dcrat | 91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
Size

1.3MB
MD5

32e1b0bf75950d5889638f0e030f70c0
SHA1

46452b2a92fc30511ebe60c7daf946e039240985
SHA256

91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f
SHA512

2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b
SSDEEP

24576:h/DBENpV4Ttrg7k+F9P8w7YomZunmGKgPL+0Ha:9DKpVoaJQkmUnbhL/

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	1260	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1260	schtasks.exe	86

DCRat payload 28 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3004-0-0x0000000000D20000-0x0000000000E72000-memory.dmp	dcrat
behavioral2/files/0x000600000002320d-17.dat	dcrat
behavioral2/files/0x000900000002322e-95.dat	dcrat
behavioral2/files/0x000600000002320d-249.dat	dcrat
behavioral2/files/0x000600000002320d-248.dat	dcrat
behavioral2/files/0x000600000002320d-309.dat	dcrat
behavioral2/files/0x000600000002320d-324.dat	dcrat
behavioral2/files/0x000600000002323a-330.dat	dcrat
behavioral2/files/0x000600000002320d-338.dat	dcrat
behavioral2/files/0x000600000002323a-343.dat	dcrat
behavioral2/files/0x000600000002320d-353.dat	dcrat
behavioral2/files/0x000600000002323a-358.dat	dcrat
behavioral2/files/0x000600000002320d-366.dat	dcrat
behavioral2/files/0x000600000002323a-371.dat	dcrat
behavioral2/files/0x000600000002320d-379.dat	dcrat
behavioral2/files/0x000600000002323a-385.dat	dcrat
behavioral2/files/0x000600000002320d-390.dat	dcrat
behavioral2/files/0x000600000002323a-395.dat	dcrat
behavioral2/files/0x000600000002320d-403.dat	dcrat
behavioral2/files/0x000600000002323a-409.dat	dcrat
behavioral2/files/0x000600000002320d-417.dat	dcrat
behavioral2/files/0x000600000002323a-422.dat	dcrat
behavioral2/files/0x000600000002320d-431.dat	dcrat
behavioral2/files/0x000600000002323a-437.dat	dcrat
behavioral2/files/0x000600000002320d-446.dat	dcrat
behavioral2/files/0x000600000002323a-451.dat	dcrat
behavioral2/files/0x000600000002320d-459.dat	dcrat
behavioral2/files/0x000600000002323a-465.dat	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe

