dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

454e6ce92c1c3a8c55164afd9b2d4f08.exe
Size

1.6MB
MD5

454e6ce92c1c3a8c55164afd9b2d4f08
SHA1

fe300937097e5e84fe9b9ee61292a8aa4462cec2
SHA256

f2931e5d0ed208b3ff25ea01cb1b3c2f9e03990b9e5ac912a6abce922aa16501
SHA512

91f631962f40a284638509a4c5087327b39fc1f65d3eb2e69369a611f0dffc0e60ba69aaa2061682a2ed979e42cad2b3c8c95483031f492acfce13b31662483a
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6052	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5616	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3948	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3948	schtasks.exe	87

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/3580-1-0x0000000000C80000-0x0000000000E22000-memory.dmp	dcrat
behavioral30/files/0x000700000002427e-26.dat	dcrat
behavioral30/files/0x000e0000000240c4-78.dat	dcrat
behavioral30/files/0x00070000000242a2-100.dat	dcrat
behavioral30/files/0x000900000002427e-111.dat	dcrat
behavioral30/files/0x000c000000024283-134.dat	dcrat
behavioral30/files/0x000900000002428b-145.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4476	powershell.exe
5188	powershell.exe
6024	powershell.exe
6128	powershell.exe
6132	powershell.exe
4904	powershell.exe
4464	powershell.exe
1748	powershell.exe
5696	powershell.exe
6084	powershell.exe
2432	powershell.exe
4792	powershell.exe
1660	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	454e6ce92c1c3a8c55164afd9b2d4f08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 13 IoCs

