dcrat | e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
Size

1.3MB
MD5

a6195d03656c097a2398f7d5fb0778a0
SHA1

968f6bf92173ef27a62cf1e4a28f98cf091f4db7
SHA256

e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48
SHA512

d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53
SSDEEP

24576:h/DBENpV4Ttrg7k+F9P8w7YomZunmGKgPL+0Ha:9DKpVoaJQkmUnbhL/

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2728	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2728	schtasks.exe	28

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1576-0-0x0000000000850000-0x00000000009A2000-memory.dmp	dcrat
behavioral1/memory/1576-11-0x000000001AF90000-0x000000001B010000-memory.dmp	dcrat
behavioral1/files/0x000a000000015c8f-18.dat	dcrat
behavioral1/files/0x000f000000015deb-171.dat	dcrat
behavioral1/files/0x0007000000015d39-259.dat	dcrat
behavioral1/files/0x0007000000015d39-261.dat	dcrat
behavioral1/memory/2960-296-0x0000000000C40000-0x0000000000D92000-memory.dmp	dcrat
behavioral1/files/0x0007000000015d39-338.dat	dcrat
behavioral1/files/0x0009000000016d85-346.dat	dcrat
behavioral1/files/0x0007000000015d39-353.dat	dcrat
behavioral1/files/0x0009000000016d85-359.dat	dcrat
behavioral1/files/0x0007000000015d39-367.dat	dcrat
behavioral1/files/0x0009000000016d85-373.dat	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2960	winlogon.exe
1592	winlogon.exe
864	winlogon.exe
2152	winlogon.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCX53F.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\RCX3582.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\csrss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Common Files\Services\taskhost.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Common Files\Services\b75386f1303e64	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\winlogon.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX1945.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX2164.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\taskhost.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Microsoft Office\Office14\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Internet Explorer\it-IT\winlogon.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Windows Media Player\en-US\audiodg.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\DVD Maker\es-ES\csrss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXEB5.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCX5506.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\services.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\c5b4cb5e9653cc	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6cb0b6c459d5d3	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Internet Explorer\it-IT\cc11b995f2a76d	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Windows Journal\ja-JP\b75386f1303e64	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCX10B9.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCX1F60.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\69ddcba757bf72	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Windows Journal\ja-JP\taskhost.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCX976.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Microsoft Office\Office14\80ed86b77df2f8	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\audiodg.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\Windows Media Player\en-US\42af1c969fbb7b	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File created	C:\Program Files\DVD Maker\es-ES\886983d96e3d3e	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\services.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCX152E.tmp	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
File opened for modification	C:\Program Files\Common Files\Services\taskhost.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0000\csrss.exe	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2744	schtasks.exe
1092	schtasks.exe
1256	schtasks.exe
556	schtasks.exe
1912	schtasks.exe
956	schtasks.exe
2596	schtasks.exe
744	schtasks.exe
1600	schtasks.exe
2652	schtasks.exe
628	schtasks.exe
2088	schtasks.exe
3064	schtasks.exe
2244	schtasks.exe
1936	schtasks.exe
364	schtasks.exe
1768	schtasks.exe
1636	schtasks.exe
1724	schtasks.exe
1748	schtasks.exe
1644	schtasks.exe
772	schtasks.exe
1956	schtasks.exe
1456	schtasks.exe
2912	schtasks.exe
2532	schtasks.exe
872	schtasks.exe
2544	schtasks.exe
1992	schtasks.exe
820	schtasks.exe
1896	schtasks.exe
2868	schtasks.exe
2636	schtasks.exe
1188	schtasks.exe
1160	schtasks.exe
2940	schtasks.exe
1964	schtasks.exe
2392	schtasks.exe
2676	schtasks.exe
2756	schtasks.exe
1836	schtasks.exe
2448	schtasks.exe
2764	schtasks.exe
2232	schtasks.exe
2352	schtasks.exe
764	schtasks.exe
2368	schtasks.exe
2928	schtasks.exe
2300	schtasks.exe
1712	schtasks.exe
3048	schtasks.exe
436	schtasks.exe
1976	schtasks.exe
824	schtasks.exe
840	schtasks.exe
1764	schtasks.exe
320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
2084	powershell.exe
1596	powershell.exe
1928	powershell.exe
1104	powershell.exe
1468	powershell.exe
2200	powershell.exe
524	powershell.exe
2660	powershell.exe
1080	powershell.exe
2032	powershell.exe
2108	powershell.exe
1924	powershell.exe
2960	winlogon.exe
1592	winlogon.exe
864	winlogon.exe
2152	winlogon.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2960	winlogon.exe
Token: SeDebugPrivilege	1592	winlogon.exe
