dcrat | 7386643d99fbe783380f85fa364cce332c31ff0bdf023b78de58d329990842ad

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Proverka by xdwd.exe
Size

1.5MB
MD5

b6d84083a9a6d904f8fce712472503db
SHA1

be3cea644584be972eed12578bdcf3cd6ff4ecbb
SHA256

7386643d99fbe783380f85fa364cce332c31ff0bdf023b78de58d329990842ad
SHA512

0cca303cc79bd20a593e1d5a01cce8783c7daffa4c99cf1694dfdaa5c14b7e7be64a35f73e9b8f7063948a94b492c830d32870965ba7fd0f0d067d06b9806539
SSDEEP

24576:U2G/nvxW3Ww0tNAo6ME182LavUt3U27dLqYTZb0yJSogzbKRYSDxtXbkP0hNZnB:UbA30NAF8MIGfQ/Km6XoP05B

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	372	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	372	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0031000000023b76-10.dat	dcrat
behavioral2/memory/2328-13-0x00000000005C0000-0x00000000006F2000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	driverSessionRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Proverka by xdwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 26 IoCs

pid	Process
2328	driverSessionRuntime.exe
3472	wininit.exe
732	wininit.exe
1616	wininit.exe
2164	wininit.exe
1368	wininit.exe
2188	wininit.exe
776	wininit.exe
2432	wininit.exe
3256	wininit.exe
5084	wininit.exe
3060	wininit.exe
4376	wininit.exe
3336	wininit.exe
1652	wininit.exe
1756	wininit.exe
2940	wininit.exe
1436	wininit.exe
920	wininit.exe
4652	wininit.exe
4184	wininit.exe
4332	wininit.exe
2884	wininit.exe
1236	wininit.exe
408	wininit.exe
548	wininit.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	driverSessionRuntime.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e	driverSessionRuntime.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\fontdrvhost.exe	driverSessionRuntime.exe
File created	C:\Windows\CbsTemp\5b884080fd4f94	driverSessionRuntime.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\wininit.exe	driverSessionRuntime.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\56085415360792	driverSessionRuntime.exe
File created	C:\Windows\SchCache\SppExtComObj.exe	driverSessionRuntime.exe
File created	C:\Windows\SchCache\e1ef82546f0b02	driverSessionRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proverka by xdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Proverka by xdwd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	driverSessionRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4648	schtasks.exe
2288	schtasks.exe
1488	schtasks.exe
1156	schtasks.exe
1116	schtasks.exe
3196	schtasks.exe
3528	schtasks.exe
4800	schtasks.exe
516	schtasks.exe
4052	schtasks.exe
4352	schtasks.exe
4604	schtasks.exe
2960	schtasks.exe
1584	schtasks.exe
4772	schtasks.exe
2256	schtasks.exe
5016	schtasks.exe
4704	schtasks.exe
1520	schtasks.exe
4988	schtasks.exe
4644	schtasks.exe
1292	schtasks.exe
1320	schtasks.exe
3960	schtasks.exe
3616	schtasks.exe
2432	schtasks.exe
952	schtasks.exe
1616	schtasks.exe
4240	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2328	driverSessionRuntime.exe
2328	driverSessionRuntime.exe
2328	driverSessionRuntime.exe
2328	driverSessionRuntime.exe
2328	driverSessionRuntime.exe
2328	driverSessionRuntime.exe
2328	driverSessionRuntime.exe
3472	wininit.exe
732	wininit.exe
1616	wininit.exe
2164	wininit.exe
1368	wininit.exe
2188	wininit.exe
776	wininit.exe
2432	wininit.exe
3256	wininit.exe
5084	wininit.exe
3060	wininit.exe
4376	wininit.exe
3336	wininit.exe
1652	wininit.exe
1756	wininit.exe
2940	wininit.exe
1436	wininit.exe
920	wininit.exe
4652	wininit.exe
4184	wininit.exe
4332	wininit.exe
2884	wininit.exe
1236	wininit.exe
408	wininit.exe
548	wininit.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	driverSessionRuntime.exe
Token: SeDebugPrivilege	3472	wininit.exe
Token: SeDebugPrivilege	732	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2164	wininit.exe
Token: SeDebugPrivilege	1368	wininit.exe
Token: SeDebugPrivilege	2188	wininit.exe
Token: SeDebugPrivilege	776	wininit.exe
Token: SeDebugPrivilege	2432	wininit.exe
Token: SeDebugPrivilege	3256	wininit.exe
Token: SeDebugPrivilege	5084	wininit.exe
Token: SeDebugPrivilege	3060	wininit.exe
Token: SeDebugPrivilege	4376	wininit.exe
Token: SeDebugPrivilege	3336	wininit.exe
Token: SeDebugPrivilege	1652	wininit.exe
Token: SeDebugPrivilege	1756	wininit.exe
Token: SeDebugPrivilege	2940	wininit.exe
Token: SeDebugPrivilege	1436	wininit.exe
Token: SeDebugPrivilege	920	wininit.exe
Token: SeDebugPrivilege	4652	wininit.exe
Token: SeDebugPrivilege	4184	wininit.exe
Token: SeDebugPrivilege	4332	wininit.exe
Token: SeDebugPrivilege	2884	wininit.exe
Token: SeDebugPrivilege	1236	wininit.exe
Token: SeDebugPrivilege	408	wininit.exe
Token: SeDebugPrivilege	548	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2668	1856	Proverka by xdwd.exe	83