pid	Process
1796	dllhost.exe
5376	dllhost.exe
724	dllhost.exe
2796	dllhost.exe
3788	dllhost.exe
4784	dllhost.exe
1940	dllhost.exe
396	dllhost.exe
5108	dllhost.exe
4284	dllhost.exe
2880	dllhost.exe
5028	dllhost.exe
2232	dllhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Java\f3b6ecef712a24	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files\Java\RCX9DCC.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files\Java\RCX9E3B.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files\Java\spoolsv.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files\Java\spoolsv.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\schemas\AvailableNetwork\taskhostw.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\RCX98F6.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXA9EC.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\taskhostw.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\unsecapp.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\unsecapp.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\29c1c3cc0f7685	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Windows\schemas\AvailableNetwork\ea9f0e6c9e2dcd	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\RCX9916.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXAA6A.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	454e6ce92c1c3a8c55164afd9b2d4f08.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5596	schtasks.exe
6092	schtasks.exe
2064	schtasks.exe
5856	schtasks.exe
5184	schtasks.exe
4500	schtasks.exe
4028	schtasks.exe
4088	schtasks.exe
4556	schtasks.exe
4980	schtasks.exe
4868	schtasks.exe
4844	schtasks.exe
1568	schtasks.exe
3792	schtasks.exe
4720	schtasks.exe
4412	schtasks.exe
4544	schtasks.exe
5904	schtasks.exe
4816	schtasks.exe
4212	schtasks.exe
6052	schtasks.exe
4828	schtasks.exe
5616	schtasks.exe
4576	schtasks.exe
4708	schtasks.exe
4988	schtasks.exe
4376	schtasks.exe
4892	schtasks.exe
1000	schtasks.exe
4456	schtasks.exe
5580	schtasks.exe
4776	schtasks.exe
3836	schtasks.exe
5468	schtasks.exe
2112	schtasks.exe
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
2432	powershell.exe
2432	powershell.exe
6128	powershell.exe
6128	powershell.exe
6084	powershell.exe
6084	powershell.exe
5188	powershell.exe
5188	powershell.exe
4904	powershell.exe
6132	powershell.exe
4904	powershell.exe
6132	powershell.exe
6024	powershell.exe
6024	powershell.exe
4464	powershell.exe
4464	powershell.exe
4792	powershell.exe
4792	powershell.exe
2432	powershell.exe
1748	powershell.exe
1748	powershell.exe
6132	powershell.exe
5696	powershell.exe
5696	powershell.exe
1660	powershell.exe
1660	powershell.exe
4476	powershell.exe
4476	powershell.exe
6128	powershell.exe
6128	powershell.exe
6084	powershell.exe
4464	powershell.exe
4792	powershell.exe
4904	powershell.exe
5188	powershell.exe
6024	powershell.exe
4476	powershell.exe
5696	powershell.exe
1748	powershell.exe
1660	powershell.exe
1796	dllhost.exe
5376	dllhost.exe
724	dllhost.exe
2796	dllhost.exe
2796	dllhost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	6084	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	1796	dllhost.exe
Token: SeDebugPrivilege	5376	dllhost.exe
Token: SeDebugPrivilege	724	dllhost.exe
Token: SeDebugPrivilege	2796	dllhost.exe
Token: SeDebugPrivilege	3788	dllhost.exe
Token: SeDebugPrivilege	4784	dllhost.exe
Token: SeDebugPrivilege	1940	dllhost.exe
Token: SeDebugPrivilege	396	dllhost.exe
Token: SeDebugPrivilege	5108	dllhost.exe
Token: SeDebugPrivilege	4284	dllhost.exe
Token: SeDebugPrivilege	2880	dllhost.exe
Token: SeDebugPrivilege	5028	dllhost.exe
Token: SeDebugPrivilege	2232	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 6132	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	127
PID 3580 wrote to memory of 6132	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	127
PID 3580 wrote to memory of 4904	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	128
PID 3580 wrote to memory of 4904	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	128
PID 3580 wrote to memory of 4792	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	129
PID 3580 wrote to memory of 4792	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	129
PID 3580 wrote to memory of 4464	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	130
PID 3580 wrote to memory of 4464	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	130
PID 3580 wrote to memory of 6128	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	131
PID 3580 wrote to memory of 6128	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	131
PID 3580 wrote to memory of 6024	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	132
PID 3580 wrote to memory of 6024	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	132
PID 3580 wrote to memory of 2432	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	133
PID 3580 wrote to memory of 2432	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	133
PID 3580 wrote to memory of 6084	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	134
PID 3580 wrote to memory of 6084	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	134
PID 3580 wrote to memory of 5188	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	136
PID 3580 wrote to memory of 5188	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	136
PID 3580 wrote to memory of 5696	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	137
PID 3580 wrote to memory of 5696	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	137
PID 3580 wrote to memory of 4476	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	139
PID 3580 wrote to memory of 4476	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	139
PID 3580 wrote to memory of 1748	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	141
PID 3580 wrote to memory of 1748	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	141
PID 3580 wrote to memory of 1660	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	144
PID 3580 wrote to memory of 1660	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	144
PID 3580 wrote to memory of 1624	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	153
PID 3580 wrote to memory of 1624	3580	454e6ce92c1c3a8c55164afd9b2d4f08.exe	153
PID 1624 wrote to memory of 5476	1624	cmd.exe	155
PID 1624 wrote to memory of 5476	1624	cmd.exe	155
PID 1624 wrote to memory of 1796	1624	cmd.exe	158
PID 1624 wrote to memory of 1796	1624	cmd.exe	158
PID 1796 wrote to memory of 5796	1796	dllhost.exe	160
PID 1796 wrote to memory of 5796	1796	dllhost.exe	160
PID 1796 wrote to memory of 2792	1796	dllhost.exe	161
PID 1796 wrote to memory of 2792	1796	dllhost.exe	161
PID 5796 wrote to memory of 5376	5796	WScript.exe	162
PID 5796 wrote to memory of 5376	5796	WScript.exe	162
PID 5376 wrote to memory of 4992	5376	dllhost.exe	163
PID 5376 wrote to memory of 4992	5376	dllhost.exe	163
PID 5376 wrote to memory of 2112	5376	dllhost.exe	164
PID 5376 wrote to memory of 2112	5376	dllhost.exe	164
PID 4992 wrote to memory of 724	4992	WScript.exe	167
PID 4992 wrote to memory of 724	4992	WScript.exe	167
PID 724 wrote to memory of 5824	724	dllhost.exe	169
PID 724 wrote to memory of 5824	724	dllhost.exe	169
PID 724 wrote to memory of 4044	724	dllhost.exe	170
PID 724 wrote to memory of 4044	724	dllhost.exe	170
PID 5824 wrote to memory of 2796	5824	WScript.exe	172
PID 5824 wrote to memory of 2796	5824	WScript.exe	172
PID 2796 wrote to memory of 556	2796	dllhost.exe	173
PID 2796 wrote to memory of 556	2796	dllhost.exe	173
PID 2796 wrote to memory of 4600	2796	dllhost.exe	174
PID 2796 wrote to memory of 4600	2796	dllhost.exe	174
PID 556 wrote to memory of 3788	556	WScript.exe	178
PID 556 wrote to memory of 3788	556	WScript.exe	178
PID 3788 wrote to memory of 5380	3788	dllhost.exe	179
PID 3788 wrote to memory of 5380	3788	dllhost.exe	179
PID 3788 wrote to memory of 5444	3788	dllhost.exe	180
PID 3788 wrote to memory of 5444	3788	dllhost.exe	180
PID 5380 wrote to memory of 4784	5380	WScript.exe	181
PID 5380 wrote to memory of 4784	5380	WScript.exe	181
PID 4784 wrote to memory of 3192	4784	dllhost.exe	182
PID 4784 wrote to memory of 3192	4784	dllhost.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\454e6ce92c1c3a8c55164afd9b2d4f08.exe
"C:\Users\Admin\AppData\Local\Temp\454e6ce92c1c3a8c55164afd9b2d4f08.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\454e6ce92c1c3a8c55164afd9b2d4f08.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\4K\Wallpaper\Windows\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\AvailableNetwork\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PaiUjX8Vy6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5476
- - C:\Recovery\WindowsRE\dllhost.exe
    "C:\Recovery\WindowsRE\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcddb96f-1ca4-4177-bea2-54584e3fb557.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5796
    - - C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a274f714-5bff-43a8-883b-51fa3336224b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf7059f4-ce8c-49a8-a143-9914eac32d43.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5824
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c02ad96e-bd2f-4036-a859-aba7486c661d.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c9ce28e-14d9-4413-8bd5-d9f3721ace73.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5380
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61205ad5-a05f-48c5-ab12-f98fc2e22dde.vbs"
        14⤵
        
