dcrat | 5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
73s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Size

1.6MB
MD5

43460cdfde5083d6f692f08813ef6dd1
SHA1

55756e184df04ffe1c502a40f8f859de16d19003
SHA256

33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b
SHA512

23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4968	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4968	schtasks.exe	88

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/3052-1-0x0000000000610000-0x00000000007B2000-memory.dmp	dcrat
behavioral12/files/0x00070000000240b2-26.dat	dcrat
behavioral12/files/0x000a00000001da09-73.dat	dcrat
behavioral12/files/0x000400000001db40-97.dat	dcrat
behavioral12/files/0x000600000001e449-106.dat	dcrat
behavioral12/files/0x000400000001e582-142.dat	dcrat
behavioral12/files/0x000400000001e59d-153.dat	dcrat
behavioral12/memory/4180-309-0x0000000000610000-0x00000000007B2000-memory.dmp	dcrat
behavioral12/files/0x000600000001e449-431.dat	dcrat
behavioral12/files/0x000200000001e9ce-435.dat	dcrat
behavioral12/files/0x000600000001e449-442.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2108	powershell.exe
3988	powershell.exe
4464	powershell.exe
456	powershell.exe
2448	powershell.exe
3500	powershell.exe
4036	powershell.exe
2556	powershell.exe
1884	powershell.exe
2184	powershell.exe
1976	powershell.exe
3120	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 6 IoCs

