dcrat | e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
Size

1.6MB
MD5

9af38351067812c0e3fa8e5ba3fdab5f
SHA1

896e6735656cc62d2f9258672683e200c9e30be5
SHA256

da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442
SHA512

dd35feecbb645e33a4a13247e31fac3cb480c9c9cc6aeca1e9434a082b4d7aaa77585583650358d7507e5e02d9a441c43754897c6bf09baf446346574d870c9d
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2636	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2696-1-0x0000000001230000-0x00000000013D2000-memory.dmp	dcrat
behavioral11/files/0x0005000000019438-25.dat	dcrat
behavioral11/files/0x000a00000001211a-81.dat	dcrat
behavioral11/files/0x0006000000019397-105.dat	dcrat
behavioral11/files/0x0007000000019426-116.dat	dcrat
behavioral11/files/0x000800000001946b-182.dat	dcrat
behavioral11/files/0x000800000001963a-207.dat	dcrat
behavioral11/memory/560-235-0x0000000000A80000-0x0000000000C22000-memory.dmp	dcrat
behavioral11/memory/2900-320-0x0000000000C30000-0x0000000000DD2000-memory.dmp	dcrat
behavioral11/memory/1612-343-0x0000000001180000-0x0000000001322000-memory.dmp	dcrat
behavioral11/memory/2164-377-0x0000000000060000-0x0000000000202000-memory.dmp	dcrat
behavioral11/memory/2012-400-0x00000000010A0000-0x0000000001242000-memory.dmp	dcrat
behavioral11/memory/304-412-0x00000000012C0000-0x0000000001462000-memory.dmp	dcrat
behavioral11/memory/292-424-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1840	powershell.exe
2260	powershell.exe
2964	powershell.exe
1252	powershell.exe
1348	powershell.exe
1264	powershell.exe
1680	powershell.exe
2568	powershell.exe
2704	powershell.exe
752	powershell.exe
2448	powershell.exe
2928	powershell.exe
2432	powershell.exe
2912	powershell.exe
3016	powershell.exe
2032	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
560	wininit.exe
2900	wininit.exe
1108	wininit.exe
1612	wininit.exe
2696	wininit.exe
2404	wininit.exe
2164	wininit.exe
1536	wininit.exe
2012	wininit.exe
304	wininit.exe
292	wininit.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXB3E7.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCXA5C8.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXACFE.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\6cb0b6c459d5d3	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\56085415360792	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXB3E8.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\1610b97d3ab4a7	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCXA55A.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXAD6C.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\5940a34987c991	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\en-US\wininit.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\Fonts\RCXB1E2.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\Fonts\RCXB1E3.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\en-US\csrss.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\en-US\886983d96e3d3e	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\en-US\56085415360792	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\en-US\RCXA355.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\en-US\RCXA356.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\en-US\wininit.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\Fonts\dllhost.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\en-US\RCXC10C.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\Fonts\dllhost.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\en-US\csrss.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\en-US\RCXC04F.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
2180	schtasks.exe
296	schtasks.exe
1312	schtasks.exe
2284	schtasks.exe
2476	schtasks.exe
2192	schtasks.exe
2336	schtasks.exe
2256	schtasks.exe
1100	schtasks.exe
2496	schtasks.exe
332	schtasks.exe
1668	schtasks.exe
1720	schtasks.exe
2144	schtasks.exe
2664	schtasks.exe
2920	schtasks.exe
688	schtasks.exe
1800	schtasks.exe
1696	schtasks.exe
1684	schtasks.exe
2680	schtasks.exe
2004	schtasks.exe
1252	schtasks.exe
348	schtasks.exe
2332	schtasks.exe
2768	schtasks.exe
2852	schtasks.exe
600	schtasks.exe
2596	schtasks.exe
2880	schtasks.exe
2588	schtasks.exe
496	schtasks.exe
2688	schtasks.exe
3028	schtasks.exe
2984	schtasks.exe
2344	schtasks.exe
288	schtasks.exe
3000	schtasks.exe
1944	schtasks.exe
2572	schtasks.exe
2968	schtasks.exe
2580	schtasks.exe
2244	schtasks.exe
880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
2260	powershell.exe
1252	powershell.exe
3016	powershell.exe
2704	powershell.exe
2448	powershell.exe
2912	powershell.exe
1840	powershell.exe
2964	powershell.exe
2928	powershell.exe
1348	powershell.exe
2032	powershell.exe
1680	powershell.exe
2432	powershell.exe
2568	powershell.exe
752	powershell.exe
1264	powershell.exe
560	wininit.exe
2900	wininit.exe
1108	wininit.exe
1612	wininit.exe
2696	wininit.exe
2404	wininit.exe
2164	wininit.exe
1536	wininit.exe
2012	wininit.exe
304	wininit.exe
292	wininit.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	560	wininit.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2900	wininit.exe
Token: SeDebugPrivilege	1108	wininit.exe
Token: SeDebugPrivilege	1612	wininit.exe
Token: SeDebugPrivilege	2696	wininit.exe
Token: SeDebugPrivilege	2404	wininit.exe
Token: SeDebugPrivilege	2164	wininit.exe
Token: SeDebugPrivilege	1536	wininit.exe
Token: SeDebugPrivilege	2012	wininit.exe
Token: SeDebugPrivilege	304	wininit.exe
Token: SeDebugPrivilege	292	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2704	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	76
PID 2696 wrote to memory of 2704	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	76