        PID:3192
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\987142f2-539b-4f3c-8adc-2de871650cbf.vbs"
        16⤵
        
        PID:1460
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b7804e-8302-46ad-9b6f-08c04a4f2d7b.vbs"
        18⤵
        
        PID:4352
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51608b82-ace1-4494-a782-e65311180b71.vbs"
        20⤵
        
        PID:724
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68405d94-0e77-44b9-9bc4-30700958023a.vbs"
        22⤵
        
        PID:3188
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc256fc2-dfd7-4c57-bcdd-fb132e5be8be.vbs"
        24⤵
        
        PID:924
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32ebb026-c7f5-4de6-af7d-caec68ef189f.vbs"
        26⤵
        
        PID:5600
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d031c4b4-3c7a-4b53-82b0-90d37254a8bb.vbs"
        28⤵
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74c9117d-1c59-4ef4-a3d3-e6f0c62aa30b.vbs"
        28⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9fcb20-ea5a-4367-9574-7c5fea5211f6.vbs"
        26⤵
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d77cdc0c-1eda-4970-89a7-94d4cc435db5.vbs"
        24⤵
        
        PID:6140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9f9cd7-2152-4c90-ae7c-e2fbfc9e17f8.vbs"
        22⤵
        
        PID:3280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bf3dc1b-a849-405a-901c-de4e000ff964.vbs"
        20⤵
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8b07294-5e58-4127-b665-4471f2dea6ec.vbs"
        18⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b95f852-5582-4b11-9a72-bd6afe9d2268.vbs"
        16⤵
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7bd259c-415a-418d-a448-51afdbecdb87.vbs"
        14⤵
        
