dcrat | 45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
Size

1.7MB
MD5

d6ece0dfc8c9c95e0cc2851ee372405d
SHA1

2fd8432db75562aa867903b69f1e2c36bbac5fab
SHA256

45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d
SHA512

b9e47c3073a8d2dac54f6937491bc55a4c25c23066bbd08d8f5e5203258684ea17d6a3b65c45174c5a8426422c30422dd8773ee560f3fd874cd1a363f2336b27
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKva:+THUxUoh1IF9gl2Z

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2696	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2340-1-0x0000000000370000-0x0000000000530000-memory.dmp	dcrat
behavioral1/files/0x0005000000019659-27.dat	dcrat
behavioral1/files/0x000b000000019615-118.dat	dcrat
behavioral1/files/0x0007000000019c36-152.dat	dcrat
behavioral1/files/0x0006000000019d40-162.dat	dcrat
behavioral1/files/0x0007000000019d40-169.dat	dcrat
behavioral1/files/0x0007000000019da9-187.dat	dcrat
behavioral1/memory/1556-272-0x00000000011C0000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1740-319-0x0000000000160000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2336-332-0x00000000001F0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1924-344-0x00000000002E0000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1348-356-0x0000000000970000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/1720-368-0x0000000000360000-0x0000000000520000-memory.dmp	dcrat
behavioral1/memory/2980-381-0x0000000000BD0000-0x0000000000D90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe
1800	powershell.exe
2544	powershell.exe
1688	powershell.exe
2344	powershell.exe
2308	powershell.exe
1724	powershell.exe
2884	powershell.exe
1368	powershell.exe
776	powershell.exe
2792	powershell.exe
2000	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Executes dropped EXE 10 IoCs

