dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
152s
max time network
159s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Size

1.6MB
MD5

66d07aba299e88d9fd0562bdde9ef487
SHA1

3187acda67ed22501f39f2b436d064faf9464045
SHA256

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914
SHA512

64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2936	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2076-1-0x0000000000050000-0x00000000001F2000-memory.dmp	dcrat
behavioral3/files/0x000500000001a475-26.dat	dcrat
behavioral3/files/0x000800000001a5d0-72.dat	dcrat
behavioral3/files/0x000600000001a4ab-90.dat	dcrat
behavioral3/files/0x000500000001c73a-107.dat	dcrat
behavioral3/files/0x000c00000001a463-195.dat	dcrat
behavioral3/memory/940-294-0x00000000010E0000-0x0000000001282000-memory.dmp	dcrat
behavioral3/memory/1972-305-0x0000000001200000-0x00000000013A2000-memory.dmp	dcrat
behavioral3/memory/2216-317-0x0000000001290000-0x0000000001432000-memory.dmp	dcrat
behavioral3/memory/2384-351-0x00000000013B0000-0x0000000001552000-memory.dmp	dcrat
behavioral3/memory/384-363-0x0000000000140000-0x00000000002E2000-memory.dmp	dcrat
behavioral3/memory/2064-375-0x0000000000BC0000-0x0000000000D62000-memory.dmp	dcrat
behavioral3/memory/2900-387-0x0000000001270000-0x0000000001412000-memory.dmp	dcrat
behavioral3/memory/2368-410-0x0000000000370000-0x0000000000512000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe
1528	powershell.exe
2664	powershell.exe
1936	powershell.exe
2624	powershell.exe
1280	powershell.exe
1044	powershell.exe
836	powershell.exe
2868	powershell.exe
1040	powershell.exe
1524	powershell.exe
2844	powershell.exe
2172	powershell.exe
2788	powershell.exe
2604	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
940	taskhost.exe
1972	taskhost.exe
2216	taskhost.exe
2056	taskhost.exe
3048	taskhost.exe
2384	taskhost.exe
384	taskhost.exe
2064	taskhost.exe
2900	taskhost.exe
2232	taskhost.exe
2368	taskhost.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OSPPSVC.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\6203df4a6bafc7	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCX1EF6.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX2224.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\1610b97d3ab4a7	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\101b941d020240	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXED3.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCX1F16.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX2AF2.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX2AF3.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXEC2.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OSPPSVC.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX2197.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Uninstall Information\dllhost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tracing\csrss.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\tracing\886983d96e3d3e	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\tracing\RCX2438.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\tracing\RCX2439.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\tracing\csrss.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
2416	schtasks.exe
2080	schtasks.exe
2256	schtasks.exe
1104	schtasks.exe
2064	schtasks.exe
2616	schtasks.exe
1984	schtasks.exe
2772	schtasks.exe
2948	schtasks.exe
1148	schtasks.exe
2632	schtasks.exe
2188	schtasks.exe
840	schtasks.exe
2228	schtasks.exe
2868	schtasks.exe
2312	schtasks.exe
1284	schtasks.exe
1808	schtasks.exe
2424	schtasks.exe
1412	schtasks.exe
368	schtasks.exe
2724	schtasks.exe
2540	schtasks.exe
2000	schtasks.exe
2408	schtasks.exe
2492	schtasks.exe
1348	schtasks.exe
1932	schtasks.exe
456	schtasks.exe
2788	schtasks.exe
2848	schtasks.exe
1392	schtasks.exe
2960	schtasks.exe
2516	schtasks.exe
1676	schtasks.exe
1468	schtasks.exe
2300	schtasks.exe
2412	schtasks.exe
836	schtasks.exe
860	schtasks.exe
792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
1280	powershell.exe
2624	powershell.exe
1632	powershell.exe
2788	powershell.exe
2868	powershell.exe
1936	powershell.exe
1040	powershell.exe
2844	powershell.exe
2172	powershell.exe
1044	powershell.exe
1524	powershell.exe
2664	powershell.exe
836	powershell.exe
1528	powershell.exe
2604	powershell.exe
940	taskhost.exe
1972	taskhost.exe
2216	taskhost.exe
2056	taskhost.exe
3048	taskhost.exe
2384	taskhost.exe
384	taskhost.exe
2064	taskhost.exe
2900	taskhost.exe
2232	taskhost.exe
2368	taskhost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	940	taskhost.exe
Token: SeDebugPrivilege	1972	taskhost.exe
Token: SeDebugPrivilege	2216	taskhost.exe
Token: SeDebugPrivilege	2056	taskhost.exe
Token: SeDebugPrivilege	3048	taskhost.exe
Token: SeDebugPrivilege	2384	taskhost.exe
Token: SeDebugPrivilege	384	taskhost.exe
Token: SeDebugPrivilege	2064	taskhost.exe
Token: SeDebugPrivilege	2900	taskhost.exe
Token: SeDebugPrivilege	2232	taskhost.exe
Token: SeDebugPrivilege	2368	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1280	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	73
PID 2076 wrote to memory of 1280	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	73
PID 2076 wrote to memory of 1280	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	73