        PID:5512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecb2896c-3a87-499b-8a91-f4c5349292b4.vbs"
        12⤵
        
        PID:5444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2abcbf96-1b06-4e3f-9ae3-8ba1d308c0da.vbs"
        10⤵
        
        PID:4600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c9a8687-f1ec-4003-9d87-31b1de535869.vbs"
        8⤵
        
        PID:4044
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62f545a-7380-4e7b-ac17-664340a843ee.vbs"
        6⤵
        
        PID:2112
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90fec405-cce1-4c01-85a9-7d8377b0f57f.vbs"
      4⤵
      PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\Windows\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Videos\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\AvailableNetwork\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\AvailableNetwork\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe

Filesize
1.6MB

MD5
454e6ce92c1c3a8c55164afd9b2d4f08

SHA1
fe300937097e5e84fe9b9ee61292a8aa4462cec2

SHA256
f2931e5d0ed208b3ff25ea01cb1b3c2f9e03990b9e5ac912a6abce922aa16501

SHA512
91f631962f40a284638509a4c5087327b39fc1f65d3eb2e69369a611f0dffc0e60ba69aaa2061682a2ed979e42cad2b3c8c95483031f492acfce13b31662483a

Download Submit
C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe

Filesize
1.6MB

MD5
cbd7a7090838e5a622270412bff478c0

SHA1
5a0331253b88eeefa4b474aacd0d94262c802692

SHA256
43c93d4f9708cc955e73cd89660afc40859110584ffb1d66661528947c76786f

SHA512
9ad20f06a9e6dfd1ce3f84ad277e7db58651b20ab4afedf798c0bcc5dfb3b56c0872fadb19e3fcc9e1822dafdc41480c700f76aa3821413467bd6827145facb7

Download Submit
C:\Program Files\Java\spoolsv.exe

Filesize
1.6MB

MD5
71f897f4286bb6cc96bb0c1deb84c564

SHA1
8e3f51a4f750b58fca80631173ed45f02fe7ffd6

SHA256
d68bf699079f98107b98302a720fbe155b6164709f3a195196150dc82c87c28c

SHA512
90e5136884bc8b878a14a3e16a1d68dd700e5f37cbdf7651450cbf0111f3425922b2c17ebedb406e0b03cb153508621ef05745f837e7879c5dab01925c21740d

Download Submit
C:\ProgramData\SoftwareDistribution\sppsvc.exe

Filesize
1.6MB

MD5
d0b6e7a5b1ca2295a16dd58239f046ac

SHA1
1c3c5e272ca07f2879f835021c6893458f722720

SHA256
034579e634940467d7e7dfc94cdf597f41737a38ebbd0c2f0c1a6085746df936

SHA512
80160f51f2c2d08f139af540651c9276efecb24eac8da69568dd4b6644da91dabeb7406200e0d4ec897470bb18b1f9089d7637baa7ed75d6316e8b61685230bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e69ced0a44ced088c3954d6ae03796e7

SHA1
ef4cac17b8643fb57424bb56907381a555a8cb92

SHA256
49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

SHA512
15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d7ef90d60b004c1ca554407c4ce6d0f

SHA1
8d57fc1cbb9776bb85c8c740a7ad2bc10c531fb4

SHA256
5a2c61fa1c443a345a6f9961b72b01489f7ceaf7da9af4f9f217ae5e81a8bffb

SHA512
263d0d91a24adbe5e536a48145976876e88d09b57435efcafd622391f8c586c0d282c7cb78275074e039e3108474c1b13199be1adbcbd79990e6e6b3d60f2809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a16aff60eb3c3e35753a259b050c8a27

SHA1
85196d5dfb23d0c8b32b186325e2d58315a11287

SHA256
a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

SHA512
13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4021b258cd26ad91b3208444aca2f1

SHA1
617431aae43c616ecb3680101f01939d427479ef

SHA256
64edd4e5aafb2dd9117768e239f4368bc2a224de1ec5103a13d80f68ae74c00e

SHA512
5ede51408ee2b94b3d5e9cb192f59bff2ce7521d1f6704141ca40ff1d09b39700bf70b0e482ab55f45e206e0f73b215a2a6bff5e455e5916d2e35aa5122a3af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fdbc304f3d894fc63c481c99aa258017