pid	Process
1556	lsm.exe
2904	lsm.exe
2316	lsm.exe
984	lsm.exe
1740	lsm.exe
2336	lsm.exe
1924	lsm.exe
1348	lsm.exe
1720	lsm.exe
2980	lsm.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\dtplugin\42af1c969fbb7b	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8BEF.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8C5D.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RCX8E61.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\DVD Maker\Shared\audiodg.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\DVD Maker\Shared\42af1c969fbb7b	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\dwm.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\6cb0b6c459d5d3	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RCX785D.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RCX785E.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\RCX7C87.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX8090.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\dllhost.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Windows Media Player\Icons\winlogon.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\RCX7C86.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX808F.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\audiodg.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX897E.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sppsvc.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RCX8E91.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\dwm.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\5940a34987c991	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\dllhost.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX8910.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Uninstall Information\WmiPrvSE.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2400	schtasks.exe
668	schtasks.exe
2192	schtasks.exe
1976	schtasks.exe
1608	schtasks.exe
1340	schtasks.exe
2468	schtasks.exe
2200	schtasks.exe
2384	schtasks.exe
2280	schtasks.exe
880	schtasks.exe
1268	schtasks.exe
2004	schtasks.exe
2136	schtasks.exe
2112	schtasks.exe
2232	schtasks.exe
2316	schtasks.exe
324	schtasks.exe
2812	schtasks.exe
1860	schtasks.exe
2412	schtasks.exe
2896	schtasks.exe
1956	schtasks.exe
2328	schtasks.exe
2348	schtasks.exe
2560	schtasks.exe
1660	schtasks.exe
776	schtasks.exe
592	schtasks.exe
3040	schtasks.exe
2244	schtasks.exe
1080	schtasks.exe
2888	schtasks.exe
2104	schtasks.exe
1756	schtasks.exe
1652	schtasks.exe
2160	schtasks.exe
2932	schtasks.exe
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
2544	powershell.exe
776	powershell.exe
2792	powershell.exe
2884	powershell.exe
1688	powershell.exe
1724	powershell.exe
2308	powershell.exe
2000	powershell.exe
2344	powershell.exe
1368	powershell.exe
1800	powershell.exe
2080	powershell.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe
1556	lsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1556	lsm.exe
Token: SeDebugPrivilege	2904	lsm.exe
Token: SeDebugPrivilege	2316	lsm.exe
Token: SeDebugPrivilege	984	lsm.exe
Token: SeDebugPrivilege	1740	lsm.exe
Token: SeDebugPrivilege	2336	lsm.exe
Token: SeDebugPrivilege	1924	lsm.exe
Token: SeDebugPrivilege	1348	lsm.exe
Token: SeDebugPrivilege	1720	lsm.exe
Token: SeDebugPrivilege	2980	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2000	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	70
PID 2340 wrote to memory of 2000	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	70
PID 2340 wrote to memory of 2000	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	70
PID 2340 wrote to memory of 2344	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	71
PID 2340 wrote to memory of 2344	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	71
PID 2340 wrote to memory of 2344	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	71
PID 2340 wrote to memory of 2792	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	72
PID 2340 wrote to memory of 2792	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	72
PID 2340 wrote to memory of 2792	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	72
PID 2340 wrote to memory of 776	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	73
PID 2340 wrote to memory of 776	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	73
PID 2340 wrote to memory of 776	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	73
PID 2340 wrote to memory of 1368	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	75
PID 2340 wrote to memory of 1368	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	75
PID 2340 wrote to memory of 1368	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	75
PID 2340 wrote to memory of 2544	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	76
PID 2340 wrote to memory of 2544	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	76
PID 2340 wrote to memory of 2544	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	76
PID 2340 wrote to memory of 2308	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	82
PID 2340 wrote to memory of 2308	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	82
PID 2340 wrote to memory of 2308	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	82
PID 2340 wrote to memory of 1800	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	83
PID 2340 wrote to memory of 1800	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	83
PID 2340 wrote to memory of 1800	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	83
PID 2340 wrote to memory of 2884	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	84
PID 2340 wrote to memory of 2884	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	84
PID 2340 wrote to memory of 2884	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	84
PID 2340 wrote to memory of 1688	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	85
PID 2340 wrote to memory of 1688	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	85
PID 2340 wrote to memory of 1688	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	85
PID 2340 wrote to memory of 1724	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	87
PID 2340 wrote to memory of 1724	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	87
PID 2340 wrote to memory of 1724	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	87
PID 2340 wrote to memory of 2080	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	88
PID 2340 wrote to memory of 2080	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	88
PID 2340 wrote to memory of 2080	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	88
PID 2340 wrote to memory of 1144	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	94
PID 2340 wrote to memory of 1144	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	94
PID 2340 wrote to memory of 1144	2340	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	94
PID 1144 wrote to memory of 700	1144	cmd.exe	96
PID 1144 wrote to memory of 700	1144	cmd.exe	96
PID 1144 wrote to memory of 700	1144	cmd.exe	96
PID 1144 wrote to memory of 1556	1144	cmd.exe	97
PID 1144 wrote to memory of 1556	1144	cmd.exe	97
PID 1144 wrote to memory of 1556	1144	cmd.exe	97
PID 1556 wrote to memory of 3036	1556	lsm.exe	98
PID 1556 wrote to memory of 3036	1556	lsm.exe	98
PID 1556 wrote to memory of 3036	1556	lsm.exe	98
PID 1556 wrote to memory of 2596	1556	lsm.exe	99
PID 1556 wrote to memory of 2596	1556	lsm.exe	99
PID 1556 wrote to memory of 2596	1556	lsm.exe	99
PID 3036 wrote to memory of 2904	3036	WScript.exe	101
PID 3036 wrote to memory of 2904	3036	WScript.exe	101
PID 3036 wrote to memory of 2904	3036	WScript.exe	101
PID 2904 wrote to memory of 2932	2904	lsm.exe	102
PID 2904 wrote to memory of 2932	2904	lsm.exe	102
PID 2904 wrote to memory of 2932	2904	lsm.exe	102
PID 2904 wrote to memory of 1932	2904	lsm.exe	103
PID 2904 wrote to memory of 1932	2904	lsm.exe	103
PID 2904 wrote to memory of 1932	2904	lsm.exe	103
PID 2932 wrote to memory of 2316	2932	WScript.exe	104
PID 2932 wrote to memory of 2316	2932	WScript.exe	104
PID 2932 wrote to memory of 2316	2932	WScript.exe	104
PID 2316 wrote to memory of 2332	2316	lsm.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
"C:\Users\Admin\AppData\Local\Temp\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w82jcrZC1N.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:700
- - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
    "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d9f4424-198a-4625-bea5-b4e6e1e3aa58.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50b4c987-7d00-4a82-844d-2630242d9258.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\478b1186-658d-42f2-ba67-5b2e4e7d1f24.vbs"
        8⤵
        
