dcrat | 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Size

1.6MB
MD5

8b03d1f60bdf0b6465c0623109e7269e
SHA1

33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512

8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2836	schtasks.exe	30

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/1924-1-0x0000000000270000-0x0000000000412000-memory.dmp	dcrat
behavioral17/files/0x0005000000019619-25.dat	dcrat
behavioral17/files/0x0005000000019cb9-40.dat	dcrat
behavioral17/files/0x0006000000019cb9-52.dat	dcrat
behavioral17/files/0x0007000000019609-63.dat	dcrat
behavioral17/memory/2896-144-0x0000000000C70000-0x0000000000E12000-memory.dmp	dcrat
behavioral17/memory/756-213-0x0000000000A90000-0x0000000000C32000-memory.dmp	dcrat
behavioral17/memory/1508-235-0x0000000001100000-0x00000000012A2000-memory.dmp	dcrat
behavioral17/memory/1644-247-0x00000000000A0000-0x0000000000242000-memory.dmp	dcrat
behavioral17/memory/1596-259-0x00000000010C0000-0x0000000001262000-memory.dmp	dcrat
behavioral17/memory/2944-271-0x00000000001F0000-0x0000000000392000-memory.dmp	dcrat
behavioral17/memory/1892-283-0x0000000000AC0000-0x0000000000C62000-memory.dmp	dcrat
behavioral17/memory/1480-306-0x00000000002A0000-0x0000000000442000-memory.dmp	dcrat
behavioral17/memory/1584-318-0x0000000000910000-0x0000000000AB2000-memory.dmp	dcrat
behavioral17/memory/1160-330-0x0000000000FE0000-0x0000000001182000-memory.dmp	dcrat
behavioral17/memory/1432-342-0x0000000001370000-0x0000000001512000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2416	powershell.exe
772	powershell.exe
564	powershell.exe
2964	powershell.exe
2604	powershell.exe
1732	powershell.exe
3016	powershell.exe
1160	powershell.exe
1616	powershell.exe
2168	powershell.exe
1596	powershell.exe
916	powershell.exe
448	powershell.exe
2140	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
756	spoolsv.exe
2608	spoolsv.exe
1508	spoolsv.exe
1644	spoolsv.exe
1596	spoolsv.exe
2944	spoolsv.exe
1892	spoolsv.exe
1056	spoolsv.exe
1480	spoolsv.exe
1584	spoolsv.exe
1160	spoolsv.exe
1432	spoolsv.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX9687.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCX9E98.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCX9E99.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX9995.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX9A03.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\f3b6ecef712a24	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Windows Media Player\fr-FR\f11cf609cd2375	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\f3b6ecef712a24	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\cc11b995f2a76d	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\56085415360792	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX96F5.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ja-JP\winlogon.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\ja-JP\winlogon.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
2696	schtasks.exe
1408	schtasks.exe
2188	schtasks.exe
2996	schtasks.exe
2756	schtasks.exe
2316	schtasks.exe
752	schtasks.exe
1780	schtasks.exe
2696	schtasks.exe
2756	schtasks.exe
2640	schtasks.exe
2188	schtasks.exe
676	schtasks.exe
2960	schtasks.exe
2008	schtasks.exe
2716	schtasks.exe
2996	schtasks.exe
1640	schtasks.exe
2016	schtasks.exe
1776	schtasks.exe
2860	schtasks.exe
3056	schtasks.exe
2860	schtasks.exe
2768	schtasks.exe
2908	schtasks.exe
2024	schtasks.exe
2876	schtasks.exe
2488	schtasks.exe
2004	schtasks.exe
2680	schtasks.exe
2852	schtasks.exe
1880	schtasks.exe
2676	schtasks.exe
1236	schtasks.exe
1844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
1596	powershell.exe
3016	powershell.exe
2604	powershell.exe
916	powershell.exe
448	powershell.exe
1160	powershell.exe
1732	powershell.exe
2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2416	powershell.exe
772	powershell.exe
2964	powershell.exe
2140	powershell.exe
1616	powershell.exe
564	powershell.exe
2168	powershell.exe
756	spoolsv.exe
2608	spoolsv.exe
1508	spoolsv.exe
1644	spoolsv.exe
1596	spoolsv.exe
2944	spoolsv.exe
1892	spoolsv.exe
1056	spoolsv.exe
1480	spoolsv.exe
1584	spoolsv.exe
1160	spoolsv.exe
1432	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	756	spoolsv.exe
Token: SeDebugPrivilege	2608	spoolsv.exe
Token: SeDebugPrivilege	1508	spoolsv.exe
Token: SeDebugPrivilege	1644	spoolsv.exe
Token: SeDebugPrivilege	1596	spoolsv.exe
Token: SeDebugPrivilege	2944	spoolsv.exe
Token: SeDebugPrivilege	1892	spoolsv.exe
Token: SeDebugPrivilege	1056	spoolsv.exe
Token: SeDebugPrivilege	1480	spoolsv.exe
Token: SeDebugPrivilege	1584	spoolsv.exe
Token: SeDebugPrivilege	1160	spoolsv.exe
Token: SeDebugPrivilege	1432	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2604	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	49
PID 1924 wrote to memory of 2604	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	49
PID 1924 wrote to memory of 2604	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	49
PID 1924 wrote to memory of 1732	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	50
PID 1924 wrote to memory of 1732	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	50