SHA1
47cd3a7cae4dbf6bdd92532bbb69224a75221b86

SHA256
58c02d17c622f9ffc1744d26a3be409d7a95796119bcea540e54dcf687c8abb3

SHA512
18923c6b620a47d59377bdffd8dbf9717750a52980530cd67c169704649e471b1583eda2045cc7db84e560a9672759f8ea0c3a5ab45d4f328e17aa6e0ca5fae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\32ebb026-c7f5-4de6-af7d-caec68ef189f.vbs

Filesize
709B

MD5
278492872caa2725525426f04b3aac62

SHA1
695cc7714f4a6d8f3b5e2a3c7324d0b127434b7e

SHA256
25e68469451d5873a879ea32b138493cceea022745df013cf7d668bba3c23dac

SHA512
20678d0af63a9593e616b250b68990f122d123762573317b48866e72499494f006cccc5fcd87a428b257f67537776632c5d2cc268323e7c6d4c2e66decf553f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c9ce28e-14d9-4413-8bd5-d9f3721ace73.vbs

Filesize
709B

MD5
91878753b53894381e6b14548db3bc32

SHA1
eead99516f938d770636abf9e7e97457b9a4a0c3

SHA256
1f72b9fb0f6eb84c9a8bb460ec6b653c3658194491e2708d47ea1d0e6078c362

SHA512
c4a63a721b0cb2eaf52c59a9f2f436d246d122319039c993a657053325508da80806ac19cd7fab3a3cc8428676f23076e22f950c8ba5a4b0453d159bf9da2632

Download Submit
C:\Users\Admin\AppData\Local\Temp\51608b82-ace1-4494-a782-e65311180b71.vbs

Filesize
709B

MD5
676f56ab6e74b5e09d91e253ad0616f4

SHA1
0920b243f732b287c6ec786e8aefe4109445ad61

SHA256
a6d290ecbc9be4a1433002f3e4e4e02e45999cfac876b6857446d28c4da7aee2

SHA512
175368507894b2e5f79ccb3c63c7b4b4f657ad335daad7096c79477a20cf2c7b95e2df657ba97152f0c67600f072dcd9f0a3830546952efbe63526001de2aa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\61205ad5-a05f-48c5-ab12-f98fc2e22dde.vbs

Filesize
709B

MD5
799eb3ff1b88aafa359276688787d353

SHA1
c20ad1ca013a9ac28415984021ffa82e8d019f74

SHA256
5627a4aced7890236712710b841b79a2f984ee9856d94ffd49d967ca89a3dbcc

SHA512
cbe744bfe7842251ad1f935713873d106ac3821b8055d4c28fbfb7506025b152a20aa12d29aabc2d2067e9c73fb17c0e8fd1b2a22eb9e75257a1e4cf0adacbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\68405d94-0e77-44b9-9bc4-30700958023a.vbs

Filesize
709B

MD5
4507f44307cb393704f1da73574a634f

SHA1
7ffbe918d67fba2faa1d3a41dfd7007478824955

SHA256
97c04c3b9b2b0296e4cffff75d46f451a22ca036ea71163e873571f8fe541843

SHA512
f10f2b24efc20f9fab3d5a53d3dc515f98fea83e066a27fe56dd98202e6de38e0e548542fe74c1b0a3c872885ecf2d91017118ae492e8b88e750841c824d6248

Download Submit
C:\Users\Admin\AppData\Local\Temp\90fec405-cce1-4c01-85a9-7d8377b0f57f.vbs

Filesize
485B

MD5
57220aa0a11d376b19072c738ed1ee04

SHA1
64d5f6b867da783fcbe4cb5f932ef992325fa27d

SHA256
c57900818833c568cedc09641cc69a43f6c842c1fbbd69c3ee39156787008f77

SHA512
b7aeba506714eedcac5e347c6cc3b8d37cf72aaaeb5ea4d40179379936a465d84f789b28c5e9dc462f77eb40f5918243eb6bf1be07622058feccf2a986f056cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\987142f2-539b-4f3c-8adc-2de871650cbf.vbs