PID 2696 wrote to memory of 2704	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	76
PID 2696 wrote to memory of 1252	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	77
PID 2696 wrote to memory of 1252	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	77
PID 2696 wrote to memory of 1252	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	77
PID 2696 wrote to memory of 3016	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	78
PID 2696 wrote to memory of 3016	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	78
PID 2696 wrote to memory of 3016	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	78
PID 2696 wrote to memory of 752	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	79
PID 2696 wrote to memory of 752	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	79
PID 2696 wrote to memory of 752	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	79
PID 2696 wrote to memory of 2032	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	82
PID 2696 wrote to memory of 2032	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	82
PID 2696 wrote to memory of 2032	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	82
PID 2696 wrote to memory of 2260	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	84
PID 2696 wrote to memory of 2260	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	84
PID 2696 wrote to memory of 2260	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	84
PID 2696 wrote to memory of 2928	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	85
PID 2696 wrote to memory of 2928	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	85
PID 2696 wrote to memory of 2928	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	85
PID 2696 wrote to memory of 2448	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	86
PID 2696 wrote to memory of 2448	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	86
PID 2696 wrote to memory of 2448	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	86
PID 2696 wrote to memory of 2432	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	87
PID 2696 wrote to memory of 2432	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	87
PID 2696 wrote to memory of 2432	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	87
PID 2696 wrote to memory of 1680	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	88
PID 2696 wrote to memory of 1680	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	88
PID 2696 wrote to memory of 1680	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	88
PID 2696 wrote to memory of 2912	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	89
PID 2696 wrote to memory of 2912	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	89
PID 2696 wrote to memory of 2912	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	89
PID 2696 wrote to memory of 1348	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	91
PID 2696 wrote to memory of 1348	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	91
PID 2696 wrote to memory of 1348	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	91
PID 2696 wrote to memory of 1264	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	93
PID 2696 wrote to memory of 1264	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	93
PID 2696 wrote to memory of 1264	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	93
PID 2696 wrote to memory of 2964	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	94
PID 2696 wrote to memory of 2964	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	94
PID 2696 wrote to memory of 2964	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	94
PID 2696 wrote to memory of 2568	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	95
PID 2696 wrote to memory of 2568	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	95
PID 2696 wrote to memory of 2568	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	95
PID 2696 wrote to memory of 1840	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	96
PID 2696 wrote to memory of 1840	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	96
PID 2696 wrote to memory of 1840	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	96
PID 2696 wrote to memory of 560	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	108
PID 2696 wrote to memory of 560	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	108
PID 2696 wrote to memory of 560	2696	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	108
PID 560 wrote to memory of 1544	560	wininit.exe	109
PID 560 wrote to memory of 1544	560	wininit.exe	109
PID 560 wrote to memory of 1544	560	wininit.exe	109
PID 560 wrote to memory of 2200	560	wininit.exe	110
PID 560 wrote to memory of 2200	560	wininit.exe	110
PID 560 wrote to memory of 2200	560	wininit.exe	110
PID 1544 wrote to memory of 2900	1544	WScript.exe	112
PID 1544 wrote to memory of 2900	1544	WScript.exe	112
PID 1544 wrote to memory of 2900	1544	WScript.exe	112
PID 2900 wrote to memory of 2112	2900	wininit.exe	113
PID 2900 wrote to memory of 2112	2900	wininit.exe	113
PID 2900 wrote to memory of 2112	2900	wininit.exe	113
PID 2900 wrote to memory of 2004	2900	wininit.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
"C:\Users\Admin\AppData\Local\Temp\da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Users\Default\Videos\wininit.exe
  "C:\Users\Default\Videos\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5de2c489-2342-4a56-8025-ffeec82984bf.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Default\Videos\wininit.exe
      C:\Users\Default\Videos\wininit.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ea5091f-7bfa-4bd1-90f9-5d18ddfff276.vbs"
        5⤵
        