        PID:2332
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8a3e550-db26-49c4-9409-bb13b58ac35d.vbs"
        10⤵
        
        PID:1080
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c8dd78-6cf2-45cd-be6b-d4152be40739.vbs"
        12⤵
        
        PID:1476
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6bc62b9-5163-4d98-8bf8-d5554a85daf9.vbs"
        14⤵
        
        PID:2296
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c81b43e-7416-4afc-a22f-98e46a10a09e.vbs"
        16⤵
        
        PID:3048
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6a2220b-7f14-4602-92c0-6c5d2dc4c76a.vbs"
        18⤵
        
        PID:2796
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5761cbe-509f-4c34-979f-c52040ce74c0.vbs"
        20⤵
        
        PID:2548
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd994d82-baa6-448a-b431-0f86105fa1cb.vbs"
        22⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a52d24de-9b05-4468-b109-7b1429e87886.vbs"
        22⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bd90848-1548-46ea-8e6e-1efaad2f21d0.vbs"
        20⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eef9607-c08e-4c2a-8d38-e77114844bd9.vbs"
        18⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42c511d5-f612-400c-91f6-807eadf76f8e.vbs"
        16⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5824d848-a7dd-4353-b3f6-a55c7f251455.vbs"
        14⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31890a38-3bcf-47df-8989-3040d491872a.vbs"
        12⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b05fce3-0e10-474c-8117-109110be68ea.vbs"
        10⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9df784c-ea21-49d0-93ce-ded58bfd9df4.vbs"
        8⤵
        
        PID:2216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6852fafc-9cb7-4c21-bf9a-1b7ea53a44c8.vbs"
        6⤵
        
        PID:1932
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f69b8bb-0e3a-49e6-9b06-13ebe35943c7.vbs"
      4⤵
      PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Searches\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Searches\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d4" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d" /sc ONLOGON /tr "'C:\MSOCache\All Users\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d4" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\RCX897E.tmp

Filesize
1.7MB

MD5
1bf4a3c947aba53d4c94cce1ee637443

SHA1
3d6c2b5ab384653b43d0a76b6e0e5b20a3264b1b

SHA256
02d3a64d901517afb94208bde30b214f95118087524969c22e7543d2e799e24a

SHA512
5bf65323efd467b433471caa72b91a1aaa3ee129168cbc1bc275d554297afa5b470f23dc16bf5120fb4fd7195bd017eee4d42e984fd5d1ce2c3235fe9701178f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RCX8E61.tmp

Filesize
1.7MB

MD5
a45ed89732a51d80e51a4729b1f5b34b

SHA1
fef9dbf908ff0a3d881901aac2fb07d034fcad3b

SHA256
dbbec8de53d6f3f58c0539a2fc3e7bc63f923476880cd8916977027fdcf6491f

SHA512
fb45b9d901fcc99206b1a7b92adfd96f661e50ed753ccba924b2e870f7b3e464c05269a8d78e8b103e5ad6ba490eb23f49f3a01a10c5536168716e6b6ac74845