PID 1924 wrote to memory of 1732	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	50
PID 1924 wrote to memory of 3016	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	51
PID 1924 wrote to memory of 3016	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	51
PID 1924 wrote to memory of 3016	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	51
PID 1924 wrote to memory of 1596	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	53
PID 1924 wrote to memory of 1596	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	53
PID 1924 wrote to memory of 1596	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	53
PID 1924 wrote to memory of 916	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	55
PID 1924 wrote to memory of 916	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	55
PID 1924 wrote to memory of 916	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	55
PID 1924 wrote to memory of 448	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	56
PID 1924 wrote to memory of 448	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	56
PID 1924 wrote to memory of 448	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	56
PID 1924 wrote to memory of 1160	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	58
PID 1924 wrote to memory of 1160	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	58
PID 1924 wrote to memory of 1160	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	58
PID 1924 wrote to memory of 1716	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	63
PID 1924 wrote to memory of 1716	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	63
PID 1924 wrote to memory of 1716	1924	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	63
PID 1716 wrote to memory of 880	1716	cmd.exe	65
PID 1716 wrote to memory of 880	1716	cmd.exe	65
PID 1716 wrote to memory of 880	1716	cmd.exe	65
PID 1716 wrote to memory of 2896	1716	cmd.exe	66
PID 1716 wrote to memory of 2896	1716	cmd.exe	66
PID 1716 wrote to memory of 2896	1716	cmd.exe	66
PID 2896 wrote to memory of 2140	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	85
PID 2896 wrote to memory of 2140	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	85
PID 2896 wrote to memory of 2140	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	85
PID 2896 wrote to memory of 2416	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	87
PID 2896 wrote to memory of 2416	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	87
PID 2896 wrote to memory of 2416	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	87
PID 2896 wrote to memory of 1616	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	89
PID 2896 wrote to memory of 1616	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	89
PID 2896 wrote to memory of 1616	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	89
PID 2896 wrote to memory of 2168	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	91
PID 2896 wrote to memory of 2168	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	91
PID 2896 wrote to memory of 2168	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	91
PID 2896 wrote to memory of 772	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	92
PID 2896 wrote to memory of 772	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	92
PID 2896 wrote to memory of 772	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	92
PID 2896 wrote to memory of 2964	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	93
PID 2896 wrote to memory of 2964	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	93
PID 2896 wrote to memory of 2964	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	93
PID 2896 wrote to memory of 564	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	94
PID 2896 wrote to memory of 564	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	94
PID 2896 wrote to memory of 564	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	94
PID 2896 wrote to memory of 1476	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	99
PID 2896 wrote to memory of 1476	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	99
PID 2896 wrote to memory of 1476	2896	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	99
PID 1476 wrote to memory of 2388	1476	cmd.exe	102
PID 1476 wrote to memory of 2388	1476	cmd.exe	102
PID 1476 wrote to memory of 2388	1476	cmd.exe	102
PID 1476 wrote to memory of 756	1476	cmd.exe	103
PID 1476 wrote to memory of 756	1476	cmd.exe	103
PID 1476 wrote to memory of 756	1476	cmd.exe	103
PID 756 wrote to memory of 1308	756	spoolsv.exe	104
PID 756 wrote to memory of 1308	756	spoolsv.exe	104
PID 756 wrote to memory of 1308	756	spoolsv.exe	104
PID 756 wrote to memory of 1000	756	spoolsv.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbdqqO4wF7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
    "C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\winlogon.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rhJyFUC1sI.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2388
    - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c80d33-fc82-49f6-9887-6194c9b9e4c9.vbs"
        6⤵
        