pid	Process
4180	StartMenuExperienceHost.exe
3492	StartMenuExperienceHost.exe
2300	StartMenuExperienceHost.exe
4696	StartMenuExperienceHost.exe
3060	StartMenuExperienceHost.exe
1964	StartMenuExperienceHost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\66fc9ff0ee96c2	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX8C75.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX8C76.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\WindowsPowerShell\sihost.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RCXA261.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RCXA262.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files\WindowsPowerShell\sihost.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\886983d96e3d3e	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe
4600	schtasks.exe
960	schtasks.exe
3644	schtasks.exe
3120	schtasks.exe
1536	schtasks.exe
4744	schtasks.exe
1828	schtasks.exe
3636	schtasks.exe
3236	schtasks.exe
332	schtasks.exe
4216	schtasks.exe
1700	schtasks.exe
4536	schtasks.exe
2316	schtasks.exe
1784	schtasks.exe
2848	schtasks.exe
5100	schtasks.exe
4356	schtasks.exe
4524	schtasks.exe
4392	schtasks.exe
4204	schtasks.exe
392	schtasks.exe
2896	schtasks.exe
2080	schtasks.exe
4036	schtasks.exe
772	schtasks.exe
1620	schtasks.exe
2564	schtasks.exe
3252	schtasks.exe
4848	schtasks.exe
696	schtasks.exe
440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
456	powershell.exe
456	powershell.exe
1884	powershell.exe
1884	powershell.exe
3500	powershell.exe
3500	powershell.exe
2108	powershell.exe
2108	powershell.exe
2184	powershell.exe
2184	powershell.exe
2448	powershell.exe
2448	powershell.exe
3120	powershell.exe
3120	powershell.exe
4464	powershell.exe
4464	powershell.exe
1884	powershell.exe
2556	powershell.exe
2556	powershell.exe
4036	powershell.exe
4036	powershell.exe
3988	powershell.exe
3988	powershell.exe
1976	powershell.exe
1976	powershell.exe
3500	powershell.exe
3120	powershell.exe
456	powershell.exe
456	powershell.exe
2108	powershell.exe
4036	powershell.exe
2184	powershell.exe
4464	powershell.exe
2556	powershell.exe
2448	powershell.exe
3988	powershell.exe
1976	powershell.exe
4180	StartMenuExperienceHost.exe
3492	StartMenuExperienceHost.exe
2300	StartMenuExperienceHost.exe
2300	StartMenuExperienceHost.exe
4696	StartMenuExperienceHost.exe
3060	StartMenuExperienceHost.exe
1964	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	4180	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3492	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2300	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4696	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3060	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1964	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 456	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	126
PID 3052 wrote to memory of 456	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	126
PID 3052 wrote to memory of 2184	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	127
PID 3052 wrote to memory of 2184	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	127
PID 3052 wrote to memory of 4464	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	128
PID 3052 wrote to memory of 4464	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	128
PID 3052 wrote to memory of 1884	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	129
PID 3052 wrote to memory of 1884	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	129
PID 3052 wrote to memory of 3988	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	131
PID 3052 wrote to memory of 3988	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	131
PID 3052 wrote to memory of 2556	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	132
PID 3052 wrote to memory of 2556	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	132
PID 3052 wrote to memory of 4036	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	133
PID 3052 wrote to memory of 4036	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	133
PID 3052 wrote to memory of 2108	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	135
PID 3052 wrote to memory of 2108	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	135
PID 3052 wrote to memory of 3120	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	137
PID 3052 wrote to memory of 3120	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	137
PID 3052 wrote to memory of 1976	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	143
PID 3052 wrote to memory of 1976	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	143
PID 3052 wrote to memory of 3500	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	144
PID 3052 wrote to memory of 3500	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	144
PID 3052 wrote to memory of 2448	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	145
PID 3052 wrote to memory of 2448	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	145
PID 3052 wrote to memory of 4424	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	150
PID 3052 wrote to memory of 4424	3052	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	150
PID 4424 wrote to memory of 3520	4424	cmd.exe	152
PID 4424 wrote to memory of 3520	4424	cmd.exe	152
PID 4424 wrote to memory of 4180	4424	cmd.exe	155
PID 4424 wrote to memory of 4180	4424	cmd.exe	155
PID 4180 wrote to memory of 1672	4180	StartMenuExperienceHost.exe	156
PID 4180 wrote to memory of 1672	4180	StartMenuExperienceHost.exe	156
PID 4180 wrote to memory of 3448	4180	StartMenuExperienceHost.exe	157
PID 4180 wrote to memory of 3448	4180	StartMenuExperienceHost.exe	157
PID 1672 wrote to memory of 3492	1672	WScript.exe	158
PID 1672 wrote to memory of 3492	1672	WScript.exe	158
PID 3492 wrote to memory of 4952	3492	StartMenuExperienceHost.exe	159
PID 3492 wrote to memory of 4952	3492	StartMenuExperienceHost.exe	159
PID 3492 wrote to memory of 2760	3492	StartMenuExperienceHost.exe	160
PID 3492 wrote to memory of 2760	3492	StartMenuExperienceHost.exe	160
PID 4952 wrote to memory of 2300	4952	WScript.exe	166
PID 4952 wrote to memory of 2300	4952	WScript.exe	166
PID 2300 wrote to memory of 3724	2300	StartMenuExperienceHost.exe	167
PID 2300 wrote to memory of 3724	2300	StartMenuExperienceHost.exe	167
PID 2300 wrote to memory of 4720	2300	StartMenuExperienceHost.exe	168
PID 2300 wrote to memory of 4720	2300	StartMenuExperienceHost.exe	168
PID 3724 wrote to memory of 4696	3724	WScript.exe	172
PID 3724 wrote to memory of 4696	3724	WScript.exe	172
PID 4696 wrote to memory of 4848	4696	StartMenuExperienceHost.exe	173
PID 4696 wrote to memory of 4848	4696	StartMenuExperienceHost.exe	173
PID 4696 wrote to memory of 680	4696	StartMenuExperienceHost.exe	174
PID 4696 wrote to memory of 680	4696	StartMenuExperienceHost.exe	174
PID 4848 wrote to memory of 3060	4848	WScript.exe	175
PID 4848 wrote to memory of 3060	4848	WScript.exe	175
PID 3060 wrote to memory of 4644	3060	StartMenuExperienceHost.exe	176
PID 3060 wrote to memory of 4644	3060	StartMenuExperienceHost.exe	176
PID 3060 wrote to memory of 3244	3060	StartMenuExperienceHost.exe	177
PID 3060 wrote to memory of 3244	3060	StartMenuExperienceHost.exe	177
PID 4644 wrote to memory of 1964	4644	WScript.exe	178
PID 4644 wrote to memory of 1964	4644	WScript.exe	178
PID 1964 wrote to memory of 2368	1964	StartMenuExperienceHost.exe	179
PID 1964 wrote to memory of 2368	1964	StartMenuExperienceHost.exe	179
PID 1964 wrote to memory of 1788	1964	StartMenuExperienceHost.exe	180
PID 1964 wrote to memory of 1788	1964	StartMenuExperienceHost.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
"C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gVDbXbnsty.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3520
- - C:\0154351536fc379faee1\StartMenuExperienceHost.exe
    "C:\0154351536fc379faee1\StartMenuExperienceHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4508d78-2a69-4e4b-bbeb-7a11e929b132.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e92e864-aa21-4306-abf3-12e885a31c71.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\855239ec-2169-4124-aeec-9fa509e9fb20.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b59daa4-437c-4095-b24d-94ee0f94f91a.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffae9c8c-7b61-4c1a-b22b-f0690933fe51.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae381d33-6346-4b3e-a7d9-b40314ff660d.vbs"
        14⤵
        