        PID:2112
      - C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58940e55-184c-49d2-8378-87926ecf23c8.vbs"
        7⤵
        
        PID:2116
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bc9e714-bd62-46a3-9a12-7ffbb51177b1.vbs"
        9⤵
        
        PID:1736
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f9b0493-3236-40ed-afcd-9d0945ce46be.vbs"
        11⤵
        
        PID:2800
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841bfda7-0364-47b3-9687-81a385af6ef9.vbs"
        13⤵
        
        PID:872
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf32090b-681f-47b5-b255-b4fa9cd5e7c2.vbs"
        15⤵
        
        PID:2112
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39a95418-cf55-4482-af5f-04c3685aae4c.vbs"
        17⤵
        
        PID:692
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e16ba207-f686-4599-afa2-9fab1e295c9f.vbs"
        19⤵
        
        PID:2752
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9f9fc2-cca2-453a-b5fd-769ab4758c0b.vbs"
        21⤵
        
        PID:2372
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\064000d8-5370-45c6-9ec5-40e9ab837b1b.vbs"
        23⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7335b0d4-06c4-4ba9-ba81-0e2e56663e1b.vbs"
        23⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39513004-a921-49a8-9319-7e7d26b28d7f.vbs"
        21⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a890bf09-60a8-4d42-a2e9-ef07146e2b3f.vbs"
        19⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b3027c-5fb3-49b6-95f1-1ae7a814933c.vbs"
        17⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eacc9b6-81bc-4878-86ee-d7a73b627031.vbs"
        15⤵
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56deb8b-a569-44cb-a0d0-70da3cc52913.vbs"
        13⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0ec94a9-0f7d-441a-9bda-7a4efdbbab52.vbs"
        11⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8c8c53-194c-428d-a083-753f95718ac8.vbs"
        9⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38864205-eda1-487a-97de-7c551121314e.vbs"
        7⤵
        
        PID:2964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd73e681-674e-4e0e-a726-5ec7d3cd31af.vbs"
        5⤵
        
        PID:2004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76ad66e7-039b-4dea-8d62-453cf6c3ab20.vbs"
    3⤵
    PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe

Filesize
1.6MB

MD5
6b290fc4ceaa1b92459bb508db11398a

SHA1
ad375a5e949ca5e4ab10723c6d424a41556d2a98

SHA256
53b65f3d3f7c1d5ee5f37a800ffa839c21584af6e2f45baeb4e7bc36b8441f7f

SHA512
49b53a8156b510cd8849af9397b48808dcb7097d86d781121da997013c45c0658d5ea12c440232c5efd5d02751d2b22d4694fe61618f3f9066b24bed3fbdfedd