PID 2076 wrote to memory of 2624	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	74
PID 2076 wrote to memory of 2624	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	74
PID 2076 wrote to memory of 2624	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	74
PID 2076 wrote to memory of 1936	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	76
PID 2076 wrote to memory of 1936	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	76
PID 2076 wrote to memory of 1936	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	76
PID 2076 wrote to memory of 2664	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	78
PID 2076 wrote to memory of 2664	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	78
PID 2076 wrote to memory of 2664	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	78
PID 2076 wrote to memory of 1040	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	79
PID 2076 wrote to memory of 1040	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	79
PID 2076 wrote to memory of 1040	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	79
PID 2076 wrote to memory of 2868	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	82
PID 2076 wrote to memory of 2868	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	82
PID 2076 wrote to memory of 2868	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	82
PID 2076 wrote to memory of 1528	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	83
PID 2076 wrote to memory of 1528	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	83
PID 2076 wrote to memory of 1528	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	83
PID 2076 wrote to memory of 1632	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	84
PID 2076 wrote to memory of 1632	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	84
PID 2076 wrote to memory of 1632	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	84
PID 2076 wrote to memory of 836	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	85
PID 2076 wrote to memory of 836	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	85
PID 2076 wrote to memory of 836	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	85
PID 2076 wrote to memory of 2844	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	86
PID 2076 wrote to memory of 2844	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	86
PID 2076 wrote to memory of 2844	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	86
PID 2076 wrote to memory of 2788	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	87
PID 2076 wrote to memory of 2788	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	87
PID 2076 wrote to memory of 2788	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	87
PID 2076 wrote to memory of 1044	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	89
PID 2076 wrote to memory of 1044	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	89
PID 2076 wrote to memory of 1044	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	89
PID 2076 wrote to memory of 2172	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	91
PID 2076 wrote to memory of 2172	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	91
PID 2076 wrote to memory of 2172	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	91
PID 2076 wrote to memory of 1524	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	93
PID 2076 wrote to memory of 1524	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	93
PID 2076 wrote to memory of 1524	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	93
PID 2076 wrote to memory of 2604	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	94
PID 2076 wrote to memory of 2604	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	94
PID 2076 wrote to memory of 2604	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	94
PID 2076 wrote to memory of 3004	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	103
PID 2076 wrote to memory of 3004	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	103
PID 2076 wrote to memory of 3004	2076	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	103
PID 3004 wrote to memory of 2808	3004	cmd.exe	105
PID 3004 wrote to memory of 2808	3004	cmd.exe	105
PID 3004 wrote to memory of 2808	3004	cmd.exe	105
PID 3004 wrote to memory of 940	3004	cmd.exe	106
PID 3004 wrote to memory of 940	3004	cmd.exe	106
PID 3004 wrote to memory of 940	3004	cmd.exe	106
PID 940 wrote to memory of 2948	940	taskhost.exe	107
PID 940 wrote to memory of 2948	940	taskhost.exe	107
PID 940 wrote to memory of 2948	940	taskhost.exe	107
PID 940 wrote to memory of 3020	940	taskhost.exe	108
PID 940 wrote to memory of 3020	940	taskhost.exe	108
PID 940 wrote to memory of 3020	940	taskhost.exe	108
PID 2948 wrote to memory of 1972	2948	WScript.exe	109
PID 2948 wrote to memory of 1972	2948	WScript.exe	109
PID 2948 wrote to memory of 1972	2948	WScript.exe	109
PID 1972 wrote to memory of 2176	1972	taskhost.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
"C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzmeZFfo0k.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2808
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40a7d123-7817-47e9-8c17-4770c8f10431.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1454d8-86f1-4b66-a25b-a5a8dd138bf5.vbs"
        6⤵
        