        PID:2368
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        15⤵
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fef09f9-cc55-4ed3-9aa7-0302d6ce9564.vbs"
        16⤵
        
        PID:816
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        17⤵
        
        PID:3168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7db1366-bb23-4249-900c-2b039548d05e.vbs"
        18⤵
        
        PID:892
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        19⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a688139-a870-471d-9840-4edc080f1cc4.vbs"
        20⤵
        
        PID:4592
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        21⤵
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1547e78f-6ba4-40bd-b362-d9d3069f9876.vbs"
        22⤵
        
        PID:4540
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        23⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6961b22e-173c-47e3-a078-e59fae5c2283.vbs"
        24⤵
        
        PID:3228
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        25⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f6b368d-31ea-4da7-b567-2026ba6fb5e1.vbs"
        26⤵
        
        PID:3252
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        27⤵
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977b9a27-ce0d-4aff-b105-fe4bc86bdf2d.vbs"
        28⤵
        
        PID:3688
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        
        C:\0154351536fc379faee1\StartMenuExperienceHost.exe
        29⤵
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83702a88-768f-4d10-84b9-e4e5861c52a9.vbs"
        28⤵
        
        PID:4716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5927218a-60d8-4e93-b62c-046264409b20.vbs"
        26⤵
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c58f9bd-f860-4b76-8bfe-23fd06ead8d1.vbs"
        24⤵
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65affea2-dea4-48d0-8192-5f2397368381.vbs"
        22⤵
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2a55b42-6900-4af8-b2b5-b0d621a778ce.vbs"
        20⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9098d30a-2e11-4c1e-8761-084b094c6dba.vbs"
        18⤵
        
        PID:3952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f5a682f-ba3d-41d4-be33-d47253fb10e0.vbs"
        16⤵
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b77ba38e-5f14-454f-aa4f-def13315704c.vbs"
        14⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8a8e29b-422a-4be3-954e-ed81c9f4bbf1.vbs"
        12⤵
        
        PID:3244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a2fa29c-036e-4f64-9b0a-471988a6588a.vbs"
        10⤵
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8822f86-7e07-4917-b770-df8b118f3fa6.vbs"
        8⤵
        
        PID:4720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcb18e7f-4954-43d0-9bbf-1cb1203f2c45.vbs"
        6⤵
        
        PID:2760
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\927e498c-0cb3-476a-b436-3447787874b8.vbs"
      4⤵
      PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\0154351536fc379faee1\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\0154351536fc379faee1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\0154351536fc379faee1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\0154351536fc379faee1\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\0154351536fc379faee1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\0154351536fc379faee1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
3ceb3a17c1afbeefe6ee12dc43bf0bba

SHA1
978c9b7eb568664497c02dab3cd9356327d9b624

SHA256
22680589cfef2ba33d1797240c9b304c44ba1ef86c22be5c679253e9f7350721

SHA512
74537aa0ee5e391dc447145489f3321f689dc4f78a03f5fa23e1fde587abc50413c039a755551bc83a333c6a730986cc4351df61d62b1e903fa9b81db255b3da