        PID:1308
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c00bb0f4-042f-4d3e-84f5-7199ba61a020.vbs"
        8⤵
        
        PID:2856
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd1e594-cedb-4e66-881e-35b3b8dceec7.vbs"
        10⤵
        
        PID:2704
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdc0d54-74b5-4bf0-a765-2c7ef67e8c19.vbs"
        12⤵
        
        PID:1608
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\514d493e-a860-4192-984f-dc65d6893eb9.vbs"
        14⤵
        
        PID:2288
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48e748f3-a566-4a80-89e5-fd5c2e913cba.vbs"
        16⤵
        
        PID:2960
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14bf4083-7c70-4ede-b737-48785590ba59.vbs"
        18⤵
        
        PID:2624
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02916f4a-e6af-4d0e-b264-909a38163ccf.vbs"
        20⤵
        
        PID:576
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8593642-4ae0-4d7b-a635-55ead738bac7.vbs"
        22⤵
        
        PID:2476
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64bd468e-b006-4891-8c9e-ed6fe8762c66.vbs"
        24⤵
        
        PID:1888
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4182c578-166e-4201-bf9d-5ec13bf3a395.vbs"
        26⤵
        
        PID:2136
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e533bebb-91a0-40e9-ba70-ab74737a4659.vbs"
        28⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ece93cd-1e7b-4d05-91de-4312fb22e31b.vbs"
        28⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20a87400-8df2-4ca6-b6d5-d0dbe1d1144b.vbs"
        26⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a3c08a6-4162-4791-93b6-48e4dd3f605e.vbs"
        24⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dbfa688-7d89-49e9-9a8c-a72885053d3d.vbs"
        22⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43ebebfc-f677-4577-a210-efaeec9cf7f8.vbs"
        20⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\513c39f7-de23-4ef3-af25-e97130d2b705.vbs"
        18⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c27f2b-b45b-40d4-9793-b432521ec358.vbs"
        16⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a8081e-fb2c-4086-ba28-50097651a504.vbs"
        14⤵
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24460d33-9f14-4032-a003-e0efeb83429f.vbs"
        12⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\663cd161-27d6-4f00-b318-bcbaaf2d742d.vbs"
        10⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39935f99-b55e-4815-a8a7-8541c3b8616e.vbs"
        8⤵
        
        PID:988
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0b9f79-e92d-461e-ba9d-035c6ade5369.vbs"
        6⤵
        
        PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe

Filesize
1.6MB

MD5
73270f0623b4e563f303814af8a35cdf

SHA1
99d2ec5a6d2796e6e82ae20a2bbce30efd2eec85

SHA256
82cfd06a9b9ac15a3851ef57c628c02add7f85ec9fdffcb7cf5618fef87ea010

SHA512
c101b629eaba445c28830cd08abae82b21b629aec15894861077f9e2369324f5c7c84f38692555764ffd4914ffccde46ef7419346003924013d5a44627565b17