Token: SeDebugPrivilege	864	winlogon.exe
Token: SeDebugPrivilege	2152	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1596	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	88
PID 1576 wrote to memory of 1596	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	88
PID 1576 wrote to memory of 1596	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	88
PID 1576 wrote to memory of 2084	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	94
PID 1576 wrote to memory of 2084	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	94
PID 1576 wrote to memory of 2084	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	94
PID 1576 wrote to memory of 2660	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	93
PID 1576 wrote to memory of 2660	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	93
PID 1576 wrote to memory of 2660	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	93
PID 1576 wrote to memory of 2200	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	91
PID 1576 wrote to memory of 2200	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	91
PID 1576 wrote to memory of 2200	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	91
PID 1576 wrote to memory of 1928	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	95
PID 1576 wrote to memory of 1928	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	95
PID 1576 wrote to memory of 1928	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	95
PID 1576 wrote to memory of 1080	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	110
PID 1576 wrote to memory of 1080	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	110
PID 1576 wrote to memory of 1080	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	110
PID 1576 wrote to memory of 524	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	97
PID 1576 wrote to memory of 524	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	97
PID 1576 wrote to memory of 524	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	97
PID 1576 wrote to memory of 2032	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	109
PID 1576 wrote to memory of 2032	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	109
PID 1576 wrote to memory of 2032	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	109
PID 1576 wrote to memory of 1468	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	108
PID 1576 wrote to memory of 1468	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	108
PID 1576 wrote to memory of 1468	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	108
PID 1576 wrote to memory of 1924	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	107
PID 1576 wrote to memory of 1924	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	107
PID 1576 wrote to memory of 1924	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	107
PID 1576 wrote to memory of 1104	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	99
PID 1576 wrote to memory of 1104	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	99
PID 1576 wrote to memory of 1104	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	99
PID 1576 wrote to memory of 2108	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	98
PID 1576 wrote to memory of 2108	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	98
PID 1576 wrote to memory of 2108	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	98
PID 1576 wrote to memory of 2192	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	112
PID 1576 wrote to memory of 2192	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	112
PID 1576 wrote to memory of 2192	1576	NEAS.a6195d03656c097a2398f7d5fb0778a0.exe	112
PID 2192 wrote to memory of 1460	2192	cmd.exe	114
PID 2192 wrote to memory of 1460	2192	cmd.exe	114
PID 2192 wrote to memory of 1460	2192	cmd.exe	114
PID 2192 wrote to memory of 2960	2192	cmd.exe	115
PID 2192 wrote to memory of 2960	2192	cmd.exe	115
PID 2192 wrote to memory of 2960	2192	cmd.exe	115
PID 2960 wrote to memory of 2920	2960	winlogon.exe	116
PID 2960 wrote to memory of 2920	2960	winlogon.exe	116
PID 2960 wrote to memory of 2920	2960	winlogon.exe	116
PID 2960 wrote to memory of 108	2960	winlogon.exe	117
PID 2960 wrote to memory of 108	2960	winlogon.exe	117
PID 2960 wrote to memory of 108	2960	winlogon.exe	117
PID 2920 wrote to memory of 1592	2920	WScript.exe	118
PID 2920 wrote to memory of 1592	2920	WScript.exe	118
PID 2920 wrote to memory of 1592	2920	WScript.exe	118
PID 1592 wrote to memory of 2228	1592	winlogon.exe	119
PID 1592 wrote to memory of 2228	1592	winlogon.exe	119
PID 1592 wrote to memory of 2228	1592	winlogon.exe	119
PID 1592 wrote to memory of 2452	1592	winlogon.exe	120
PID 1592 wrote to memory of 2452	1592	winlogon.exe	120
PID 1592 wrote to memory of 2452	1592	winlogon.exe	120
PID 2228 wrote to memory of 864	2228	WScript.exe	121
PID 2228 wrote to memory of 864	2228	WScript.exe	121
PID 2228 wrote to memory of 864	2228	WScript.exe	121
PID 864 wrote to memory of 1776	864	winlogon.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KK6vRbY5uf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1460
- - C:\Program Files\Internet Explorer\it-IT\winlogon.exe
    "C:\Program Files\Internet Explorer\it-IT\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f77402-c956-4797-978c-63095986e43f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files\Internet Explorer\it-IT\winlogon.exe
        