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\OSPPSVC.exe

Filesize
1.6MB

MD5
7c046266122cec3ea06eddfc3a0268fd

SHA1
d7bb89869e628ab24c0e567e2a4a08741c34a3f2

SHA256
ba7b3ef28f5eb7cf8fc96d87c2372a240a2ac05b36a79ffa4de26faf8b1ba044

SHA512
3ffb11243a6cabe2d4bcb0d6270608d2747b25cbec887a44820d705218cdd87c5175d09c336a981c560420b3b0e191cfd0321d53a72422aae8f12013db92f178

Download Submit
C:\ProgramData\Microsoft Help\taskhost.exe

Filesize
1.6MB

MD5
7d016a5262b253cd731146c0baab38ab

SHA1
471fe287cd4af66f7feffdff7e6faa8bc1dbbda1

SHA256
460184f7ec7931a189bffe48473a6be8f1e64954be62575635d733cd09bdd3df

SHA512
24ba844a016291da1ecf1483d7cd622a65b78e44eb9e9a8db9c4d56161a3060ee9cd2669cb16e0379bde0c0042e16881943b4aca4c54f9bc6ea4ef57d7e518c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\064000d8-5370-45c6-9ec5-40e9ab837b1b.vbs

Filesize
710B

MD5
d59d6ca9bb6ad41f90d97ffefd5b2e4f

SHA1
343f50ffebf543329bc0589d02ec0f11fc0850df

SHA256
2543f3a9c828f60053a2a237856be5b47851f7f169c7dd21a7218fca90366cea

SHA512
4f52fa6859904bab901cccdbd196a62335de9d1358c9e9701e39586a4626911b64a005ec90ede6d03020a835e832134150140f3c6ae3034b197f400a6ac7f938

Download Submit
C:\Users\Admin\AppData\Local\Temp\39a95418-cf55-4482-af5f-04c3685aae4c.vbs

Filesize
711B

MD5
e4734d29504ef23baa3fad8b0f08976a

SHA1
c27677e11513b3e2ef340403c3587707eff792cb

SHA256
0fd67221b4f93d3f5d1531de4e468d850b740534b6e3e061d0905219fba67011

SHA512
a1adc07e1bdcbfa0e7dbd9ea3b8b51cbb24488065cd4c558b63cafbf9b271b5c56e09323c0ee946986a7eddf784ae092f32b426fd11309a10ffd32b042bc52b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\433c307c84d6debf07c9320743b8837718339cb7.exe

Filesize
1.6MB

MD5
1e8d57e682cb3d9cc222af122745aa22

SHA1
a3fbc1cd689dae26da6d83340ed9799ff6dce13f

SHA256
b3b22c911900dc290828ebe4b4011cdb6049be13fcff42d79f27fe8dc431a275

SHA512
6dcdd5aef60019db5506c7c52544341cdda796647e096587291bab6a5b8dec8f99dc78486dfb872c2889a88a63cbfe2b9727f4d844c5eb57920eccbcae31653b

Download Submit
C:\Users\Admin\AppData\Local\Temp\58940e55-184c-49d2-8378-87926ecf23c8.vbs

Filesize
711B

MD5
e653a5a40b1a2ea61d769437ffbc1b83

SHA1
2eb05e3f7ac393bf8fa39ab876990c3d5d5a2e20

SHA256
d14e4634a4a918450e0955dd377dcf190de3182c7a5fea9716d34587c4fa42bd

SHA512
0b209d6dd1a78d152ae6652f01739a41e6942b030499f7cc970261d534e62ee21e8edb36b7586c887e25bf3cb840147634a0cc1a2d2a1e7bb0d9e97ce1cb2fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5de2c489-2342-4a56-8025-ffeec82984bf.vbs

Filesize
710B

MD5
1cda3bd69fbc0cb34d687bfec81c5d45

SHA1
2d85d66f13b8ad2c4d8434d6e2788b6b3fa30aea

SHA256
089753884c30a7373035d512a2b0985a1da1c8d726d028deabe78075cee0bbff

SHA512
68b4c91181fffdf5d3b443f3db871dfd6467bc9ba813524c0f552b863ab7577b8d314e311d7ff77d26863f252a71c97af20c133789ee7e426eb84076c99ccc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f9b0493-3236-40ed-afcd-9d0945ce46be.vbs