Filesize
709B

MD5
1294e5ec222b0a46b59dbdfe822dca00

SHA1
dd9cb847bc23237713af076b00a2a02f614b72df

SHA256
4003e62a47947122841a5836973244b616c3536e42dc53c10024c18260cf1803

SHA512
ea33e7419bdecdc4be10d24d4d8d8d406679d6ecb129186fa664880a3a156d2b4ace97e3770172ea2cc78a34e8320126e2f84b0c23d6407309f42d2fb2c4ac49

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaiUjX8Vy6.bat

Filesize
198B

MD5
2c52dc7c1261f58b75c5926893412315

SHA1
c0a945420243fac93fc6ad794d77345e2d4de02f

SHA256
95e9fac9ab8c000ae264d330fa90515633207f6b4c07ca03dffee3d2b8b713b4

SHA512
bb42eb97656ca9134a73851a50d56a271c608dda452a29a5fb2dce34209b50720b1061f416b284edf1c8b015632903618469029ea155f62e9838c6d77dd404ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zk04ra24.opd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a274f714-5bff-43a8-883b-51fa3336224b.vbs

Filesize
709B

MD5
16d3e933eeab765a7229ac8339ae85c8

SHA1
d12e7586a44c581ca9dbfcef3e6769992f7a6598

SHA256
d9ab89e049d5a155171bb72b8bd662df92e8d3d127a3c62ee03e12296f02bb45

SHA512
f9e265e19afdb0cfe7921c2ad5499d345bd6be9d8e3e6d1c589811bf206c21d9dc1dfb97f16019e926bf251e9d7c3b9236cd9e7bb4a9cd57df255b968576273f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c02ad96e-bd2f-4036-a859-aba7486c661d.vbs

Filesize
709B

MD5
8590d7011987c576f76cecbe3de51709

SHA1
63830b1efcd48b9d8d17e557cf8b62ce68a3c23d

SHA256
c77a4e4d41e1951b4e2c8d96cf1f64ebc5657fb408137e854d377f273cb7ea11

SHA512
29152d30dcc2536c19291bd1492595b27ae609884e19a93625655e6b96e17ff4a809e8154a7967e29a255e8b5ef70934cfd2fa98c648a70cfb47e5bae75ec37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf7059f4-ce8c-49a8-a143-9914eac32d43.vbs

Filesize
708B

MD5
306f0195c6ad1cf63aa0ba4327e55730

SHA1
6d61939f7ba94e4f5a924f6665e8b491ddc32526

SHA256
61f75ac16928ab04d741ae84ddb5b65c731d5e554dbfb331f63eb1747760f76f

SHA512
c9503af10d8f94bd3df16ab6584f1f327f9e150711076889f93ce98f36da3755dab71b6b81ac8dba8e4c31c1f5f2caa502ffdd3752a0e52c2579e93443616f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3b7804e-8302-46ad-9b6f-08c04a4f2d7b.vbs

Filesize
708B

MD5
6669dc578dd7cade70a0723a56d59bdf

SHA1
8ebf712c3028f68cdcb022c211261a8e4ef4e815

SHA256
9991980a1a09a35c945ad78e9f6315c92c31bf01c1a128619b1eee74d1824f19

SHA512
f3f17aef291fb6b5143e6da4d7ea778d403d6b72f9081be30e1112f6a17a9902260685d20cf40eb8b19deb9d086c3511b4311d56e6ff12c6da9e294b70532cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc256fc2-dfd7-4c57-bcdd-fb132e5be8be.vbs

Filesize
709B

MD5
3956342e9ec4ce46bbbdd446d3d00ae9

SHA1
28df6aa6225150b674987976a243cb01ae33559b

SHA256
55cceb515a0f4fb2922524a308e576fc33a8b584e8821a138444330f8781a86c

SHA512
2600b8804a5151bf68731304a073ad89cfe1ea8ba534909a057386e392da8c945ea5652ce701eee11f2a9466a610f37f2809aebd65745925bdcb1eddf2e79a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcddb96f-1ca4-4177-bea2-54584e3fb557.vbs