Executes dropped EXE 13 IoCs

pid	Process
5388	winlogon.exe
4020	winlogon.exe
5272	winlogon.exe
5472	winlogon.exe
848	winlogon.exe
4968	winlogon.exe
412	winlogon.exe
1160	winlogon.exe
6124	winlogon.exe
5724	winlogon.exe
5232	winlogon.exe
848	winlogon.exe
2452	winlogon.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXA3B7.tmp	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\cc11b995f2a76d	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX9174.tmp	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\9e8d7a4ca61bd9	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXC58A.tmp	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\RuntimeBroker.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Windows\Help\mui\RCXC79F.tmp	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Windows\addins\9e8d7a4ca61bd9	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Windows\Speech\Common\en-US\RuntimeBroker.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Windows\Help\mui\wininit.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Windows\addins\RCXBEA3.tmp	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Windows\addins\RuntimeBroker.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File created	C:\Windows\Help\mui\56085415360792	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
File opened for modification	C:\Windows\Help\mui\wininit.exe	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1420	schtasks.exe
2356	schtasks.exe
3328	schtasks.exe
5100	schtasks.exe
2836	schtasks.exe
5068	schtasks.exe
4864	schtasks.exe
684	schtasks.exe
4800	schtasks.exe
396	schtasks.exe
4500	schtasks.exe
2996	schtasks.exe
2960	schtasks.exe
3240	schtasks.exe
4808	schtasks.exe
4284	schtasks.exe
4648	schtasks.exe
4848	schtasks.exe
3552	schtasks.exe
4988	schtasks.exe
2476	schtasks.exe
1576	schtasks.exe
4716	schtasks.exe
3304	schtasks.exe
4996	schtasks.exe
4260	schtasks.exe
1020	schtasks.exe
4972	schtasks.exe
1404	schtasks.exe
2816	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
1376	powershell.exe
1376	powershell.exe
2200	powershell.exe
2200	powershell.exe
2720	powershell.exe
2720	powershell.exe
4516	powershell.exe
4516	powershell.exe
3328	powershell.exe
3328	powershell.exe
4004	powershell.exe
2800	powershell.exe
4004	powershell.exe
2800	powershell.exe
3540	powershell.exe
3540	powershell.exe
4116	powershell.exe
4116	powershell.exe
2336	powershell.exe
2336	powershell.exe
1800	powershell.exe
1800	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
1376	powershell.exe
1376	powershell.exe
2200	powershell.exe
2720	powershell.exe
4516	powershell.exe
3328	powershell.exe
4004	powershell.exe
2800	powershell.exe
3540	powershell.exe
2336	powershell.exe
1800	powershell.exe
4116	powershell.exe
5388	winlogon.exe
5388	winlogon.exe
4020	winlogon.exe
5272	winlogon.exe
5472	winlogon.exe
848	winlogon.exe
4968	winlogon.exe
412	winlogon.exe
1160	winlogon.exe
6124	winlogon.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	5388	winlogon.exe
Token: SeDebugPrivilege	4020	winlogon.exe
Token: SeDebugPrivilege	5272	winlogon.exe
Token: SeDebugPrivilege	5472	winlogon.exe
Token: SeDebugPrivilege	848	winlogon.exe
Token: SeDebugPrivilege	4968	winlogon.exe
Token: SeDebugPrivilege	412	winlogon.exe
Token: SeDebugPrivilege	1160	winlogon.exe
Token: SeDebugPrivilege	6124	winlogon.exe
Token: SeDebugPrivilege	5724	winlogon.exe
Token: SeDebugPrivilege	5232	winlogon.exe
Token: SeDebugPrivilege	848	winlogon.exe
Token: SeDebugPrivilege	2452	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4272	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	122
PID 3004 wrote to memory of 4272	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	122
PID 3004 wrote to memory of 2200	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	123
PID 3004 wrote to memory of 2200	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	123
PID 3004 wrote to memory of 1800	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	124
PID 3004 wrote to memory of 1800	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	124
PID 3004 wrote to memory of 3328	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	144
PID 3004 wrote to memory of 3328	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	144
PID 3004 wrote to memory of 4004	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	143
PID 3004 wrote to memory of 4004	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	143
PID 3004 wrote to memory of 1376	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	142
PID 3004 wrote to memory of 1376	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	142
PID 3004 wrote to memory of 4516	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	141
PID 3004 wrote to memory of 4516	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	141
PID 3004 wrote to memory of 2720	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	140
PID 3004 wrote to memory of 2720	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	140
PID 3004 wrote to memory of 2800	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	125
PID 3004 wrote to memory of 2800	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	125
PID 3004 wrote to memory of 2336	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	138
PID 3004 wrote to memory of 2336	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	138
PID 3004 wrote to memory of 4116	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	136
PID 3004 wrote to memory of 4116	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	136
PID 3004 wrote to memory of 3540	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	132
PID 3004 wrote to memory of 3540	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	132
PID 3004 wrote to memory of 2056	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	145
PID 3004 wrote to memory of 2056	3004	NEAS.32e1b0bf75950d5889638f0e030f70c0.exe	145
PID 2056 wrote to memory of 4572	2056	cmd.exe	149
PID 2056 wrote to memory of 4572	2056	cmd.exe	149
PID 2056 wrote to memory of 5388	2056	cmd.exe	152
PID 2056 wrote to memory of 5388	2056	cmd.exe	152
PID 5388 wrote to memory of 5720	5388	winlogon.exe	154
PID 5388 wrote to memory of 5720	5388	winlogon.exe	154
PID 5388 wrote to memory of 5928	5388	winlogon.exe	155
PID 5388 wrote to memory of 5928	5388	winlogon.exe	155
PID 5720 wrote to memory of 4020	5720	WScript.exe	157
PID 5720 wrote to memory of 4020	5720	WScript.exe	157
PID 4020 wrote to memory of 2204	4020	winlogon.exe	158
PID 4020 wrote to memory of 2204	4020	winlogon.exe	158
PID 4020 wrote to memory of 4572	4020	winlogon.exe	159
PID 4020 wrote to memory of 4572	4020	winlogon.exe	159
PID 2204 wrote to memory of 5272	2204	WScript.exe	160
PID 2204 wrote to memory of 5272	2204	WScript.exe	160
PID 5272 wrote to memory of 5600	5272	winlogon.exe	161
PID 5272 wrote to memory of 5600	5272	winlogon.exe	161
PID 5272 wrote to memory of 5464	5272	winlogon.exe	162
PID 5272 wrote to memory of 5464	5272	winlogon.exe	162
PID 5600 wrote to memory of 5472	5600	WScript.exe	163
PID 5600 wrote to memory of 5472	5600	WScript.exe	163
PID 5472 wrote to memory of 4060	5472	winlogon.exe	164
PID 5472 wrote to memory of 4060	5472	winlogon.exe	164
PID 5472 wrote to memory of 4648	5472	winlogon.exe	165
PID 5472 wrote to memory of 4648	5472	winlogon.exe	165
PID 4060 wrote to memory of 848	4060	WScript.exe	167
PID 4060 wrote to memory of 848	4060	WScript.exe	167
PID 848 wrote to memory of 4800	848	winlogon.exe	168
PID 848 wrote to memory of 4800	848	winlogon.exe	168
PID 848 wrote to memory of 5808	848	winlogon.exe	169
PID 848 wrote to memory of 5808	848	winlogon.exe	169
PID 4800 wrote to memory of 4968	4800	WScript.exe	170
PID 4800 wrote to memory of 4968	4800	WScript.exe	170
PID 4968 wrote to memory of 5332	4968	winlogon.exe	171
PID 4968 wrote to memory of 5332	4968	winlogon.exe	171
PID 4968 wrote to memory of 396	4968	winlogon.exe	172
PID 4968 wrote to memory of 396	4968	winlogon.exe	172