        PID:2176
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\970079e1-15ab-4f38-bd29-45542ce03cfd.vbs"
        8⤵
        
        PID:2032
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b899c1ca-ee7d-45b7-bbb6-4cf7c76e4b19.vbs"
        10⤵
        
        PID:2572
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197a253a-ff7c-4a8d-9832-e12bae5ce40a.vbs"
        12⤵
        
        PID:2516
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef7d39a3-3564-4aaf-9bd4-445ef6b0397d.vbs"
        14⤵
        
        PID:2436
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23397a86-3940-4146-b53a-c6d59b3cfb56.vbs"
        16⤵
        
        PID:2772
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2db0b86f-9a25-4046-aab0-27af2b4a842b.vbs"
        18⤵
        
        PID:2352
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4e8a899-5e73-4122-924d-d08f4037d249.vbs"
        20⤵
        
        PID:1596
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca149c7e-445a-4f25-a979-da9d63f33c22.vbs"
        22⤵
        
        PID:2068
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d03a28d8-7107-44fd-9b83-3e9cfff5203c.vbs"
        24⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f997de2f-2d35-4139-a797-726e75f8b355.vbs"
        24⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54c72c34-42da-446b-a251-d18d7e8ae629.vbs"
        22⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2c269b-b623-40a6-b44d-5edd62debca9.vbs"
        20⤵
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88b74990-3b2a-453b-badf-4b1741c61701.vbs"
        18⤵
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4eb070c-9687-49ff-ab22-46b375cdda2d.vbs"
        16⤵
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c251e7-42a7-49a4-9172-c7a4cd54a866.vbs"
        14⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88874d3a-5145-4e4c-8b47-0c7e18487549.vbs"
        12⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed739679-a1ca-4001-b074-4691dc79f830.vbs"
        10⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06345d05-66c5-4722-aed2-8c23bcc82821.vbs"
        8⤵
        
        PID:932
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20c21c91-2b68-4313-a726-54b54645ef1e.vbs"
        6⤵
        
        PID:2456
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f393f1d-9259-45e7-a376-b1818494722d.vbs"
      4⤵
      PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.6MB

MD5
66d07aba299e88d9fd0562bdde9ef487

SHA1
3187acda67ed22501f39f2b436d064faf9464045

SHA256
d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914

SHA512
64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.6MB

MD5
9c35e71ba2bc9a434db59868e271288e

SHA1
90db068fcd312febf30880648a0a5772de30652a

SHA256
6c158a40f2244978b0a31466e60e8be19ddcaa106827e120d2e31141bb499077

SHA512
5fa6f5f3ea163ead2c6fc77bd8e5e4ced7490e27bb2d152608165968d0600c8f4bbaf372405a068e8279af812af92e4a71bb5a9296be0316f73881c6bc5da41c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RCX15BA.tmp

Filesize
1.6MB

MD5
9969b3bfe87dc4009640b8bc3502eaff

SHA1
3f2aec270e0ebba1da3148d8773784d8a3d90405

SHA256
d3ce5305b860cdc537b0d323116a74e0926b9fa19175ddeb78fa38b6a732fe58

SHA512
495865687b6bf13dd999278a837e9f22f45a484a979e34c73bc4b0cec730dbfb9561e4b2fdcb55f716def328cba8ced9e78c4506d549e2e159eb5d8fa84f6d71

Download Submit
C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX2AF2.tmp

Filesize
1.6MB

MD5
d1ce80f6c39f5068fea8ce4aae4805f3

SHA1
e5e72cbb5ee8ee040614506cdb5fff4ade7be178

SHA256
7bd6af9464f26c041653e2a41bf07da2b290baf926a6dea15aee918977626f7e

SHA512
8f413db8f501980b7400df324b9a6a4cf73d4f20f75a773ec71b6d528b89945549e955c5a4b799accb9bbe76c129e4b0afdabcf9a5543d1f8b8bd148db69e42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\197a253a-ff7c-4a8d-9832-e12bae5ce40a.vbs

Filesize
737B

MD5
b27fab47942a4ab52f8a47bc1df0c6c8

SHA1
9012c9073f87779c1dd5af001f165225f66e3c1f

SHA256
fe84db462687f2825e7e4eccab79c5337d92ad3c5a3ea0097280b194b05f294f

SHA512
7fd6cef13b3280e5d1e3d7ab4a2ee017519df6e378dbaa0cc03a838bd3b01855cde4aa38d3a015d828eed0fd47db54a9dd549b4948acc07279b7072e73bb0cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\23397a86-3940-4146-b53a-c6d59b3cfb56.vbs

Filesize
736B

MD5
5936848cbe60d3e50980c693942a93f2

SHA1
4301b38ce91e21905cb5342b3f3875d89fb425c3

SHA256
de0b013cf731e0cbfb5d6f93d5029720ce849613e474fe7ef83fbb4b7e840afc

SHA512
ae11ca75ae174ab70448266087381f2cc4db398dfdbb6c6b456237a84ded19b299499ddd1aadd2efc58eeaf450c62956e826d21be27a0350bc2cad76b0a743ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\2db0b86f-9a25-4046-aab0-27af2b4a842b.vbs