Filesize
709B

MD5
8e00df50937eafed48b9061d032ac5e6

SHA1
ff014dc769b6c8799123da206d33bea0e1004ae7

SHA256
526027e46524505ba03983763539e7fa4b301796e875a9b9e5bb61726e299609

SHA512
c1bb1e863d37a797b33d42bf191b22a142a933444380011a810a494d48bab9622b1912fbe41771c141f1bf43276bd4cd8e3369d361d401ab379032c88a16f0ef

Download Submit
C:\Users\Admin\Videos\sysmon.exe

Filesize
1.6MB

MD5
7255e9ff5ae867f3d876852ef042c7ac

SHA1
6765da406b1716df9968446326ece6cd64577add

SHA256
d8e552956210f3cec0a8e3f54af4890c074c0583b65835c859343f422f0aa99e

SHA512
0f65756b5910d2c9a8bf414c8c433724b058cac476d83cae0d8c62b430766b97c5f4857b813bce4b94b372b60421737dce89599e78b595db9779fd22152371b9

Download Submit
C:\Windows\schemas\AvailableNetwork\taskhostw.exe

Filesize
1.6MB

MD5
3cd73840c35ba68fa8e3a0002a067d4c

SHA1
939a6846983c19bd55d93da169c7715c9f814e84

SHA256
3a33d73f4d762446c076ce0e3cfcb40d08815b2e02a4ac7a31adac8cb7c73ba7

SHA512
b1ec32800b09a2134bc170f1bbfc460a737348216292dffa54e88792cb1ca7aae6b8cb45df5c575de99725564961aef1b0696de3b1820fd843d27ae2e96b3a36

Download Submit
memory/3580-12-0x000000001C2D0000-0x000000001C2DA000-memory.dmp

Filesize
40KB

Download
memory/3580-11-0x000000001BAB0000-0x000000001BABC000-memory.dmp

Filesize
48KB

Download
memory/3580-1-0x0000000000C80000-0x0000000000E22000-memory.dmp

Filesize
1.6MB

Download
memory/3580-189-0x00007FFA30640000-0x00007FFA31101000-memory.dmp

Filesize
10.8MB

Download
memory/3580-171-0x00007FFA30643000-0x00007FFA30645000-memory.dmp

Filesize
8KB

Download
memory/3580-17-0x000000001C320000-0x000000001C32C000-memory.dmp

Filesize
48KB

Download
memory/3580-16-0x000000001C310000-0x000000001C31A000-memory.dmp

Filesize
40KB

Download
memory/3580-13-0x000000001C2E0000-0x000000001C2EE000-memory.dmp

Filesize
56KB

Download
memory/3580-14-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

Filesize
32KB

Download
memory/3580-15-0x000000001C300000-0x000000001C308000-memory.dmp

Filesize
32KB

Download
memory/3580-0-0x00007FFA30643000-0x00007FFA30645000-memory.dmp

Filesize
8KB

Download
memory/3580-207-0x00007FFA30640000-0x00007FFA31101000-memory.dmp

Filesize
10.8MB

Download
memory/3580-10-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/3580-9-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/3580-8-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

Filesize
64KB

Download
memory/3580-7-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

Filesize
32KB

Download
memory/3580-6-0x000000001BA60000-0x000000001BA76000-memory.dmp

Filesize
88KB

Download
memory/3580-5-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3580-4-0x000000001C0D0000-0x000000001C120000-memory.dmp

Filesize
320KB

Download
memory/3580-3-0x000000001B8F0000-0x000000001B90C000-memory.dmp

Filesize
112KB

Download
memory/3580-2-0x00007FFA30640000-0x00007FFA31101000-memory.dmp

Filesize
10.8MB

Download
memory/6128-200-0x00000159A5D90000-0x00000159A5DB2000-memory.dmp

Filesize
136KB

Download