Filesize
711B

MD5
28c15c6eb1ef4e299121e6423dd4d3e3

SHA1
919d2ba0f0ff1b4bd11e6ccd3dbf36653eda86cf

SHA256
876e95dc937e0a3a4089818f7d56024c37bfa08c3de1939918514405c0eb20da

SHA512
c0687138b2a8c2acbafcd0108a5abc7b2201b8486c489a2ed60376bc6d6e17a05576921413e0628d00232986259caf3c574a6187bcff7fcdb31dda7408b94dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bc9e714-bd62-46a3-9a12-7ffbb51177b1.vbs

Filesize
711B

MD5
0f1d7965cfd94af1793365f214fabc1d

SHA1
71011be3a7f19c047b4a4eeb32b2be71160f1c71

SHA256
bbe241c2da98416b451c02b2de985836a221ab326924855ecae24260b7c7c4f6

SHA512
cc92f44553c59a3641d5ed1ce3da73e7373f11f87725996ab720bd33f247563a8d67fd2528e738120874b5fea820960725a34ce2c3378d91fba2819b0ae26e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ad66e7-039b-4dea-8d62-453cf6c3ab20.vbs

Filesize
487B

MD5
f6c05e55c8448f8a50f194ba5fe3c4dd

SHA1
7170da85d8bed188863846fd4a28f32cb0d10a40

SHA256
d23ee56b8edb75efcefa86d9f87acc79b7a39e310a1b5536ab40dbfbcefe76b0

SHA512
73b9a3b3891c81ded9e520430e21123884be4117da82785c37d3d584d2115a86d4e559133554db6ae7f896dfe153f4aba1a2bd8f459f181a85fcc575d6170ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e9f9fc2-cca2-453a-b5fd-769ab4758c0b.vbs

Filesize
710B

MD5
b800859c48c80f998384582404b960ed

SHA1
d90ee0cf6560212076224546df441e54d5684f4a

SHA256
3de4201da76ded874bc5ff2d54efe294564889e4da52f0a330d5179a3afb6c86

SHA512
ed0980ed03bdc523130f4ccc2ce355e842c809dc64c42dc1690fd09dcc71583e7a98886ddc31a2b983bd819df4cccfd7880b604cfc67387ea2213f1f2050a70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\841bfda7-0364-47b3-9687-81a385af6ef9.vbs

Filesize
711B

MD5
1ad69cddbc95feb950559a27f7768c1e

SHA1
3c6215c3d4830552d8f4d360f3b301d280db16c6

SHA256
a90304fcae508606d79f0ed2073a69b3538d0574112d9633d6f62ce19e049a12

SHA512
395cc4ceb0d5ec7bf3a65cb6469f654376c2dd8f508a5c1f0d1ebddd2a94e83cbb081592f563378fec1bc6c074f2ad10eaaf9b3cfd75684bc02120a539b80adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ea5091f-7bfa-4bd1-90f9-5d18ddfff276.vbs

Filesize
711B

MD5
0b940d68dcbad1fba1e990f7e03f4b72

SHA1
e4bc2709b0057fbb80539125fd0e6c668a35df8c

SHA256
ead7769f4f313ad491a771ba6e891a046c8298e2138f6c7c8616b90a6ea30b99

SHA512
bf9df618ae028501137a658c50551f60ccad0eedea9b4d346158f4942fb4d68f9ec8b46abb5a360e2d8fad42ba5d25a1741b80441d407b8e902cc1ce400bab7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf32090b-681f-47b5-b255-b4fa9cd5e7c2.vbs

Filesize
711B

MD5
faf77c95e6922e2735c84e00177193ba

SHA1
328acd966fcaf59060bdb25ca0aa41375c9acb72

SHA256
bb3254a958d07c2714a9b14cc29fdbfcc29652bb203d9624d10709d279872389

SHA512
80733d3f69e1661d89bcfc59e9cbc42eda3b636affe9af9d587f807ec856531cb07306b6e83e5425a6b156a49f19b3fd0b41cd63aab253f7bf5da0d88ee8029c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e16ba207-f686-4599-afa2-9fab1e295c9f.vbs