        "C:\Program Files\Internet Explorer\it-IT\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dadc871c-8260-4584-9ad7-830ee33088ee.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Program Files\Internet Explorer\it-IT\winlogon.exe
        
        "C:\Program Files\Internet Explorer\it-IT\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bea0a914-0be6-4fd3-84d1-939bfa3dbb8b.vbs"
        8⤵
        
        PID:1776
        
        C:\Program Files\Internet Explorer\it-IT\winlogon.exe
        
        "C:\Program Files\Internet Explorer\it-IT\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e003328-2522-48e0-9c92-efd187dd7d41.vbs"
        10⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c63747af-bbc2-46d9-bb2b-04268415afcc.vbs"
        10⤵
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef7b029d-9981-40d3-8133-69e11c05ab8c.vbs"
        8⤵
        
        PID:2516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f7af17-3768-42ca-a659-c0dda8f8928d.vbs"
        6⤵
        
        PID:2452
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac366843-ff8f-4d69-b0a8-8995b72fcb0d.vbs"
      4⤵
      PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.a6195d03656c097a2398f7d5fb0778a0N" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.a6195d03656c097a2398f7d5fb0778a0" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.a6195d03656c097a2398f7d5fb0778a0N" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\NEAS.a6195d03656c097a2398f7d5fb0778a0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Adobe\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Adobe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Adobe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.3MB

MD5
e3b87186546e4fe038f250bf028f8ac2

SHA1
fd38965d1e9a031ffef502e1738ba42003080e36

SHA256
f75f4efe3eef80cbbcf224c6d09d874ec66aefe5591c8b36fb44d2fa9d15d157

SHA512
09c3daf8e48b6df42e157a4a50707504c8254249752e9f7f8125930afed9a2efdf7d5db7960e2630f4057d7189e7eec6c8fd1f79a2ee1dd87b73a1d0331695a3

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Program Files\Internet Explorer\it-IT\winlogon.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Program Files\Internet Explorer\it-IT\winlogon.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Program Files\Internet Explorer\it-IT\winlogon.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Program Files\Internet Explorer\it-IT\winlogon.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Program Files\Internet Explorer\it-IT\winlogon.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\5835297371369492fd13cbc873db2be1f9d0a4a2.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\5835297371369492fd13cbc873db2be1f9d0a4a2.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\5835297371369492fd13cbc873db2be1f9d0a4a2.exe

Filesize
1.3MB

MD5
a6195d03656c097a2398f7d5fb0778a0

SHA1
968f6bf92173ef27a62cf1e4a28f98cf091f4db7

SHA256
e4b1f88ae1cfda5b1c8745ed23a8f3696c41cc5ef1ed271ba391ffe1e5a8df48

SHA512
d93877c2f1e9b1f7aaa3b6bc5fbd3c8d99d9617b3b1c77e1051d5877c7783c6eeb17ba909112f5a0b0dd6d61cae373e331d9787038adbea256a4a8b9d4f11c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e003328-2522-48e0-9c92-efd187dd7d41.vbs