Filesize
737B

MD5
5647c7d801544816cdc1fb1a8064b99f

SHA1
e038c02aebe1cad16e56608d5d21fe05cf93ef39

SHA256
e2aa3154baa9635267bd5647dcf05c4963222799654068c1150eb6b58ca1a793

SHA512
02997f95789ed8a4b2be389e4bc49f96506c0b4768c0a884c7eb1d5f52dcac07d71a243d02632ec929a211647ea33e5eb2ae5037620d4ae5585620bab7410823

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e1454d8-86f1-4b66-a25b-a5a8dd138bf5.vbs

Filesize
737B

MD5
2766f18c620eeb3b2785d5d2a1f6a1e1

SHA1
8e303b69ef33bd1c53a44bb3e1ddb98f2a80d0cd

SHA256
4dca79b346d4ecf917e17172f00d416648635faff0a04b69bd53fbe02b5879e3

SHA512
dce70954794ef30c4812277f443e0dc79369c556f92d9fe167d94e8efdd327a2ce405f929a0c7ec53a4790f8485061e0bb21019858b6256503acda7cdfa41488

Download Submit
C:\Users\Admin\AppData\Local\Temp\40a7d123-7817-47e9-8c17-4770c8f10431.vbs

Filesize
736B

MD5
138c70101843f1560b0a0e29663b2396

SHA1
37dce5fd0b4a4294a16a6e38fb656c766454c892

SHA256
46d72445722c43545675c5073300ec63788064f2b9791ce22db861ef1170e310

SHA512
00da833c1a4e000008b09d43453a9c36d9534b713cf9969f06f54c3e6684c9edbb45c71b95d01fd589ddf11f944473229b27a04c62a5c9a7119752af1bbb23ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\970079e1-15ab-4f38-bd29-45542ce03cfd.vbs

Filesize
737B

MD5
16b3d73646e67e6a51d536f8acb015d9

SHA1
1022d33938f7995a471e90343788c0fe5d132cd5

SHA256
069e083f5762d0cd4955c72e2ac66e75c59fbe4df71d2fd9272562c4ffba5a01

SHA512
4e1e727488eed61aa08624ceeebeda76333e61fb1e326698264482cafdab31a627a9d7ecd11e8b169cf014af2d6676b0daf3a32b3b0e75411f4ff390c1c36830

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f393f1d-9259-45e7-a376-b1818494722d.vbs

Filesize
513B

MD5
5df581b6e51485ef0bdd2326bab7030a

SHA1
e4a119d2383fed096a074b7888e2fb8b902e2780

SHA256
88ec7e9162c97f67bef0179d67002c9eda22b50a8681000cecf40d7c1a374961

SHA512
7bd0a76e29316da47bb8bf6d182fbe30451e9c6122f6e1250d79a42a306dbec2e1b68e6a76b5d9eb7594b7e3c8139168e4c1542e033959c9025b02f20d53bacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4e8a899-5e73-4122-924d-d08f4037d249.vbs

Filesize
737B

MD5
c1d6c0ca31d6e1e4f6085e48b35f9bb3

SHA1
abf9cb91722a3b1b227dba5c1539f3be93c5b584

SHA256
945c1b0c98ad2b7a50aae2e1b6a2909aa1007049147ff2dcb23f20c364f4a496

SHA512
6e7e123d21b5dd7da25fced34ac6412524681715388ad8ed87980a90624163253d86be1e13148a77846e7cecdf54ad9dc0ef209f9a27a1f6ddff9f7421f1de93

Download Submit
C:\Users\Admin\AppData\Local\Temp\b899c1ca-ee7d-45b7-bbb6-4cf7c76e4b19.vbs

Filesize
737B

MD5
bc1e4f386df0959a0a2b62d0bfe59206

SHA1
27f3876d511a1d0578fa6e956cb390b5db4d88ed

SHA256
f676b1eede083fcbcf6c4e3e205e400e36c6bd29ff5f8016eaee28d647d8b765

SHA512
4f100277ba00c399bc2ec13bb3429557af4e534430b9384bc9a58c5d5adb64730059e1a3e39a52adb4ea1c607374cb563b895c55997726a84c8a15c6a939caeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca149c7e-445a-4f25-a979-da9d63f33c22.vbs