Download Submit
C:\0154351536fc379faee1\StartMenuExperienceHost.exe

Filesize
1.5MB

MD5
db74a4252fae2fe90515378923db77f0

SHA1
959996b7d9c5e03ebe07509d650648d4e3ac4ac7

SHA256
b23960b2fa4727983369f36ddb47a744c0ef721fd382be0c1d47e46cf8d0b51f

SHA512
a4a08fa682fdaf1bf10633b7fe170095cde1704bff11aa9d230ec0b1104d4d19fb4558bbd79cd3c84ab26fc9b0cfe46b48de1c4f57532e8e143339a7d0222b67

Download Submit
C:\0154351536fc379faee1\StartMenuExperienceHost.exe

Filesize
898KB

MD5
618f57d600d964018c0fa7766d803c31

SHA1
c0a54722855616cae710f55f194c25980c38278d

SHA256
a66e0dfa8dac9655b59d9c6da9f574456a6b4642a1f796adeeecfa53fad49364

SHA512
cd4d76db7ab826920c737272f476b7f50ea49f89c2530fab53a9992429d6c964948443a4cb93e927841a0b9b1fd2a79000cf026f1bc91b51e7396b7a9a0d49b1

Download Submit
C:\0154351536fc379faee1\services.exe

Filesize
1.6MB

MD5
3ab0a8b15c55c6bfda450f4fccdbaeb4

SHA1
40a0fdc7d6db52313e38e15f19b7922de317c58a

SHA256
ee1074f91506bba21819cfeb3df698c81252e7bad987d55089114460dd9ee0bf

SHA512
919edf4ac8adb46de14c12f401190c6b72d691b3dd35130d843a05c30bbdd9f4b5973be6549c09b22a3216b26db808488d9ac99272ce3e57ae9837e85b0fc231

Download Submit
C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe

Filesize
1.6MB

MD5
ff01ea58f5cbdc72ad2cdf56d1a79303

SHA1
a3aa4607c35f6163a69f54f6d32a5ec2ba45536f

SHA256
21ade5293e25c2e5c13abfb1d263b246a57185a5b2ac4d9c7f1e326573f9b23c

SHA512
5269c62b0c5d3dc725e7fcc80f4f26a725754e7df6ea75422f05f23092885b112d7b6f6d6ecfb8df67a94eb980ead171a445a6ccf765a793cee65916513ffa2e

Download Submit
C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe

Filesize
1.6MB

MD5
43460cdfde5083d6f692f08813ef6dd1

SHA1
55756e184df04ffe1c502a40f8f859de16d19003

SHA256
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b

SHA512
23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66

Download Submit
C:\3ac54ddf2ad44faa6035cf\services.exe

Filesize
1.6MB

MD5
ea07a5b133ad37a1827303b94e891be0

SHA1
a7834fc486fa2f6cc6b0a7cb8c86cf82fd9b06e9

SHA256
2382a57631bdbe2c41d6f585ff48660999db1b68128d9dffcdb8c1a1f433695d

SHA512
ca5767e7aac3ff9a3f1444aad145c4b77c582081d1bcd6141671f775266b7de9a566e8d98ca5c69257c75a29b22d856f104f50010502f9ce2fa2873ec89f990a

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.6MB

MD5
50aa4e776822dc0c012948d97c4cadad

SHA1
fb0b1b4941c0b707a2b634998b6abdcc80354864

SHA256
417c0a997a61d971b40769afd4bec0d8f3153fdc95b2eea4cf59b7f15ea1d406

SHA512
e042f83f17420ac77879c9a9668b54da2f920c4e961bde0da6682f75d318bca6baac183a6db25a119d7c4d7dcd0cb4eb56ff4759f3997bcf1efd9d4727d3a34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba8a00bf6995531451ca4ff43fecb0b9