Filesize
729B

MD5
773d22e942a2eb248ed62a2eb328fa8c

SHA1
ece73c8eab72231fbbca1cc15582e0a4e1230e71

SHA256
b61f309613efa03736024167b5ddf4f465ccb7b33e0d4842b70e060f20eb8ae3

SHA512
c24dc130baa605cb0d4818207845e2bb95cc06d800624dd76d3cb75bfd48933d4133c37d2bb462277053e28dec967e11609457b385d16eba4e931575775097f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\71f77402-c956-4797-978c-63095986e43f.vbs

Filesize
729B

MD5
c900b5eadd80c5460bdfbf201e592b6b

SHA1
770f3237634858c430a1bff736253c03e63d22f4

SHA256
b7b0e2ddf8ca2150bf9c226330c465be086c5bab09ee19fbf680d10999de75aa

SHA512
fc691d5d8d3598e811d95c3aa22ab5a134b313fb5ac72d385e7a66de43c068978c2f09327aa71e37fd502757dd36f0048b40dfa4a5d03d2ae480db626599ec0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KK6vRbY5uf.bat

Filesize
218B

MD5
ece70053f48c7b37397d32523c902e84

SHA1
10b2da62fd3f09060cb07b251d47debc9629a981

SHA256
4ff9d27eb31a207ff0bb614a04f673f863ff3df0160767f7affbf7911250bc39

SHA512
850914a77f8d8905462b97d699f0e91bebc7f5e7077c833e28ccb1892be5e4f6767278fac6500cd51efcdad2ac8ba785a07d60bb40d4782a72ad07e97b5b6213

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac366843-ff8f-4d69-b0a8-8995b72fcb0d.vbs

Filesize
505B

MD5
8a117d37b50935f585ee48ec8e587e09

SHA1
970311e7dbef8ccce5fc6e78592bd7fb16b81ae8

SHA256
405eb2e8e1e9ad0afec7964ef1582b61af6851f3dea2e84714fe31cbe2981adc

SHA512
a3cb95a2df440a065e72ea4fc9daafec608aa096305a49d410a64a674688074de5b53d73387d753c59596e0a5989c7950d560cd077e5bd93d6983db7b1c90fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8f7af17-3768-42ca-a659-c0dda8f8928d.vbs

Filesize
505B

MD5
8a117d37b50935f585ee48ec8e587e09

SHA1
970311e7dbef8ccce5fc6e78592bd7fb16b81ae8

SHA256
405eb2e8e1e9ad0afec7964ef1582b61af6851f3dea2e84714fe31cbe2981adc

SHA512
a3cb95a2df440a065e72ea4fc9daafec608aa096305a49d410a64a674688074de5b53d73387d753c59596e0a5989c7950d560cd077e5bd93d6983db7b1c90fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8f7af17-3768-42ca-a659-c0dda8f8928d.vbs

Filesize
505B

MD5
8a117d37b50935f585ee48ec8e587e09

SHA1
970311e7dbef8ccce5fc6e78592bd7fb16b81ae8

SHA256
405eb2e8e1e9ad0afec7964ef1582b61af6851f3dea2e84714fe31cbe2981adc

SHA512
a3cb95a2df440a065e72ea4fc9daafec608aa096305a49d410a64a674688074de5b53d73387d753c59596e0a5989c7950d560cd077e5bd93d6983db7b1c90fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bea0a914-0be6-4fd3-84d1-939bfa3dbb8b.vbs

Filesize
728B

MD5
621c32136a358334e2dd7885407f2d88

SHA1
0c4229c947722d427179cf1579f119b3200599f0

SHA256
a986ea9921b38da9aec019a95b2cc2bdbd5298b84b1ca207a13c00d8580ac83f

SHA512
876aecd01134316facfa3f7a420a91a91101d37c57ccefdcb2d95b69db19da628f47de0168691274fe8b38c984e31e3f471ad073ca00e1ed6041ea427c828d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\c63747af-bbc2-46d9-bb2b-04268415afcc.vbs