Filesize
737B

MD5
24dbb03a357685b28c7621e718d30244

SHA1
499fb6cca680752545c5e2845faefeb0f2727d23

SHA256
a543774505edac54532cf5a6619a7bd9566d7bc247395e03f1376b1d94e672f6

SHA512
8e2e4f5f998c786af27570edabf2b5e8fa9181f5eedeffda1481cd7e85831ea07e57922838a6373adea2e8f0dcde004dc74453ca78d8e87ea2a8525e3af9bc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d03a28d8-7107-44fd-9b83-3e9cfff5203c.vbs

Filesize
737B

MD5
88595650ee707dc8b52d2ecfb5835826

SHA1
53a9ba27228ce68e1a6650d1396bfe1d8ad1ead3

SHA256
c7846ecf113e142c680b5a4d33964790b5df60f9c6c15391c529c7b643c0644a

SHA512
ab6ed8b644429db881ec0f9581c8052f71f21d86bc863de5bd58afc92b6ad7115f3713b012af655d929280bf4997592f84258d10cd830aa42d541b00a6d9c630

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef7d39a3-3564-4aaf-9bd4-445ef6b0397d.vbs

Filesize
737B

MD5
849f6a361bfffbeadde5535f5f834144

SHA1
7e5d7d1fb7843d21006612fde2d6c1d317ef111b

SHA256
edddd29d42252f8d9323564f7d0348c213311025ca728175a882f11f150a87b9

SHA512
66f64cbbe88d0b23ec64c9df24d4d04d496d5ada0e1aa3cbf73a432c86300a233f14432633b891655889c2e1fb2437413516be2e4093f62db557d3926345c79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzmeZFfo0k.bat

Filesize
226B

MD5
dad721be9921501820b1dfc2e16da2ed

SHA1
f486af55ac1179a9cdd76ae26f46125ef3b96016

SHA256
25d1fab024204bfe84ee8da6afcbc1b7febda13e7b607b7b428df2d138603e40

SHA512
a15fdf3a4fc49a2ac2be6b7770bff8f4efa171f884cbc51625c2811288a73dfd037778689dbd2ec64a33e2c7e6f3d690c752d32c102d20de4ce818f118a4aa4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UUTR3KN5YM2EWTPR60NE.temp

Filesize
7KB

MD5
9fd4f3d8b49af40a770f02127fd74ab7

SHA1
7af3cd79a94ecac17ae2b7df85ae232dc382a3b3

SHA256
ae524ada6620604bbb5da2f8cac29e04245df6c4448b4aa67bd31880d2678d8c

SHA512
c020731591472900f4688a0c0d612b8e9452941cffbe8d00ce5e7755326c4190a7d9a7998225fd4c5706177dc67a4e6288dbd3ec666c0ec50741e3a4bc2b1242

Download Submit
C:\Users\Default\Favorites\csrss.exe

Filesize
1.6MB

MD5
60985904c222593516ac49fbb39446aa

SHA1
77dad0c3120cf5136dc86b263d750b342409e9aa

SHA256
966603cba71a3373472a99bf6784b7306842ae7abd60ea75a4b61acb19135788

SHA512
48b52476ee4bc1056c848e70f2c7a59fa2073b7d1cba9ecd8db53069e970cb6a6e4c55d04769ee70eb2eaf30a134e51ab75e8a24712065369986b0842472ad45

Download Submit
memory/384-363-0x0000000000140000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download
memory/940-294-0x00000000010E0000-0x0000000001282000-memory.dmp

Filesize
1.6MB

Download
memory/1972-305-0x0000000001200000-0x00000000013A2000-memory.dmp

Filesize
1.6MB

Download
memory/2064-375-0x0000000000BC0000-0x0000000000D62000-memory.dmp

Filesize
1.6MB

Download
memory/2076-6-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2076-8-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2076-1-0x0000000000050000-0x00000000001F2000-memory.dmp

Filesize
1.6MB

Download
memory/2076-247-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-13-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2076-2-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-14-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2076-12-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2076-11-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2076-15-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2076-10-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2076-3-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2076-9-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2076-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2076-7-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2076-4-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2076-17-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2076-16-0x00000000021F0000-0x00000000021FA000-memory.dmp

Filesize
40KB

Download
memory/2076-5-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2076-46-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-317-0x0000000001290000-0x0000000001432000-memory.dmp

Filesize
1.6MB

Download
memory/2368-410-0x0000000000370000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download
memory/2384-351-0x00000000013B0000-0x0000000001552000-memory.dmp

Filesize
1.6MB

Download
memory/2624-240-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2624-235-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/2900-387-0x0000000001270000-0x0000000001412000-memory.dmp

Filesize
1.6MB

Download