PID 1856 wrote to memory of 2668	1856	Proverka by xdwd.exe	83
PID 1856 wrote to memory of 2668	1856	Proverka by xdwd.exe	83
PID 2668 wrote to memory of 4508	2668	WScript.exe	84
PID 2668 wrote to memory of 4508	2668	WScript.exe	84
PID 2668 wrote to memory of 4508	2668	WScript.exe	84
PID 4508 wrote to memory of 2328	4508	cmd.exe	86
PID 4508 wrote to memory of 2328	4508	cmd.exe	86
PID 2328 wrote to memory of 1700	2328	driverSessionRuntime.exe	119
PID 2328 wrote to memory of 1700	2328	driverSessionRuntime.exe	119
PID 1700 wrote to memory of 2740	1700	cmd.exe	121
PID 1700 wrote to memory of 2740	1700	cmd.exe	121
PID 1700 wrote to memory of 3472	1700	cmd.exe	126
PID 1700 wrote to memory of 3472	1700	cmd.exe	126
PID 3472 wrote to memory of 3232	3472	wininit.exe	128
PID 3472 wrote to memory of 3232	3472	wininit.exe	128
PID 3232 wrote to memory of 4332	3232	cmd.exe	131
PID 3232 wrote to memory of 4332	3232	cmd.exe	131
PID 3232 wrote to memory of 732	3232	cmd.exe	134
PID 3232 wrote to memory of 732	3232	cmd.exe	134
PID 732 wrote to memory of 5100	732	wininit.exe	135
PID 732 wrote to memory of 5100	732	wininit.exe	135
PID 5100 wrote to memory of 4868	5100	cmd.exe	137
PID 5100 wrote to memory of 4868	5100	cmd.exe	137
PID 5100 wrote to memory of 1616	5100	cmd.exe	143
PID 5100 wrote to memory of 1616	5100	cmd.exe	143
PID 1616 wrote to memory of 4560	1616	wininit.exe	144
PID 1616 wrote to memory of 4560	1616	wininit.exe	144
PID 4560 wrote to memory of 4276	4560	cmd.exe	146
PID 4560 wrote to memory of 4276	4560	cmd.exe	146
PID 4560 wrote to memory of 2164	4560	cmd.exe	149
PID 4560 wrote to memory of 2164	4560	cmd.exe	149
PID 2164 wrote to memory of 4652	2164	wininit.exe	150
PID 2164 wrote to memory of 4652	2164	wininit.exe	150
PID 4652 wrote to memory of 2004	4652	cmd.exe	152
PID 4652 wrote to memory of 2004	4652	cmd.exe	152
PID 4652 wrote to memory of 1368	4652	cmd.exe	158
PID 4652 wrote to memory of 1368	4652	cmd.exe	158
PID 1368 wrote to memory of 4524	1368	wininit.exe	159
PID 1368 wrote to memory of 4524	1368	wininit.exe	159
PID 4524 wrote to memory of 3472	4524	cmd.exe	161
PID 4524 wrote to memory of 3472	4524	cmd.exe	161
PID 4524 wrote to memory of 2188	4524	cmd.exe	163
PID 4524 wrote to memory of 2188	4524	cmd.exe	163
PID 2188 wrote to memory of 3552	2188	wininit.exe	164
PID 2188 wrote to memory of 3552	2188	wininit.exe	164
PID 3552 wrote to memory of 228	3552	cmd.exe	166
PID 3552 wrote to memory of 228	3552	cmd.exe	166
PID 3552 wrote to memory of 776	3552	cmd.exe	168
PID 3552 wrote to memory of 776	3552	cmd.exe	168
PID 776 wrote to memory of 5064	776	wininit.exe	169
PID 776 wrote to memory of 5064	776	wininit.exe	169
PID 5064 wrote to memory of 4336	5064	cmd.exe	171
PID 5064 wrote to memory of 4336	5064	cmd.exe	171
PID 5064 wrote to memory of 2432	5064	cmd.exe	173
PID 5064 wrote to memory of 2432	5064	cmd.exe	173
PID 2432 wrote to memory of 3440	2432	wininit.exe	174
PID 2432 wrote to memory of 3440	2432	wininit.exe	174
PID 3440 wrote to memory of 4576	3440	cmd.exe	176
PID 3440 wrote to memory of 4576	3440	cmd.exe	176
PID 3440 wrote to memory of 3256	3440	cmd.exe	178
PID 3440 wrote to memory of 3256	3440	cmd.exe	178
PID 3256 wrote to memory of 1488	3256	wininit.exe	179
PID 3256 wrote to memory of 1488	3256	wininit.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proverka by xdwd.exe
"C:\Users\Admin\AppData\Local\Temp\Proverka by xdwd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainWebIntoSession\qD91Bf2FR629.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainWebIntoSession\mutZScugJ38QpfoGeguI2l.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\chainWebIntoSession\driverSessionRuntime.exe
      "C:\chainWebIntoSession\driverSessionRuntime.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R4elQkPkqf.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2740
      - C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4332
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4868
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4276
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2004
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3472
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:228
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4336
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4576
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        23⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3984
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
        25⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1064
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
        27⤵
        