Download Submit
C:\Program Files (x86)\Windows Portable Devices\csrss.exe

Filesize
1.6MB

MD5
0b73d95537d4effd03cef8ff0335ee4e

SHA1
97c6f7d160c7b0b22e4463a4c0ad9a519d003d8a

SHA256
7f8e84fccd955d5e01646ca11ecc7a8b70f6985e36e1df0ece02f37c3d0b81e9

SHA512
ede3722171595d37bc14a9e484471dbfae21a4809e5149cb2b63936ad6867274c26efdbf290146e6a9e37609f8ff659fc5761aa84b32a5c79175f7c8fd019f23

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe

Filesize
1.6MB

MD5
6be01e880b49b6468d97576d45dab300

SHA1
38de2fdc20cc9c0537a778a1c94c1018d7f1203e

SHA256
41ad555e28f385deade32c635e35e0d7fb12698bd6cdac4e65af5940376cee60

SHA512
021beb46a588e0fc058e6f22a6fe2dd03088b42ec89b615611093c03bea538fc486dca0ed6f4f3db499bf69cd0306a49648ac4022323922526bd61133848a2a5

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe

Filesize
1.6MB

MD5
8b03d1f60bdf0b6465c0623109e7269e

SHA1
33fb1f09f53ca182e1112ed973fce8fa97e4398f

SHA256
1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf

SHA512
8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\02916f4a-e6af-4d0e-b264-909a38163ccf.vbs

Filesize
751B

MD5
c2d423d0db9ca53bac8a5054c82a0b7b

SHA1
2e6b5a9ca00bd03d004c9b093ec94fad83093b37

SHA256
f4a133f2af0cf84301e468638a926fdddf5110f4fca12974abfea44bddfa22b9

SHA512
cd5b0e4d8c168aa983a36c4cb477f36b1c1753a89094c1f8bb1fe4ed352459fcc14c18dc552be98c449193d452c31af809f0c010634fc0210d874067b956c8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\14bf4083-7c70-4ede-b737-48785590ba59.vbs

Filesize
751B

MD5
56df3f3f5671dbcbe51c663d33abddc0

SHA1
284c056228cfd33e32597b232104d110d7370a5b

SHA256
3e64a8de9257224e62ebff3b34db31892cea3e9ac2effa39f391dda378752750

SHA512
40d95115dba215c551dc8eda0603e3849a866013c67ed41b75c36bffb967e68eda8a62d92dd5b9b88e66e001838da772a3b00e85029bfbfc5c87480acf6adb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fd1e594-cedb-4e66-881e-35b3b8dceec7.vbs

Filesize
751B

MD5
3cb9ceab802c53b354a7d6a4749b7674

SHA1
3d4a8a415e3b524dfd4ed851314f16566eccb329

SHA256
69d170e27796c7396e64c8164070246d0b5b4833c415153388315e06738a47f6

SHA512
fbf13cd345096cc33e57e48e5a551b88ab761e08db9a13fe52bb78ee936c6ec1e409b0a9a476c962c830842ba3abda15cb4a2fd36c224268e9626e11556f35c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4182c578-166e-4201-bf9d-5ec13bf3a395.vbs

Filesize
751B

MD5
f9b3216288370816b0b19ecf76fc4337

SHA1
cf18e298ee510077c1ab5fc79c100f4aad0a1120

SHA256
eb804a9a3bfca4e1d63d77440812e3ca6ec4874d9597bb21136716ea6bdf0c7c

SHA512
9d300943bb825a010602d1d8066e609943e3b6cfcdbcfcdd355e3c40aa3ce85fd7e6d06f5a88bb696decf9035cf8034fbec810c78691ff98326063f9b563a637

Download Submit
C:\Users\Admin\AppData\Local\Temp\48e748f3-a566-4a80-89e5-fd5c2e913cba.vbs