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.32e1b0bf75950d5889638f0e030f70c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.32e1b0bf75950d5889638f0e030f70c0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DE1qKFefTY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4572
- - C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
    "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5388
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ef62912-c4dd-4954-a5f5-37cc504469f9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5720
    - - C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a11f9f0-6903-4bd1-abf1-11419fdcffad.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\005e7da7-9b61-49d9-b78b-0a216e263813.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6171f26-e60a-4c05-8ece-723a13765be7.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17b6f4d7-8afe-4f4f-af0c-e6503d0924c2.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8e3613a-0f14-4064-aa09-05a99f351a5b.vbs"
        14⤵
        
        PID:5332
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05bc5c1c-5f07-4c8e-8ebb-0568a88c5e7e.vbs"
        16⤵
        
        PID:3648
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088499da-e8d8-4628-a18b-65db03406a7d.vbs"
        18⤵
        
        PID:5432
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5067bf7f-658e-4c89-9f4d-243e7784b636.vbs"
        20⤵
        
        PID:6040
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca220019-8989-4eb0-8f68-559a6c89e602.vbs"
        22⤵
        
        PID:648
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82f7636e-c3ef-4dbb-b34b-00069538b545.vbs"
        24⤵
        
        PID:2044
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab423b37-3c87-4bd8-bfd9-7bac45402008.vbs"
        26⤵
        
        PID:5300
        
        C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\307735b1-d55c-4ad3-a194-696715315fe7.vbs"
        28⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ba8d50-d5e6-4c3b-ab5f-7fc9fd861e3d.vbs"
        28⤵
        
        PID:5132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7302baa4-e0f0-492b-9d1b-b311549743f2.vbs"
        26⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e5c619c-d74c-4fd7-9192-458b5f929fd1.vbs"
        24⤵
        
        PID:4808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c00cdc4-f779-4ba2-8ff0-952e4ac965e1.vbs"
        22⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6923235d-cca9-4306-91e9-aa83441d5e50.vbs"
        20⤵
        
        PID:6016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\397c6035-e07a-4fab-922c-e5c41cfb9519.vbs"
        18⤵
        
        PID:6140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33240841-d0a6-44a1-8fca-b0940bb5936f.vbs"
        14⤵
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db0ee52f-36c8-42a9-9900-2566b96f98c3.vbs"
        12⤵
        