        PID:5028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1660
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        29⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2728
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        31⤵
        
        PID:3132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1848
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        33⤵
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:4312
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        35⤵
        
        PID:4864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:2736
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        37⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:3352
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        39⤵
        
        PID:3804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:3604
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        41⤵
        
        PID:4200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:3412
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
        43⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:336
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"
        45⤵
        
        PID:5116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:4792
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
        47⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:1856
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        49⤵
        
        PID:1116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        50⤵
        
        PID:3496
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        51⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        52⤵
        
        PID:2216
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        53⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        54⤵
        
        PID:1864
        
        C:\Windows\RemotePackages\RemoteDesktops\wininit.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\wininit.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        55⤵
        
        PID:3108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        56⤵
        
        PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\chainWebIntoSession\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\chainWebIntoSession\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\chainWebIntoSession\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

Filesize
217B

MD5
b8ed67d08465aede06c3dd6e34068f39

SHA1
25903ff5068258ebc81acb5770a768eaf8a8cacb

SHA256
5f075ac898c6d502be3fddd9de5a546b56e46c7661d37e04f5e88b9a58ed344a

SHA512
fdff80eca1556a2751512c6433350e60c17ba1314e6fea71eaf11c452477e7b31bab8effe83e8d7775675714cee64889c1f0927439b941947f5a7af77dedac98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

Filesize
217B

MD5
667645458f9294aa22531f8f54fc2b90

SHA1
154478e7310c08ebb13dd2538cf7623c2d399737

SHA256
be7ecf5b16d8a7a5a0d7f9e6a7c804c7c5a5549fb72c576dbd08e6e45c1b144e

SHA512
7909e9cd02965c2b00b53bcca0b713a11bc6d5d29079298f56790f9ea5f768a90c9c04a7049bd048373ce4da89ad63446507dedaa24a191cc7f4554952304bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
217B

MD5
5a8e95dbf17d902d4108ebd8a4181187

SHA1
a4bed0118597d54cc735ff72670be1f08e6f9bed

SHA256
b970e35bbbf8ef65cdbd9c4012a299427e729f474d37b2389337680572c4b199

SHA512
ff2bd784f2742faef03c8166cde8f5edeac114923f544bf27a6c965c523398d43ae77df4e7b49ba74dcec058070b428d9a9bf1390f6f4ba8eafa0cc4f6217520