Download Submit
C:\Program Files\Mozilla Firefox\defaults\pref\dllhost.exe

Filesize
1.7MB

MD5
d6ece0dfc8c9c95e0cc2851ee372405d

SHA1
2fd8432db75562aa867903b69f1e2c36bbac5fab

SHA256
45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d

SHA512
b9e47c3073a8d2dac54f6937491bc55a4c25c23066bbd08d8f5e5203258684ea17d6a3b65c45174c5a8426422c30422dd8773ee560f3fd874cd1a363f2336b27

Download Submit
C:\Program Files\Uninstall Information\RCX8C5D.tmp

Filesize
1.7MB

MD5
00b1eac04525cd6f47f0aca265ebb710

SHA1
e2d3ae6e17ead31f4782311eb9112d94ba662b1c

SHA256
10ff9b8427d8c1e31c6d7832438c8e7ae4756023f00a16f109680d95315ed12e

SHA512
ced0fcad7b02aa1940f98ad3bed976b4485708e050653badc921ba86dc713ab66fd899a9a91f55510e6fa10c129ec2ee5db70d8110f723efb69db472b857a45e

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\RCX9112.tmp

Filesize
1.7MB

MD5
57313b7348526a64015349d7bab629b3

SHA1
4fcfa8952ded80ba67ed981154d2f0381c81beea

SHA256
5dd74fd3b59fefbc98eb0623ed7fc9d8d89c2b078c7edb54cd83b75b18ab0963

SHA512
d99a416137b1e02babd421c7978f80500da3460d75a7dfcfdeb179e061cae3591ea07f489e718d5153067ac279bef22790e3455bf893b448d23213e1449df5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d9f4424-198a-4625-bea5-b4e6e1e3aa58.vbs

Filesize
732B

MD5
c7210e252d5b86b61ec37e941c994892

SHA1
c3c2d734f9174e71941236110b930412215a2542

SHA256
4a75a3aad58bd83a9cf4df86f3886373d074654908ce324a965e8757576e0770

SHA512
588ef2f7d2500c5f8b1ad53c77e31b040e09a60ff70f92cc40faf107726d0fdc890c6f7e243863af3f9ebbba5c4f4de2e3826cda851b2cc1d14e8dacece91571

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f69b8bb-0e3a-49e6-9b06-13ebe35943c7.vbs

Filesize
508B

MD5
ac3c4df0397a2e793e2e7a5b8fc3b839

SHA1
f4c320002bde1efae0880ea8704a2d020bd026b9

SHA256
7cdfd07009dd07b3ef686b73a72e88f34dd0833732691db1fac4941fdd4bc4f2

SHA512
86f302dabb93210178b56bf9e943eeeea0720378fa65f4bc09db306e4e2002fdc83353717f8f4e12b5cead13da1f5f747d58647d3e1ae244228aa443bbf25a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\478b1186-658d-42f2-ba67-5b2e4e7d1f24.vbs

Filesize
732B

MD5
837c5f17a58eff23520552b85ff56691

SHA1
303c6e69b8e2f1f793eb666b9d5a46ebf4b20b91

SHA256
d79afcba4a4a7dc49c46d77513e7d219444227369a02742a22b474529dbea600

SHA512
1baecc6e6f690aea3e7d8221e7a4c3f514b5e6ad2e1e85b7af42745f67bec1fb68ffab908fd00919a80d2e45c9527d5e265daa9cc5a7f19804bbbca8021c4b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50b4c987-7d00-4a82-844d-2630242d9258.vbs

Filesize
732B

MD5
1a05ed144541e59e7c515c567ea79e18

SHA1
82c739ee94ec3bc2ae7133f4c508e29e17b4de53

SHA256
ac7ca048bde2214d0bf2efb546493d8c1979d711fb7fd4330912f9e5026fcd94

SHA512
44cfd807db26c8f8edc9c8882c56f8ab5c25fbff49e5c2dba4a0319ba67235fa733b018bd92717fc970cbd92f79a3259eab7536edffbf7b33453a605247e5774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c81b43e-7416-4afc-a22f-98e46a10a09e.vbs