        PID:5808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85bd7b3b-d425-43cd-b2e0-b7fbd626656a.vbs"
        10⤵
        
        PID:4648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa2c0a7f-8685-4f75-89c4-f8eeceb1af26.vbs"
        8⤵
        
        PID:5464
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c974f79-751b-429a-80b7-c4c3a3d0475a.vbs"
        6⤵
        
        PID:4572
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31114962-9200-4bcb-a63c-67baa6914405.vbs"
      4⤵
      PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\mui\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Help\mui\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\005e7da7-9b61-49d9-b78b-0a216e263813.vbs

Filesize
740B

MD5
218efeb312587893efd31e4d121c8e55

SHA1
3efc7f6ae038ad74a1795b7ef621c8b60d9d0fdf

SHA256
c28579680e8b11138b18489c54412107cfbcb10b83894a36aad11efa51d075b1

SHA512
fc24cb92bc62bc5dfc4c4ac09c5506cd7846e561b0275b6e58f0788e82a37b3716e962a4c4cf4be1259b8d210c7604bc19dd45b0a2fc70a90eedf6b901194953

Download Submit
C:\Users\Admin\AppData\Local\Temp\05bc5c1c-5f07-4c8e-8ebb-0568a88c5e7e.vbs

Filesize
739B

MD5
b34a93f15a36b1ae45b2553296055a58

SHA1
64c03843fa4a7e08eddf3903ccc18a16b23f3c74

SHA256
a78577c20657127cc06e0761a9b61b454b7a9eca1111f45c952801a2dbd04022

SHA512
09da75e9764d1724e3d93b31c4bab87080ef78f30b714cae429ab29b88e8ed57b52e6979270e10aef02079e184f5de5e65a2b00f8aaa5b20aea8d0d30db42f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\088499da-e8d8-4628-a18b-65db03406a7d.vbs

Filesize
740B

MD5
06a0eac5343888a17119befb5a84ac1b

SHA1
e3ff6b7a8375f22d9bffe44a76430022d63d63d7

SHA256
17fb1a5124febeca852c4441953d40dcdae69495f2e2bcc24ee228a617f6cb0e

SHA512
41a90289de378a9f018d15501588ec453d57cb021d4fe4911114b9f2887da226ece3260e2cd67c3b643b8ca4fddb0a6f5c889c04ceb81729b710e91727b648bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\17b6f4d7-8afe-4f4f-af0c-e6503d0924c2.vbs

Filesize
739B

MD5
4c38fb75d86a08f277e92e032d37e5ae

SHA1
6a9f1be0f0aa37211565f1e8b53e9519b0d08d23

SHA256
bacc47493c86da87bb3190558d570ca6a1c6296006f8fcab332d26661e1b3eef

SHA512
a1ed31d560d34f9f9e30c6066eb51e52fae9c6186eb740719d4bc0cea4de3538784cd3c6b6b7a5e62dc4472858293a89b325013529ff6dd3075a0de9a19f84ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\307735b1-d55c-4ad3-a194-696715315fe7.vbs

Filesize
740B

MD5
4522bdedb1aef4cbfe8343a100b92e09

SHA1
138635ad7a5e60cc40d036f8d649c5416069ec40

SHA256
878349822550faa5baeaf79f81c7987e40f27a70fdeae42f2071596e9d61cb38

SHA512
a79d8ddc1e6a4487e35ef98674f7fa76571328cc0be1e16b16a82f56ee9fb1394ddf33dd5f4f48f0c2440eccd05f963813c604adaba4b4137c62f02217b04eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\31114962-9200-4bcb-a63c-67baa6914405.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\33240841-d0a6-44a1-8fca-b0940bb5936f.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\397c6035-e07a-4fab-922c-e5c41cfb9519.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\400a7f28eda5a93994b450f15e20b8d2264d46c0.exe

Filesize
1.3MB

MD5
32e1b0bf75950d5889638f0e030f70c0

SHA1
46452b2a92fc30511ebe60c7daf946e039240985

SHA256
91bc33ad3f53ecdae0a4f033c876fabae135910ea24351c6aee87d85d1bfff9f

SHA512
2b58e540672e426838a436e6ef31cd46dafb2ca00767c35efcb4822ec19801fc33ef93fa61fae204249753ae58ad864b29747662c36691a8ed6a59ac0ddd860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a11f9f0-6903-4bd1-abf1-11419fdcffad.vbs