Filesize
751B

MD5
37ce81857a22af9a1ac4599a4e8b6357

SHA1
c14de35236e37690db1c5be77307bfc63249da80

SHA256
bce354d6c030451f580193bb07261448cd94831c549861ea37c2f6e9606288ef

SHA512
59d14d71c51dd1f948e7ff827e22fb4d1ade8c5d26ef355f64762eb6d1d77525cff4b1d12bc1fca0cae8c37c5e460f7cf679015ce81b5eb1d8c336165c215612

Download Submit
C:\Users\Admin\AppData\Local\Temp\49c80d33-fc82-49f6-9887-6194c9b9e4c9.vbs

Filesize
750B

MD5
01b243ef9b7e78fca2c16f7652a45f82

SHA1
38771516d9b0567ca3fe9b77d41278d5ab102103

SHA256
4a6836a669635fed9f36b345c19723e370c16d6b2fc906c5c31d845c70640ed1

SHA512
3e15cffa6331f63b49ad181b51c6df825cde51ffe784216d951f8fc8765a41e444476ed38c88c9f41fe368761b993c7f770cf6de74a92fefed142f21d67a8364

Download Submit
C:\Users\Admin\AppData\Local\Temp\514d493e-a860-4192-984f-dc65d6893eb9.vbs

Filesize
751B

MD5
40f0984d0ded3b409f55488edb51475c

SHA1
bfcdab74e6b53411c3f75c5b7b0f6b14e5082b96

SHA256
6605dae4da5e4bb3ec6d69a1f635b32b9c3cf192791a60338c1efd1338474d3d

SHA512
1a37ddd6bb39e5dc12c59c885f93801503a274fc0609ada578ca01de400357849644d0bc81555fbdc0817cbb26519503bbd52eec7fe72729d7a433434697c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\64bd468e-b006-4891-8c9e-ed6fe8762c66.vbs

Filesize
751B

MD5
ab98b23fb4347d31512b21ae36d01342

SHA1
c80f267206d2638d51c5aa56443c999d3b581a99

SHA256
a6eea52c38284d8635762529ad038c5fd43d413f62421289b47d2765c5b88f2e

SHA512
771261f8449897ea25255f981f4994668469a153c14ae965d056ef322174de274703dee5d1733cd322194dbf60039485709721c869266b9a88a94841e899709d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0b9f79-e92d-461e-ba9d-035c6ade5369.vbs

Filesize
527B

MD5
427c74111837ab25ebc3e957b7de878a

SHA1
d802d9fdc0d1956f9de4f52138ccb34f4bbccaea

SHA256
b523a1f332255b2ec005b9c5afe4fa1eddd963edcfa9c2fd0be439c9aca428ca

SHA512
fd5bca024eb79c51b6b7a90335e1e7672dcc5ac7da7a862e7a3bc25036b0e31d1feb82d534b4b2cbca04d31752875e43141624f32947c75038512a1ba4a90202

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8593642-4ae0-4d7b-a635-55ead738bac7.vbs

Filesize
751B

MD5
2816adc772b71371a6192a942146c33c

SHA1
ae5bfc395d8bd5a2e74fec628b43a4013a5b21b6

SHA256
6ba7f65c9eaf991e194def1860ac3c77f9c27b30c02482bc7c771840beb95a9f

SHA512
bf9452f406a88d8bd27c4f4a22f624eaaac65dbb794f3f480c0068abf641a307e33462448c776fb68128335aece3f63558a07b6e0fff0053180289e5d0e0f56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdqqO4wF7.bat

Filesize
267B

MD5
7e268009943c9f90f1ad458e64bd4145

SHA1
0d62cc0b9b2a8ff27c75ee3c987eeac139bb3dcd

SHA256
62dec3c112c630ee367c57a19d8a9f7ccead079a5633c9f8d5178cfe09abedd2

SHA512
ded485da3f5b08ed9e995e0a86dd5476fe383cce982b8842ed205d90a6549fc5d28a0b3991820decfd69a4389665183d85a9be09a0dc45e73ed0f000026c220f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcdc0d54-74b5-4bf0-a765-2c7ef67e8c19.vbs