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
217B

MD5
0b607553edfc9c23e53ebe3890571b24

SHA1
dd9e15287f16f150e0dee67dad2ecf145a17b583

SHA256
5b84ab2b1dfd3f75a098c18f8ec6d873a6211cb11f6e060a3903d56cea72a74c

SHA512
12ce153ca7934f62de689179792089778b85b2cef204bad42fc1694d9d19a04c4644108da4f01064fe1f858c9cc28701c02e9df1c5b50fcc9ab004d967a2eb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
217B

MD5
ed363c08f65112d8808ab9279f5cb01c

SHA1
67d9518cda5bcb4df3901eac8b3987b781972c6a

SHA256
7bbc637a1591ad6f0b9f9a175d77698eb5908623685a876e62d2ed38057a945b

SHA512
b6b775053f46f004df8d3c3bb813b5923a54bfc4fd864131f2d4777d99219297a6893cec0580944b85308c6328d2a6911d9f310adc07f2d1927343213c1b744c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

Filesize
217B

MD5
ca6634a30af7698f12ac2b25a3187f70

SHA1
325c46c77a925935d79c8ea45ada5dfd9a962950

SHA256
eb8018d249669c69b5699edb998200804ae7f9efbdc2296fe5e1871d391d7673

SHA512
d4a21ac749aece5378ae40ca5be943afae14e4152416f4e9b74c9f63515c17a59c6168b3e20ac729f21c2c99ca56ba5e1945d2e08708193cc87b29ae8c3633d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
217B

MD5
27c9e1d02cf8e93704c1c666b26d55bb

SHA1
ae0bd3f1d259460a55611451692fd6436bde60c0

SHA256
fc98bfdf212a05898ce831572c6ef42cf0dad585e9c43c2871687e65a0f1bec1

SHA512
4b6c2f052e651535d724a415fbfba8248871c110796dcf74b0bbd502ea33a3c166dc65317b2b7c6e757c345a005f8d14279f84e8fc5fd871dc07e1c693802788

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
217B

MD5
2293c77485d0f3618b0c38f836eff0c9

SHA1
c795586d7fc3b59f77f7e23bd632a2deefa0b22c

SHA256
8c89009a487913015503d8ce09d7c4fd893256da2675dcf56af2f214fe1cba69

SHA512
2e0e280682e0ff3f67566d833ba58d2be4415a5a5872003d9d269af1bba58bc6b19d85a471d0589317878f29f48726fc5e8fe69f67ee86ee28c802e18ef073af

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
217B

MD5
7d9fb6b94a1bbd4c54b8ef6873bbb1dc

SHA1
245e7e092019b255ec3f23a13b1e159585893450

SHA256
1b78d2cb5080a54c7494cfbc5369a92ce4230009e7648e92d7cb9aae1e49dfec

SHA512
f8c1208fd8d0b7719c5e572300d24f975c459e2b120da046954f954e7b8123785e40e15a9024c0938f420ff235d71f761b29fb3abfb9149285966540de1825a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
217B

MD5
45960f2890eb252ffe8d67d3b6a1f99f

SHA1
4cd334442c5a956151ebd35a1f999a319187b78b

SHA256
a1995c07bb38a4c24e55183ce5d1179932aaef5fd104aae827734d6b794bed1d

SHA512
bfaad53dd61bced35394d7028a47093e0e40288147f2f8f475aa705f11a7576ce87d31cba7db606d24761d75de851743f03dd3bc6fd91881390da3a7935fcc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
217B

MD5
ef8afc9f27410851c47bb6c02e5a27c9

SHA1
a8fc52b38514588d9b85efa5bb475b27a046aed3

SHA256
ae310881bcb052a14a6b67ed8a389b367e3f239cc9c8c1bf5a314df651c49e8c

SHA512
2ae9e577ee6aaa2f8e21bce37d87c644160d2b841b4653eff21b87c0e7bd7f586b986b5555f45c699e2f2f0066286fd358e2f071b03609ac0d4b404a009d29ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
217B

MD5
e2953b25d6b63973f56d1ae98124c769

SHA1
ff5b2024d6c8cfa8688f51af29409df16d6d4cea

SHA256
87b978f5d2b2785298f67991f005e4bebb56a30ba2bc96b6e50b92fdda5efda3

SHA512
61eb379ca947b2b33486e2d6815de0035bf3ecb703a5150623f03513a42bb9c8813a703ebe36c50961c34e26a0928bbb9e9f5221f5dc9ce3f1cb7444230ee06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
217B