SHA1
b590fcea37aded3a4b083ec2d39252fe10b97a61

SHA256
0211a4649daa040751a5aa8f42a3a677da906daf541fed80c2aa19c5f77e9a60

SHA512
e0cfd06cca6fca6d1b742ecc354c2dd9c0e72ab456525086c2af388cb533ff5baae6ff83fa4347dfbc28edc1a2c1b97ef986c2923af9634fd6d967e913fbfc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c44e48d99762769d16de7352e92db16f

SHA1
29898e4ddba0504899fe0f0a55abacf592689e1b

SHA256
f92b4e399718fecfdc08924f70f0bdb7c5e0014eaeec343d815a503e06205bc8

SHA512
18cfd8b4bf3871c26c01d20ecd90f76493a6e55d7df33e78fb1491f6151ab3c04589758d6419f7b73a1288d5e65b85f40142bb7e3df5bc46e7fe4cf2da014879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
566ef902c25833fe5f7f4484509fe364

SHA1
f8ba6651e7e4c64270e95aac690ad758fa3fc7f8

SHA256
28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514

SHA512
b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Temp\1547e78f-6ba4-40bd-b362-d9d3069f9876.vbs

Filesize
726B

MD5
4c9390ccc03d4ef372729cac7e126b32

SHA1
adc16397a57268c84ae1ba4e10759f7fb1e176cb

SHA256
708a21473cd39fc430a84fa5caa60d29c8f184e02473f5be56659c5b6d8e2ebb

SHA512
c6c3243d71c523e0cd8d7c21858d712cc4ee137296a23c4fbea998591465dffa68602fc2d220c21b3786f5320c62602b5924baf0642ddf5272859f25cdd838b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a688139-a870-471d-9840-4edc080f1cc4.vbs

Filesize
726B

MD5
2251b95d34f0638a25c4bae71922dd7a

SHA1
a91c3504fe0a08b032fa67d5777448c3fb9858a0

SHA256
1408a538efac559255f870a9ebae70f022109d5525906797c087763cce0d8cfb

SHA512
ec65b532ac5b4088dbd631714d3f9fb0a263d13b82cdd2cd21c69fae3ec6c82f8339c66dcafd733cff16b1074f6f6e9af1180780f62f33b581859f448cb1995e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fef09f9-cc55-4ed3-9aa7-0302d6ce9564.vbs

Filesize
727B

MD5
78d75c8f388c5ccf9f3234bd085d3fd1

SHA1
5d9b96c73ff4f90815349cdfb9622ce8c042e589

SHA256
748b1de3381294027f4c4ff47a0d5799b320e74e9de66a5d346e7565766b5867

SHA512
c1f48748262a51d18ca9e1ac601c7b4ca8d499248e71ceea2f479ce1d685a2bdef528f60c7c8b284ff780f785c48a671629d28d081c9ec99af76e4da0e5128e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\576d75ff4354c398e1c121496938f8af95d52d9a.exe

Filesize
923KB

MD5
f002dd54f285cc992ad5185edbf072d4

SHA1
1bf39034ea0249e4ea9b421832da12143cb2f86f

SHA256
78f85f0a505ed3e7c788ad7c2b32f3bd6f8c9980b19d509ff91480ac8bf150a2

SHA512
f675c822b6dd3c269880db91084f2c57bae4dedadaa2033fb443b38b4dfb44f12e4e390f78a0ec82c8f30a9749fd844b3f5b67f9a2b328bf67715b50acee0a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e92e864-aa21-4306-abf3-12e885a31c71.vbs

Filesize
727B

MD5
4156ef6a4005f5ed19d416dacc57dc43

SHA1
3244b4769988abfeababe5da75b50de1cf79595f

SHA256
84fa6193d8ad26d9d9883231357a83c575c4114f7744e3922d357b0a360afa06

SHA512
ec836db5236f04d674cb97cdc43d3cc6bbad120811a962722ddce0373e7378964c01b3a672d8541fe261955e0efecfe15cf482b14b8f544be9236bf8c9525288

Download Submit
C:\Users\Admin\AppData\Local\Temp\6961b22e-173c-47e3-a078-e59fae5c2283.vbs