Filesize
732B

MD5
5988c40fa2046b0bdc9547b139a03bba

SHA1
02c3ef4e16d616266c70c8d5f4fcac0995709f9c

SHA256
62d28f31ada39e8a6f8ce5f0dae92753690e2560c3258c150fefb3a3893ca06c

SHA512
e955e5b54db846e0e9335d01cba3fc7fc072ffbec4b1660e9f562b9426c66a77806660096a2a2f50ecc64d982a60a65e87cdeba478958cd3b4cbb6381d586835

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5761cbe-509f-4c34-979f-c52040ce74c0.vbs

Filesize
732B

MD5
bdd2b806ceceb3ae05dec6918b24efa2

SHA1
eeef8b680aa907e8f136a45172e3d1adb079e560

SHA256
c455c540a993dcb9259f1d1e8850606c370e0df1dd09484ee345e5dcc2ec0c37

SHA512
43c728558f8886c328e8c0ed88432c6bf7e3c312908fe8e3f0833ddb1f6c93882760dedb21f0487933302070279070536e53d8730d66158c4ff8fa5a74f5740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6a2220b-7f14-4602-92c0-6c5d2dc4c76a.vbs

Filesize
732B

MD5
ca21d4f15e078e8213a987083a2e184f

SHA1
17c16ef7091952b13b70142150624c2dd5e971e5

SHA256
46024d1a2c03b124a4892602a6c283704ade33b02bf153da92aaa959811226d3

SHA512
f11105e5391ce8d605a71923cdfebd37a01123fe8692989ac615535b202167ecbdcfc7056c5b98da3f421993eefba175babb35bf06090cbd0e745790caf64b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8a3e550-db26-49c4-9409-bb13b58ac35d.vbs

Filesize
731B

MD5
4fd24c3b368e380ce8cd05b943d4c780

SHA1
565a2b31762f1d530fe68a8a4e6ae50332ec4911

SHA256
94d9071fbfc3743e8573223b98ee1f2f9a08628327f6dd9e515ddac07e348e35

SHA512
a1cdf72f3c5ee8e3d47474d2f74f094239d4d02cfe941e718ddf8be1a798f314d58a1a775623285861b2a7f4e23020ac4fe8083d4008bd81865c2890ba97e824

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd994d82-baa6-448a-b431-0f86105fa1cb.vbs

Filesize
732B

MD5
805a7a7ed26702a55c4857e53ba6c505

SHA1
6dfc03fcbb84bbc17415962c8e61bb1fc7f7f1df

SHA256
018384d3cfd126bf87e83acc4e75bd350630e529b2dcd811ac43f0cbe81a1dd2

SHA512
8d8503eac792cc337dc236fd3db1be777d1ac27da2c1125914183abf5d8aa849a81cd94a38788b35944fe8c2758fa774461ff47cc84244885068e9866df4852c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6bc62b9-5163-4d98-8bf8-d5554a85daf9.vbs

Filesize
732B

MD5
7ecd325339adec4bea079ac8f25827b0

SHA1
1a28ce4414882a3bd003e9fd48686463f77b5959

SHA256
d6d55ecd1dda61201110d4982db6e25be761129ae53f2248c2c1bc3bdb4d1721

SHA512
c3157ffc2c934e0d64d3bd29dda49b62abbc5c657fed8183a3fe9db1325876ed3da9a6da0afbff81248c5163d35a5d0045489d373679cf4f532d93120d5afac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8c8dd78-6cf2-45cd-be6b-d4152be40739.vbs