Filesize
740B

MD5
e6c45fb2a551b0aaad290fcd9490750e

SHA1
547adaf1ebd42e340899e98aedbdc19627c0dd83

SHA256
e6fc4775e4d5dee43e18567531edcad581bc18b57f96cbf0d79b2bdc1165f24d

SHA512
84480bf6681537d46eab821ae72717d6fd5172658c38327613fe621ac535b04a5c3aefb3d6f1198cf6e22abce061f40206337184808d6c7b684026ee633259a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ef62912-c4dd-4954-a5f5-37cc504469f9.vbs

Filesize
740B

MD5
b9ea7a155332eb3ea9575015b638ef48

SHA1
eb123cb1d60b36c8e79d46c221d4337d83bd524c

SHA256
7dcf76671426b23e41db37b4ff9718fe3ae2439e3f66d4eb1ef47b0df77ce935

SHA512
1530fcb818fbfdacd187ba96d909d0e5219477ab597d21aeebaa2ce25b3e34b100c2e1738879fd8d1764103a6f5891d7b3f2fd6b28b78cbbd41161926979b7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\5067bf7f-658e-4c89-9f4d-243e7784b636.vbs

Filesize
740B

MD5
85a9c72b155c801a0baa71bb819529d5

SHA1
aec3e2edaf93cc871cf5e2927a1c6e1b6eecf6a8

SHA256
8bd7332b5bf0f4d4ac73b26e7ae79af7a9481d8bed7f71962d751ddd4a337056

SHA512
9fe7bddcf335562e8b3b0a987f9ed5b108f136c967f3f16e73c07547a4138a475ed98dc0b11021b970e71969cc39225eba67d1984f431090e29c0461ce762291

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c00cdc4-f779-4ba2-8ff0-952e4ac965e1.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6923235d-cca9-4306-91e9-aa83441d5e50.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7302baa4-e0f0-492b-9d1b-b311549743f2.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e5c619c-d74c-4fd7-9192-458b5f929fd1.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f7636e-c3ef-4dbb-b34b-00069538b545.vbs

Filesize
740B

MD5
300a929c8eff742fc99a26c8c5055515

SHA1
149107eec49d1de7b8d003d77f6dbae43abcb764

SHA256
4676ec7b20fd4fbfdb7e5dc84fd9b4cb41c2ccc696ca228c367658a1ad8b7a7f

SHA512
1cc50593c1ff09315cd04d11deb99ee2da6f6a7f6981640a865b796cc218b14efc5f3759cdaccfcec99b18a5323c9c0d178b2fb0a01f3e85e3ea24419be5c91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\85bd7b3b-d425-43cd-b2e0-b7fbd626656a.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c974f79-751b-429a-80b7-c4c3a3d0475a.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c974f79-751b-429a-80b7-c4c3a3d0475a.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE1qKFefTY.bat

Filesize
229B

MD5
2f57bc5694f260215908a15e89f55d55

SHA1
8904149477da68348694bbde7dba1d7171110f31

SHA256
c2379152284f8400ce017eb2370dded32781c18b03b66e7a5c108a45841c97fc

SHA512
a011d1dd30aeeb0bc14a579897a7c5d560b34845e79e4cec2baddf96a1228ea3a73d8414571c57a8dbbcf85e4395ddeeb9445a33dce24f42ff7c67163929447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lezhfa1v.xq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa2c0a7f-8685-4f75-89c4-f8eeceb1af26.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab423b37-3c87-4bd8-bfd9-7bac45402008.vbs

Filesize
739B

MD5
4c38fb75d86a08f277e92e032d37e5ae

SHA1
6a9f1be0f0aa37211565f1e8b53e9519b0d08d23

SHA256
bacc47493c86da87bb3190558d570ca6a1c6296006f8fcab332d26661e1b3eef

SHA512
a1ed31d560d34f9f9e30c6066eb51e52fae9c6186eb740719d4bc0cea4de3538784cd3c6b6b7a5e62dc4472858293a89b325013529ff6dd3075a0de9a19f84ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab423b37-3c87-4bd8-bfd9-7bac45402008.vbs