MD5
6cc9ae452ed67375cf9d4152d7049e91

SHA1
c5e578aaf391d6752ce11d32e83f78449cdbc475

SHA256
1d2895b1d7d5445833da6f39c96e836fd210b2a594f2034ce5ee3738b6efee53

SHA512
ee8c82f784f9dcf3770338b490f62a0429c23f9a2ac5f3569b7bf7ca3afde64d0d732b15a60969e89b65d29c7014474fb15766d3201da720f55be4b14fa69d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\R4elQkPkqf.bat

Filesize
217B

MD5
9585843f0086a16394e40bac062f993a

SHA1
6dc52f91a53f7098b46d161159212e0bd3a3aad9

SHA256
f3794760d3b7443242b11932a96d525df7b7fd99ca81787e7209a72bff608a87

SHA512
db69890d0d6db8319b9b3cea44bafd643d422f23216cebedf8b7947b387633f637133ef45be411271c441d78afd7e0cafe290415d1c46a02e41e1a4a6cc0f1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
217B

MD5
cb48516a8fe33dfae739001ceaf9cd44

SHA1
54fbc8240184ed2855d11693ccdb6a97b6776bb8

SHA256
7baa82fad80467fac80471aee6ac853f8acfa0b053806f6fea9cc93fac334866

SHA512
099c2d4c67e193c45b3362b09f44328e10c844ce44f6a50f376cc2663c2a16a2ea48f6e9cd6500f5debd6a658fa0ce38e28c4bcf445b077fbf3e34af8ac08b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
217B

MD5
4f613be7c75d61cef6c35f3d4df0da0d

SHA1
f0865f7dd3a35addc900065d74801927c611a744

SHA256
140d73d2024587756098a089eb01fac8b2d833826201fb37ae5f1eac35201231

SHA512
50303f6f39016a9919de074ee5acc6a4ddc011e3fa1f7128d479ee88c0cdb34296037b815b6fdb56da6a159cf270ef6883e27007aa2d414e677a1f155a8a799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
217B

MD5
6a808a3ce0b57ae23ae2b868eccb1887

SHA1
38381689d3f3554ef37f975bc56d63df8f851538

SHA256
0dfaadb15f0b5d443345c9402f8b98dc37917916d1a7fff9d7e1aa60606163aa

SHA512
a98b608f8722e95d82c22260d2174676403104f5c9fe8fd0422b52bce26680c736bbaff592df234868b86450a9b439c2966693f47442d6e9e62f9e0b6819b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
217B

MD5
0fb21c1f0c7197d354ddb7b0cd81b2de

SHA1
22bb0fcc9b17c743a8fc0d990cc96d0aafab4ea0

SHA256
58d420d0f8d0d2311951bcf796becb24747d9e33ad5f4e73a6fd7c07a1f4f9db

SHA512
85426b15e0ee9e728e7ba6e37bc354a0b3fc0747352524324951ff0142ef834b1cda7150100537e5f2cd417a7c607c79ac85bb03835a138781d93f0df68e7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
217B

MD5
c59722c17e2672738126e4a07ad4f384

SHA1
2b7cf9d72067d97669088549325408f1bfef1a98

SHA256
ce0512f2a65d915621b558330b1e978f064c6985570a0bdde77aebbbc42de657

SHA512
ccecc5a2b08181486da768e30d7f75be65ff0f1a5bc1928af5704929e55294f2173e825425f8a7a667947aa0b81f8605a81a067f06519cc19b1816a93e722204

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
217B

MD5
f2232de99a62d888699efc786336b162

SHA1
7001f9a4f01d90072fc8cdc9fadcabad7bb72504

SHA256
6716f252f3fab363298ddb1f76940d0097cad68a17ef5bb245fe9cc7a4a0bae2

SHA512
bb29c866c887c3837385889283789f3be97f5acdba6f31910dcb8ef1ad1b7b2ac6afe86d10fff3f6f8312589c5ffc63af5f4151d61eae202211703d96c2b1af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat

