6d8e4650e5dfd4497a5d58

SHA256
9f9a75df6feee99d9788e76cd6d8d3e46d0ab7daa3b09e8f1833906838195d2e

SHA512
9ebc92252a18875f130bbdd2facb94298699bd91f712439ad46ebda90a63e43d25678ec6a750bec5e7472647163f7ca0f7f33ea04d4def914d9c31384449937f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe7db1e3-17eb-472f-9bbb-a97ed039b61c.vbs

Filesize
738B

MD5
0a7d2f902208b0afab5c52895323e5ac

SHA1
b82ec3ee72a885617d2e3c4fa47ecfd55bc71971

SHA256
4845334cdbbe9ad4d1f2a8edf376500edba722f6a2fabe87cc7354a1457a3e3c

SHA512
ecb0d8b96e1bc13ffb6ea2ee4c9eceb8847dd2c95c24c3d77be85e54193fef6ec7558f34b7046db32b1e4cdcd9a71e1b08566c9386373409d9a70688f7ea4b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12D5.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6934d6db7a3a5c0bff448be75789c77e

SHA1
56499dfe638bd9d925280144005ce39ae7f275fc

SHA256
74b64fb759e458123be171710e85731597f84e484c19f65c2d8f66bdf32fb168

SHA512
e6ad770fa55425035dc77ffef101778bbca4fa0d6131e71c71059605704f8798d287021dca93e1f3f9999ea2c5f60de564905d36116266bf81a1176715579dd9

Download Submit
memory/768-221-0x0000000000260000-0x0000000000754000-memory.dmp

Filesize
5.0MB

Download
memory/896-251-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/1360-136-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1732-206-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/1732-205-0x0000000001090000-0x0000000001584000-memory.dmp

Filesize
5.0MB

Download
memory/2044-177-0x0000000000CA0000-0x0000000001194000-memory.dmp

Filesize
5.0MB

Download
memory/2100-167-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2100-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2100-9-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/2100-176-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-1-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/2100-10-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/2100-7-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/2100-11-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/2100-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2100-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2100-8-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2100-5-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2100-6-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2100-13-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2100-2-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-12-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/2100-14-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2100-4-0x00000000006A0000-0x00000000006BC000-memory.dmp

Filesize
112KB

Download
memory/2100-3-0x000000001B910000-0x000000001BA3E000-memory.dmp

Filesize
1.2MB

Download
memory/2172-266-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/2288-137-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2440-236-0x0000000000830000-0x0000000000D24000-memory.dmp

Filesize
5.0MB

Download
memory/2504-297-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download
memory/2724-281-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/2724-282-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download