Filesize
739B

MD5
4c38fb75d86a08f277e92e032d37e5ae

SHA1
6a9f1be0f0aa37211565f1e8b53e9519b0d08d23

SHA256
bacc47493c86da87bb3190558d570ca6a1c6296006f8fcab332d26661e1b3eef

SHA512
a1ed31d560d34f9f9e30c6066eb51e52fae9c6186eb740719d4bc0cea4de3538784cd3c6b6b7a5e62dc4472858293a89b325013529ff6dd3075a0de9a19f84ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6171f26-e60a-4c05-8ece-723a13765be7.vbs

Filesize
740B

MD5
dcdd7c633b72200eef802ef249d0c8aa

SHA1
cb7ab4d2a333e04ec42c9263c217649ca6d83a0f

SHA256
f88cc377f27a26796891d4abed936e7e516676b297a3fbaca97b565da948a770

SHA512
37749ddd9b5fc54fc0d6a1a24840256954cfc859f5e765f4f86a2b88b22ec664a0db13665c649aee9c2a38a216aa3f56945310bbb195375fc03b09fc07d73e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8e3613a-0f14-4064-aa09-05a99f351a5b.vbs

Filesize
740B

MD5
15b9e7fa86bc42cbc85e81dee81f703a

SHA1
37d24f4c71c338b1b8e3d35116ec8ab97a5b7f32

SHA256
7f41871768688a09cde7dbab183b34c6a71fd22e3c5ce3b1f007e629556d241f

SHA512
b101ef1c312070beba71e92a61fe1d87a2b3e64864298ebf96b20a4910bf38bb355ac8894bd49e6baed6b7a7de1070a831e0e04bae69d51d0849ba2624f13529

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca220019-8989-4eb0-8f68-559a6c89e602.vbs

Filesize
740B

MD5
e4999334bb6e913da981c8fc97ecaa4a

SHA1
da5f8484be3745ced6bafd94d70ace7ef78b4739

SHA256
31f3c097e03882bcda962740ba287594a975d786003a5acb6008c31750094dc1

SHA512
f5808c5f90a4ae5b1fba20bbaf0ceda5a3ea7357e6c33d2800f206bf7a59a6e68b99592fbf476f8bc4d06fb831aaf229601ad5ced8fa3a8dd065edd019743dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\db0ee52f-36c8-42a9-9900-2566b96f98c3.vbs

Filesize
516B

MD5
a78e6cfc3775a09ad3687c473b2aaaba

SHA1
881214518709c219c3de093f488e76e2289763f3

SHA256
cdc161e9cb6e5153cbcb8704b3333da0757a333f78f1c98c679bb40dfdc1172e

SHA512
0342d4824144f1cbfb3af5fd043f6683c45ef8b6bdf7248aee108846a87e9617060809982e7afb8ef9fd021d4b296ddc841f3746d87fc411624048cc934c22cc

Download Submit
C:\Windows\Help\mui\wininit.exe

Filesize
1.3MB

MD5
e57186631f0d11f33114d4df5efd9563

SHA1
ce0e3fcff38c687afd43993c09ea5e02de5d3c6d

SHA256
28ddc0c768d6b2609cc8ab8c71c49e7cad7537beae61b621b2dc7cf3a89383a0

SHA512
2fcd33f9bb1d93cc20a7ace260c41b1ac3b352d463d0c9c13c49ce73a2325cf62cc779c8b5b677fdec30d923c3d3d1f9afdb532c5448728f12d741c55eb76d4c

Download Submit
memory/1376-100-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/1376-116-0x0000017077F70000-0x0000017077F92000-memory.dmp

Filesize
136KB

Download
memory/1376-244-0x0000017076190000-0x00000170761A0000-memory.dmp

Filesize
64KB

Download
memory/1376-101-0x0000017076190000-0x00000170761A0000-memory.dmp

Filesize
64KB

Download
memory/1376-102-0x0000017076190000-0x00000170761A0000-memory.dmp

Filesize
64KB

Download
memory/1800-285-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/1800-233-0x00000174EE9B0000-0x00000174EE9C0000-memory.dmp

Filesize
64KB

Download
memory/1800-241-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/1800-254-0x00000174EE9B0000-0x00000174EE9C0000-memory.dmp