Filesize
732B

MD5
f5e1ba9daaf00a0a7a2e221c2b99b4ea

SHA1
5002abd3d2e8b4436befa4cc64edcae216ec2786

SHA256
357c3fbf8d7716526e87b547aaa587abd9b738c97467ff2c8265756643c5f128

SHA512
935d831ec1c0bd95adae435f9987f8587b0e817d3f4b2193a015c572536f460d137af9c0b9498b331945624717e27c248a88fbca4e0fcd7167c5be5b935a32cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\w82jcrZC1N.bat

Filesize
221B

MD5
77269111ca97b12719c6a2bab545d3cf

SHA1
37aed350ae33b0c59d2dd417ba73ba9117d99b40

SHA256
7e63acf1111dddd8f1c82ae919186918ade7d75a514952477a6acee8bbc38316

SHA512
b5876a9f12bdca9fd86a031abe66c0033b13648bf443294d5011b59401e9e757d50231636b999bb8bf9a21e69ffa03883330081f9acf31e8ccf0931d5fd0cd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dc9cad61ecddf3cd21edf3d102ff2c78

SHA1
247b8fe9490829f3695a6f2c7a4d020bfa1c11a6

SHA256
8ae3807628a377eef13e0d300dea6372f8dfcbaa6b4aca719467ab838a9ccf18

SHA512
a2bac66b2c6e4926badaeb8ae530bbbdaaa8d2e725d27720424bd09c7350e1616595ae2090e4a556dd5e6887891566177d0493affd3f5390442d425bf5ccea1a

Download Submit
C:\Users\Admin\Searches\audiodg.exe

Filesize
1.7MB

MD5
0ae811bf1814e42c0b9db8eb1f283bef

SHA1
acece04573a36b77fb2382395f015dba551092e9

SHA256
673a0b4319420b1f6370b4d49da54c7e831e7b7070cff3eb1586556f0a4e8ff6

SHA512
5cb0b8cb3cc378dbf4e0ea04c80280c7d5322460e08856eaec8a2074cc9ece6a3e8af5b70574839725975fdf83f3d0c1399217a04ffd3870d66662015402a4c1

Download Submit
memory/776-221-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1348-356-0x0000000000970000-0x0000000000B30000-memory.dmp

Filesize
1.8MB

Download
memory/1556-272-0x00000000011C0000-0x0000000001380000-memory.dmp

Filesize
1.8MB

Download
memory/1556-273-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1720-368-0x0000000000360000-0x0000000000520000-memory.dmp

Filesize
1.8MB

Download
memory/1720-369-0x0000000002050000-0x0000000002062000-memory.dmp

Filesize
72KB

Download
memory/1740-319-0x0000000000160000-0x0000000000320000-memory.dmp

Filesize
1.8MB

Download
memory/1740-320-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/1924-344-0x00000000002E0000-0x00000000004A0000-memory.dmp

Filesize
1.8MB

Download
memory/2316-296-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2336-332-0x00000000001F0000-0x00000000003B0000-memory.dmp

Filesize
1.8MB

Download
memory/2340-14-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/2340-12-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/2340-224-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-189-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x0000000000370000-0x0000000000530000-memory.dmp

Filesize
1.8MB

Download
memory/2340-19-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-17-0x000000001A9B0000-0x000000001A9BC000-memory.dmp

Filesize
48KB

Download
memory/2340-16-0x000000001A8A0000-0x000000001A8AC000-memory.dmp

Filesize
48KB

Download
memory/2340-15-0x000000001A880000-0x000000001A888000-memory.dmp

Filesize
32KB

Download
memory/2340-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2340-13-0x000000001A890000-0x000000001A89A000-memory.dmp

Filesize
40KB

Download
memory/2340-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-11-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/2340-9-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2340-8-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/2340-7-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/2340-6-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2340-5-0x0000000002050000-0x0000000002060000-memory.dmp

Filesize
64KB

Download
memory/2340-4-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2340-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2544-223-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2904-284-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/2980-381-0x0000000000BD0000-0x0000000000D90000-memory.dmp

Filesize
1.8MB

Download