Filesize
751B

MD5
29ba92d387d4f243248b004cf0857f40

SHA1
84796307761cce50e6fc60aab287bc620b87ae6b

SHA256
4bbe1433b54e1f85cac6f37a8bd378086a3e668f02279a66281e60d693c9e491

SHA512
58a8998f0926c06b0efeca187ff8288c9822356658d4b2d62c278e85d9d795d56cdbb9e43da23f71ed7669d24c8b449a1620617d34e7292a9d86e21f9e7e5d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c00bb0f4-042f-4d3e-84f5-7199ba61a020.vbs

Filesize
751B

MD5
6ddc8602de136cfa5a4ce2d411e665ec

SHA1
a67108d2328754a5b1db9c53af3fb2f218a24fe8

SHA256
f71e4b31c347ea22ac7cf66ade9603b2be991244efe4407c9e544bb4c6ce8cf8

SHA512
193111e66532ffd1bdc568918b9aad2d1956f9f3987d550661fd1747ff19fefda119cfdc1ae12752401489d75874b9345bdf493e7046e297a92d3cbd1bb029e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhJyFUC1sI.bat

Filesize
240B

MD5
09f0ae9cb76a3e28f8732870f059cc96

SHA1
e815d34cb854c821ea430fe5a539658c2f7a5854

SHA256
aa19ae8aefbeb092fa3b2c05b6ce976e4965684c56ccc977403a1203322abe94

SHA512
c258a53859a16151f581a096fd68e2bb7688b47b825c6acfea9dc496db7cca703838773febbe5684265d0073e38e59ce321fb9df32bad68060263fc754f0359b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d638a8aa8e6ca4ba671124c950a1d0a0

SHA1
ab787acb4582cbeca2b812df6e4ca95f9aa4d633

SHA256
219f2c0b1fc00a6ad4dc91515b21a5c1474ed624b8ee3f9a777917604b0081ee

SHA512
79eaec864181cfb32bdcfe91d6fcdec68fd50e513abd6bb6cac586cc73bc152a6b3c1f54f578d1358c6532198876c561a13ac5ab816e7b00acdd2d0d065ba417

Download Submit
memory/756-213-0x0000000000A90000-0x0000000000C32000-memory.dmp

Filesize
1.6MB

Download
memory/1160-330-0x0000000000FE0000-0x0000000001182000-memory.dmp

Filesize
1.6MB

Download
memory/1432-342-0x0000000001370000-0x0000000001512000-memory.dmp

Filesize
1.6MB

Download
memory/1480-306-0x00000000002A0000-0x0000000000442000-memory.dmp

Filesize
1.6MB

Download
memory/1508-235-0x0000000001100000-0x00000000012A2000-memory.dmp

Filesize
1.6MB

Download
memory/1584-318-0x0000000000910000-0x0000000000AB2000-memory.dmp

Filesize
1.6MB

Download
memory/1596-259-0x00000000010C0000-0x0000000001262000-memory.dmp

Filesize
1.6MB

Download
memory/1596-128-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/1596-110-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1644-247-0x00000000000A0000-0x0000000000242000-memory.dmp

Filesize
1.6MB

Download
memory/1892-283-0x0000000000AC0000-0x0000000000C62000-memory.dmp

Filesize
1.6MB

Download
memory/1924-13-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/1924-11-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/1924-1-0x0000000000270000-0x0000000000412000-memory.dmp

Filesize
1.6MB

Download
memory/1924-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-117-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-16-0x0000000002190000-0x000000000219C000-memory.dmp

Filesize
48KB

Download
memory/1924-15-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1924-14-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/1924-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/1924-12-0x0000000002150000-0x000000000215E000-memory.dmp

Filesize
56KB

Download
memory/1924-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/1924-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1924-10-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/1924-9-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1924-8-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1924-6-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1924-7-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/1924-5-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2416-184-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2416-179-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2896-144-0x0000000000C70000-0x0000000000E12000-memory.dmp

Filesize
1.6MB

Download
memory/2944-271-0x00000000001F0000-0x0000000000392000-memory.dmp

Filesize
1.6MB

Download