Filesize
505B

MD5
8a117d37b50935f585ee48ec8e587e09

SHA1
970311e7dbef8ccce5fc6e78592bd7fb16b81ae8

SHA256
405eb2e8e1e9ad0afec7964ef1582b61af6851f3dea2e84714fe31cbe2981adc

SHA512
a3cb95a2df440a065e72ea4fc9daafec608aa096305a49d410a64a674688074de5b53d73387d753c59596e0a5989c7950d560cd077e5bd93d6983db7b1c90fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dadc871c-8260-4584-9ad7-830ee33088ee.vbs

Filesize
729B

MD5
f2fc54b19b01e8f40330374402ee72f8

SHA1
3b295bcdf4e4c9a0711030ed5abd67ef04a2e19f

SHA256
4c138ce606acb4b2e888c3f6bcdd14111b6d87af9cc7c5117fb2ed1a6201bf46

SHA512
821d10d47f18370d3477f1bdecbc81c7295b2587080d35c5f87fe8bf6bd021888ed59f1296c07d0a021cce007c6007730a992dfcbfe29dd4fec345b1cdde8f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef7b029d-9981-40d3-8133-69e11c05ab8c.vbs

Filesize
505B

MD5
8a117d37b50935f585ee48ec8e587e09

SHA1
970311e7dbef8ccce5fc6e78592bd7fb16b81ae8

SHA256
405eb2e8e1e9ad0afec7964ef1582b61af6851f3dea2e84714fe31cbe2981adc

SHA512
a3cb95a2df440a065e72ea4fc9daafec608aa096305a49d410a64a674688074de5b53d73387d753c59596e0a5989c7950d560cd077e5bd93d6983db7b1c90fae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ESUGC8WOL81LT2R9R2KR.temp

Filesize
7KB

MD5
191edef7d8a72230cca37d9c62912819

SHA1
0822f2e25450e2b41ddc3bdf678394062e7c0f57

SHA256
67f417c46656a805dc84737f0ba342e30e37aec13f80d46daeb21d52883caaa2

SHA512
3b5c3cfcbe6d0b8a4e13c6684c7d96e33b3d9f47eeaed8fb1e414de7e0cabcf3d8492295b556ff371d229aa4af2afaa439e72816798de425d4b7f51aaeb12552

Download Submit
memory/524-270-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/524-268-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/524-267-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1080-283-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1080-284-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1080-282-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1080-285-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1080-286-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1104-258-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1104-256-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1104-260-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1104-262-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1468-264-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1468-266-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1468-265-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1468-263-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1576-2-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1576-5-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/1576-0-0x0000000000850000-0x00000000009A2000-memory.dmp

Filesize
1.3MB

Download
memory/1576-243-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-11-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1576-1-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-3-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/1576-4-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1576-10-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-7-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1576-6-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1596-252-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1596-249-0x000000000253B000-0x00000000025A2000-memory.dmp

Filesize
412KB

Download
memory/1596-255-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1924-293-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1924-292-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-294-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1924-295-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1928-251-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-257-0x000000000299B000-0x0000000002A02000-memory.dmp

Filesize
412KB

Download
memory/1928-254-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-253-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2032-276-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/2032-269-0x000000000265B000-0x00000000026C2000-memory.dmp

Filesize
412KB

Download
memory/2032-272-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-241-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2084-244-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-248-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-247-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2084-246-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2084-250-0x000000000258B000-0x00000000025F2000-memory.dmp

Filesize
412KB

Download
memory/2084-245-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2084-240-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2108-287-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-290-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2108-288-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2108-291-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2108-289-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2200-275-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2200-274-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2200-273-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2200-271-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-281-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2660-277-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-278-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2660-279-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-280-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2960-296-0x0000000000C40000-0x0000000000D92000-memory.dmp

Filesize
1.3MB

Download