Filesize
217B

MD5
680bc6448d96a4c1b0a4b141cb25cbdf

SHA1
a8f50ce4dea4231389232b6b7dc599e7e4e93fb8

SHA256
b447f55a38f309531def238eab66a47f8397709c5aea3eacbf4cc19fff4bc441

SHA512
e46567ac1ce452ac090e2d38ddf5d8f09c8aefcb83ed4fb1953e4cae36a14dfa6fecc33cd005f831593da9abc5390f8c013c65a14bf01b0cba3ff97e621c7f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
217B

MD5
09eec7fc5c83ea5673c1a9239f612ce7

SHA1
6a9e05c1eef8985f32738735fd8f28cf8c7e4468

SHA256
7d25fd59a27cc28b98e757d8559307a9ac68535f59a55d170ac0a38c43b675a1

SHA512
625eef8a2aa6d16c151444baaeac2b93448e74516070311ce4c978cf5f9c0934a85482432d33f76b6af45a2e6311b74d05e848044b553a8f2d528fdac24a338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat

Filesize
217B

MD5
4bf5c451a3fa8365abf1727b6b8c683a

SHA1
8d41095e742be20f851f6caafb5f521a005d530b

SHA256
4495cf737a410aa0ee469e709abf017773af0c5097dbe159c42ccf522b4ccfb7

SHA512
5985d5e327621feed9f5179a65e5e9cac3e7dd027bfb0546630ab571759a5e93b7cec7ee98c4612e3dd9c4dd24cf06bfb4b36b7ec21466ba57c856c4dc6d17f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
217B

MD5
562fbb982a3a6f03e74717344a98b9fa

SHA1
c98df7c4afd7351e76d5691e2dbd59a9bf596409

SHA256
19c7fb7784f81b4def9411e653e7caa8e4459b2b274d708eafa1b683a261d774

SHA512
a0f4067e1550306d06e0635da08896c90e8a08fed13691022fd92f6bcfb1fc3c1364037a7b81540f00be6ce5bcfdad7a762b768cb85aa0625012b0c8c4635e31

Download Submit
C:\chainWebIntoSession\driverSessionRuntime.exe

Filesize
1.2MB

MD5
6fa9d3afd6e7a33f230d630effcdcd68

SHA1
e36e510d35918147c19da9c2e4d153dd16acda56

SHA256
34067e70cf580aa3b0503f80c0944cc261f7b511988bb37cbc8d810a16e27229

SHA512
5466923061a3c3799a88a6947839c8d3e47f4aa08abe396adf4137bf9b2db38e9285f2a62d7c2ccd3c942f6199525cf47d33a2dd277a840bed0ed951a4ad50fc

Download Submit
C:\chainWebIntoSession\mutZScugJ38QpfoGeguI2l.bat

Filesize
49B

MD5
6000af83a4ec5ba337a3199e02ef3adc

SHA1
6d3e75d8513f156d5a0cdaca7c04754207897763

SHA256
cff888ba6c207a854350f2a5bfa943e933229e0f4b577c57e5e8d9c73fa678d6

SHA512
8181a8fa8d67c7aabc5d439c4338d7a5b92023992f148b498dbf6937bdcfe8c91b5961b06a1d745b46fe8a23aac857e3b5f88d19b6d10f2ade791b889185e4c3

Download Submit
C:\chainWebIntoSession\qD91Bf2FR629.vbe

Filesize
218B

MD5
e376bec17fcd43091d7e796e1990822e

SHA1
905ea05ef90ac3f2686443c8bc44e1b81c061a6a

SHA256
cb1d5eab7477bb30819023038a740abd7c5366f8ebe57b14e8339d4f79cfab3d

SHA512
c7e36f65a1da9681355a77e200a5d06fe2a6270d20a00b191f5c3b484ca52b16574058134a97f5008826f4b4e1f2153936e50d93f125a18c1019c306a97bb4ce

Download Submit
memory/2328-14-0x0000000002890000-0x00000000028AC000-memory.dmp

Filesize
112KB

Download
memory/2328-12-0x00007FFBE0C83000-0x00007FFBE0C85000-memory.dmp

Filesize
8KB

Download
memory/2328-13-0x00000000005C0000-0x00000000006F2000-memory.dmp

Filesize
1.2MB

Download
memory/2328-15-0x000000001B2C0000-0x000000001B310000-memory.dmp

Filesize
320KB

Download
memory/2328-16-0x000000001B220000-0x000000001B236000-memory.dmp

Filesize
88KB

Download
memory/2328-17-0x0000000002770000-0x000000000277C000-memory.dmp

Filesize
48KB

Download