Filesize
727B

MD5
0e6425472b7f4ccebb89932ccaf4e17b

SHA1
bd14fcac9367f57a2f98edbf29a16d2d9cf01fba

SHA256
4b92be96ff5aa71286d62f11cbee5a7380a181df71510e7a1e246cc0c50f791c

SHA512
1fcc77e3f3213b0d00748307e6254bea5cdbd7d80fe40378f9cc4f75391c064fdf4d3e9d9620761bf93989d0b0d35522e86beb7938cff4b1de712579d5d2a53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b59daa4-437c-4095-b24d-94ee0f94f91a.vbs

Filesize
727B

MD5
42d631635146f876468c54a05a00e1e0

SHA1
7eff5f64deb8f11171765e62ddc352b0d42b2b55

SHA256
244cd1074773b008341c602845c04e15db22fb3fd3e71562406379fa9686fb3f

SHA512
9311d08077b1d2703fdce61d81ba02bde2dd33b50a16c673839a971eac70b4cb0ce17ecbdf026398503caa5d9cd9615867a366a069837a3b92f7d3134797201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\855239ec-2169-4124-aeec-9fa509e9fb20.vbs

Filesize
727B

MD5
c808a49d3add40b2ed298a9727ce4625

SHA1
90bee1854cdf487a3f59a7ff0c385d55cc57e2d1

SHA256
a393af14a06121706f828957ff7ecae530e35c9a0d7dcf7e4436666045fbd072

SHA512
f611bb85de4e5705a51f42a4a185e6b7b179394838e3cc0e7f457d660ba289d05702160d5666a9f25d89358c328d75b3b32650c025cb9803a4e4689087d63b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\927e498c-0cb3-476a-b436-3447787874b8.vbs

Filesize
503B

MD5
5c8f76c79ed3ae674555e345eaaded63

SHA1
6059fd092b3f74e9ac61dedc576720446fc30fb0

SHA256
06d896832e8548efa1867dfb1f0f8c8f8e9607e83d81cd25a1e7782877589d57

SHA512
9a70f0da2bba5053cf70f12ac31766e64c90bb51a6a04fa512e575c0f839827b341f59629d8d4dcfdb0d4873369765318e188bec8794ebd811af972ed67df0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\977b9a27-ce0d-4aff-b105-fe4bc86bdf2d.vbs

Filesize
727B

MD5
6e6a971b15a86a254300110884d8b294

SHA1
bb43cbc15725dd299dfff89a2d5ce2058e6652f3

SHA256
bb681e4b54ebcae92e888d0d188ff980412aad1f5993e2b9299f3f671fa4edd2

SHA512
48e914e85dedc8f7dc69c2205a1a22f497c5451aafc7d77c1ec0d962b6aa5ec1988cb8812eda43f9968ae7f9459136a02ac1e50a8a00b188fcb0493f9e909823

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f6b368d-31ea-4da7-b567-2026ba6fb5e1.vbs

Filesize
727B

MD5
ef4b0fd388ffc3de3e7095e386a551b5

SHA1
63d0a9ff1287d4deace3aeb7210fda4ec4545a73

SHA256
0c3004590bebee778f53bb7f3f85b41d7ed19dc56d4985b5e3dd6a6ebd71837a

SHA512
255d25562996bb6eea683328322ff3aa54a93b34e886777e5976a1637ee6fac7e8914a6d3e2e1113c40863bd0b7fd20aed960f618915ea09c75faca0f28ed8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hecjwagm.sh5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae381d33-6346-4b3e-a7d9-b40314ff660d.vbs

Filesize
727B

MD5
a0639f3a5f85f4a9df32d6c25667e054

SHA1
bdd6620e50e9c7fd57d1ca3e19a29cac339b0c9d

SHA256
aa6a04b511f48288df0d8904233e40ce8f61398a28460f875165d09e48380662

SHA512
0339120adde68d62931cf638cf6a76a3b6b2892573c7e05af88d83d6a64213ed713efbe948167af384e04cfe4b6c7a11ec1080617fea84b80f4c0d44cae95bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4508d78-2a69-4e4b-bbeb-7a11e929b132.vbs