Filesize
711B

MD5
b8131a2bc9a30aa1dffdf1c84a716e77

SHA1
af4d6a5a16a70db5dd26c2830aea48b2ca3633af

SHA256
80a9e0512b23ea8f8aebbe0be751ad8e556543a8c94d67fba0ed970ce48613ab

SHA512
ec9c4a8c1798e8bdfc38ece46b1021eac68b8f4bac40dae75bb7a14e9972875ee7e314980abebb848e525a1702d94d624642fd89a1740e1ab76f025f321c3791

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7898a4be7e62014416e1036dca8dfc44

SHA1
e13b12f75d3e383beca49253c3200e4dd435cb76

SHA256
42830d4341ac7e1171ca7fbfa38e998bdcab52e424900f8f03dad8dd88015c6e

SHA512
9ace8a3e4b6062aeb50b6c05e65f90c3ffc223872fc063184b07e66bc514ccd54ada2a15056c668d392c373bb7a1d1d9af3f0dea11963a3c0eef8091c0cb57de

Download Submit
C:\Users\Default\Videos\wininit.exe

Filesize
1.6MB

MD5
9af38351067812c0e3fa8e5ba3fdab5f

SHA1
896e6735656cc62d2f9258672683e200c9e30be5

SHA256
da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442

SHA512
dd35feecbb645e33a4a13247e31fac3cb480c9c9cc6aeca1e9434a082b4d7aaa77585583650358d7507e5e02d9a441c43754897c6bf09baf446346574d870c9d

Download Submit
C:\Users\Default\Videos\wininit.exe

Filesize
1.6MB

MD5
f4790ee9cf50092ec7d2a78159b7aab3

SHA1
a254029187cca4a5a67d0d8d370e7de00a31d65d

SHA256
a269a20ad0ebd730abea299ab3de270b9073bbaf19f45592c832de5afeb105f6

SHA512
7915b4ae287db29c3f9562747dc7ae645048552a80946bae77c1a53367b0e30c93d87f0fdaf25c31f8a662a3db0c214c5e1c755a0d56b0ded56c92bebd336008

Download Submit
C:\Windows\en-US\wininit.exe

Filesize
1.6MB

MD5
a0b008842d4e5b309b86fc83b97b9b90

SHA1
91098817dc6718c1f3a2fcbf8f3c6390a590a527

SHA256
8bb65ac241b4a2934c7478f26c428b68bda1593a9d5281b2b468a4d893a0dbc6

SHA512
e3d0381635c11a49e4591657bcacd6801e3f287111940c1eea7cec8704abaf45ca1cbae90f892fc77d4621fe4f267d119a96ebeccc8d2ffb09a07b682a980f2b

Download Submit
memory/292-424-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/304-412-0x00000000012C0000-0x0000000001462000-memory.dmp

Filesize
1.6MB

Download
memory/560-235-0x0000000000A80000-0x0000000000C22000-memory.dmp

Filesize
1.6MB

Download
memory/1252-236-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1612-343-0x0000000001180000-0x0000000001322000-memory.dmp

Filesize
1.6MB

Download
memory/2012-400-0x00000000010A0000-0x0000000001242000-memory.dmp

Filesize
1.6MB

Download
memory/2164-377-0x0000000000060000-0x0000000000202000-memory.dmp

Filesize
1.6MB

Download
memory/2260-237-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2696-4-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2696-6-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2696-13-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2696-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2696-1-0x0000000001230000-0x00000000013D2000-memory.dmp

Filesize
1.6MB

Download
memory/2696-11-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2696-10-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2696-0-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/2696-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2696-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2696-14-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2696-16-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2696-7-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2696-5-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2696-243-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-198-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2696-181-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/2696-2-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2900-320-0x0000000000C30000-0x0000000000DD2000-memory.dmp

Filesize
1.6MB

Download