Filesize
64KB

Download
memory/1800-232-0x00000174EE9B0000-0x00000174EE9C0000-memory.dmp

Filesize
64KB

Download
memory/2200-104-0x0000022399B20000-0x0000022399B30000-memory.dmp

Filesize
64KB

Download
memory/2200-236-0x0000022399B20000-0x0000022399B30000-memory.dmp

Filesize
64KB

Download
memory/2200-103-0x0000022399B20000-0x0000022399B30000-memory.dmp

Filesize
64KB

Download
memory/2200-238-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2200-293-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2336-259-0x000001CAC1EF0000-0x000001CAC1F00000-memory.dmp

Filesize
64KB

Download
memory/2336-237-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2720-258-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2720-118-0x00000137983D0000-0x00000137983E0000-memory.dmp

Filesize
64KB

Download
memory/2720-119-0x00000137983D0000-0x00000137983E0000-memory.dmp

Filesize
64KB

Download
memory/2720-251-0x00000137983D0000-0x00000137983E0000-memory.dmp

Filesize
64KB

Download
memory/2720-106-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2800-246-0x000001B17B2F0000-0x000001B17B300000-memory.dmp

Filesize
64KB

Download
memory/2800-227-0x000001B17B2F0000-0x000001B17B300000-memory.dmp

Filesize
64KB

Download
memory/2800-225-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2800-290-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3004-56-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/3004-8-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

Filesize
48KB

Download
memory/3004-1-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3004-6-0x000000001BFC0000-0x000000001BFD6000-memory.dmp

Filesize
88KB

Download
memory/3004-0-0x0000000000D20000-0x0000000000E72000-memory.dmp

Filesize
1.3MB

Download
memory/3004-2-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/3004-7-0x000000001BFE0000-0x000000001BFEA000-memory.dmp

Filesize
40KB

Download
memory/3004-5-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/3004-52-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3004-4-0x000000001C140000-0x000000001C190000-memory.dmp

Filesize
320KB

Download
memory/3004-117-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3004-3-0x000000001BFA0000-0x000000001BFBC000-memory.dmp

Filesize
112KB

Download
memory/3328-196-0x0000010546700000-0x0000010546710000-memory.dmp

Filesize
64KB

Download
memory/3328-260-0x0000010546700000-0x0000010546710000-memory.dmp

Filesize
64KB

Download
memory/3328-177-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3328-283-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3540-257-0x000001DEC39A0000-0x000001DEC39B0000-memory.dmp

Filesize
64KB

Download
memory/3540-231-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4004-226-0x000002F005E80000-0x000002F005E90000-memory.dmp

Filesize
64KB

Download
memory/4004-215-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4004-239-0x000002F005E80000-0x000002F005E90000-memory.dmp

Filesize
64KB

Download
memory/4116-229-0x000002312D450000-0x000002312D460000-memory.dmp

Filesize
64KB

Download
memory/4116-240-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4116-289-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4116-230-0x000002312D450000-0x000002312D460000-memory.dmp

Filesize
64KB

Download
memory/4272-252-0x0000016CA2810000-0x0000016CA2820000-memory.dmp

Filesize
64KB

Download
memory/4272-235-0x0000016CA2810000-0x0000016CA2820000-memory.dmp

Filesize
64KB

Download
memory/4272-234-0x0000016CA2810000-0x0000016CA2820000-memory.dmp

Filesize
64KB

Download
memory/4272-280-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4272-243-0x0000016CA2810000-0x0000016CA2820000-memory.dmp

Filesize
64KB

Download
memory/4272-242-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4516-130-0x000001A3BBAF0000-0x000001A3BBB00000-memory.dmp

Filesize
64KB

Download
memory/4516-253-0x000001A3BBAF0000-0x000001A3BBB00000-memory.dmp

Filesize
64KB

Download
memory/4516-245-0x000001A3BBAF0000-0x000001A3BBB00000-memory.dmp

Filesize
64KB

Download
memory/4516-129-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4516-131-0x000001A3BBAF0000-0x000001A3BBB00000-memory.dmp

Filesize
64KB

Download
memory/5388-250-0x00007FFCB8060000-0x00007FFCB8B21000-memory.dmp

Filesize
10.8MB

Download
memory/5388-261-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download