Filesize
727B

MD5
75b12bf5e8f9c5d58d1b377241183d1a

SHA1
86467d6295f211a3dc5ef3bfa216e639f6f8b1f7

SHA256
8dd2dfad947871549999d83c45caf95112bc8a38ee6736ac2544b475583fbb53

SHA512
b0f14219eec23382f8a559704deea3ce0f443925a62e5e60baa67c5997989c455d4f02a923c584a16ee0e50f2017aafe41b60df88f1569b658e4f561db4b26bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7db1366-bb23-4249-900c-2b039548d05e.vbs

Filesize
727B

MD5
eb090ee84b3183961f67d554c877917b

SHA1
259e9c0c263e3cd250d125cdd82ff06a9d002f00

SHA256
cef3901b8c6bc6a93432e9869ba849b4907d27291207ea849d61ee4b29866c13

SHA512
a91b0bfb5ad4e3b828c4003f7a6fa5f17e133126962ed116e4a4e3a16e6e618a6c0817f34f85f703475cce5111c000792b92f86a1408495b6a597b27cabbb30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffae9c8c-7b61-4c1a-b22b-f0690933fe51.vbs

Filesize
727B

MD5
357f5769dcf55f451bdb7ad6a1f0e405

SHA1
9a4d9c8311a5fe3c221c5ba3b4bfeb73abd46664

SHA256
d0d73c906c27751742a5ce565822687e3149a319bd542c3cfbe8e923f4c2cf91

SHA512
c8a0109e81c8a0b88e83948d358be19b3d1288d177dd71fda78ee19306c8ab9426363d8f668380a88167fa90519c12cb98e870bd9b7b2576a0803c4501f46aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gVDbXbnsty.bat

Filesize
216B

MD5
bf4c6ec18c7e605c22e0e41b131a0b38

SHA1
98d25f06826f652450e3771f05d78e4f97431d55

SHA256
686ef2356dd2fe092c8898969007713ecaccef5010328fb0a2f699ae2895b349

SHA512
5b2380d069929f2724e98ed9cf80b70ca621d01e5d689f77e0c42f522a71f2713016ad615ad89227ce157a1e7bfd328a8cd063d578f63edfe2e679e06e9889bb

Download Submit
memory/456-182-0x000001B333F00000-0x000001B333F22000-memory.dmp

Filesize
136KB

Download
memory/3052-12-0x000000001B5A0000-0x000000001B5AA000-memory.dmp

Filesize
40KB

Download
memory/3052-11-0x000000001B480000-0x000000001B48C000-memory.dmp

Filesize
48KB

Download
memory/3052-225-0x00007FFAB1860000-0x00007FFAB2321000-memory.dmp

Filesize
10.8MB

Download
memory/3052-7-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/3052-16-0x000000001B5E0000-0x000000001B5EA000-memory.dmp

Filesize
40KB

Download
memory/3052-13-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

Filesize
56KB

Download
memory/3052-17-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/3052-15-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/3052-1-0x0000000000610000-0x00000000007B2000-memory.dmp

Filesize
1.6MB

Download
memory/3052-0-0x00007FFAB1863000-0x00007FFAB1865000-memory.dmp

Filesize
8KB

Download
memory/3052-10-0x000000001B470000-0x000000001B47C000-memory.dmp

Filesize
48KB

Download
memory/3052-9-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/3052-6-0x00000000028E0000-0x00000000028F6000-memory.dmp

Filesize
88KB

Download
memory/3052-14-0x000000001B5C0000-0x000000001B5C8000-memory.dmp

Filesize
32KB

Download
memory/3052-8-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/3052-4-0x0000000002920000-0x0000000002970000-memory.dmp

Filesize
320KB

Download
memory/3052-5-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3052-3-0x00000000010C0000-0x00000000010DC000-memory.dmp

Filesize
112KB

Download
memory/3052-2-0x00007FFAB1860000-0x00007FFAB2321000-memory.dmp

Filesize
10.8MB

Download
memory/4180-309-0x0000000000610000-0x00000000007B2000-memory.dmp

Filesize
1.6MB

Download