dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Size

1.6MB
MD5

66d07aba299e88d9fd0562bdde9ef487
SHA1

3187acda67ed22501f39f2b436d064faf9464045
SHA256

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914
SHA512

64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2932	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2932	schtasks.exe	29

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2580-1-0x0000000000230000-0x00000000003D2000-memory.dmp	dcrat
behavioral3/files/0x000500000001a4a2-25.dat	dcrat
behavioral3/files/0x000800000001c6d4-181.dat	dcrat
behavioral3/memory/756-306-0x00000000003D0000-0x0000000000572000-memory.dmp	dcrat
behavioral3/memory/2372-317-0x00000000011E0000-0x0000000001382000-memory.dmp	dcrat
behavioral3/memory/2144-340-0x0000000000060000-0x0000000000202000-memory.dmp	dcrat
behavioral3/memory/1892-352-0x0000000000D10000-0x0000000000EB2000-memory.dmp	dcrat
behavioral3/memory/2320-375-0x0000000001080000-0x0000000001222000-memory.dmp	dcrat
behavioral3/memory/668-420-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe
1316	powershell.exe
2184	powershell.exe
772	powershell.exe
1348	powershell.exe
2884	powershell.exe
2588	powershell.exe
2648	powershell.exe
972	powershell.exe
532	powershell.exe
2508	powershell.exe
2544	powershell.exe
2132	powershell.exe
3068	powershell.exe
2688	powershell.exe
1904	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
756	sppsvc.exe
2372	sppsvc.exe
1500	sppsvc.exe
2144	sppsvc.exe
1892	sppsvc.exe
2120	sppsvc.exe
2320	sppsvc.exe
3012	sppsvc.exe
1700	sppsvc.exe
2248	sppsvc.exe
668	sppsvc.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\taskhost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\6cb0b6c459d5d3	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\RCX27E0.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsm.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsm.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\taskhost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\b75386f1303e64	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\RCX27A1.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX3D94.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\101b941d020240	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX2CF2.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX3D16.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\RCX41DB.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCX43FF.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCX441F.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Reference Assemblies\OSPPSVC.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Reference Assemblies\1610b97d3ab4a7	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX2D03.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Reference Assemblies\OSPPSVC.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\RCX41FB.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\PLA\spoolsv.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\addins\RCX2F74.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\PLA\RCX362E.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\PLA\RCX363E.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\PLA\f3b6ecef712a24	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\addins\RCX2FA3.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\addins\explorer.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\PLA\spoolsv.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\addins\explorer.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\addins\7a0fd90576e088	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
3032	schtasks.exe
2984	schtasks.exe
1584	schtasks.exe
856	schtasks.exe
1120	schtasks.exe
272	schtasks.exe
2064	schtasks.exe
928	schtasks.exe
2880	schtasks.exe
2856	schtasks.exe
2468	schtasks.exe
1556	schtasks.exe
1952	schtasks.exe
836	schtasks.exe
1448	schtasks.exe
2792	schtasks.exe
1348	schtasks.exe
2520	schtasks.exe
456	schtasks.exe
1800	schtasks.exe
236	schtasks.exe
2288	schtasks.exe
904	schtasks.exe
108	schtasks.exe
1032	schtasks.exe
2840	schtasks.exe
3020	schtasks.exe
2724	schtasks.exe
1344	schtasks.exe
2820	schtasks.exe
1796	schtasks.exe
1496	schtasks.exe
1612	schtasks.exe
2180	schtasks.exe
2272	schtasks.exe
2748	schtasks.exe
2744	schtasks.exe
2892	schtasks.exe
3044	schtasks.exe
2144	schtasks.exe
1500	schtasks.exe
1432	schtasks.exe
760	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
2688	powershell.exe
2648	powershell.exe
2544	powershell.exe
532	powershell.exe
2588	powershell.exe
3044	powershell.exe
2508	powershell.exe
972	powershell.exe
772	powershell.exe
1904	powershell.exe
2884	powershell.exe
1348	powershell.exe
2184	powershell.exe
2132	powershell.exe
3068	powershell.exe
1316	powershell.exe
756	sppsvc.exe
2372	sppsvc.exe
1500	sppsvc.exe
2144	sppsvc.exe
1892	sppsvc.exe
2120	sppsvc.exe
2320	sppsvc.exe
3012	sppsvc.exe
1700	sppsvc.exe
2248	sppsvc.exe
668	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	756	sppsvc.exe
Token: SeDebugPrivilege	2372	sppsvc.exe
Token: SeDebugPrivilege	1500	sppsvc.exe
Token: SeDebugPrivilege	2144	sppsvc.exe
Token: SeDebugPrivilege	1892	sppsvc.exe
Token: SeDebugPrivilege	2120	sppsvc.exe
Token: SeDebugPrivilege	2320	sppsvc.exe
Token: SeDebugPrivilege	3012	sppsvc.exe
Token: SeDebugPrivilege	1700	sppsvc.exe
Token: SeDebugPrivilege	2248	sppsvc.exe
Token: SeDebugPrivilege	668	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2688	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	76
PID 2580 wrote to memory of 2688	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	76
PID 2580 wrote to memory of 2688	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	76
PID 2580 wrote to memory of 772	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	77
PID 2580 wrote to memory of 772	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	77
PID 2580 wrote to memory of 772	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	77
PID 2580 wrote to memory of 1348	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	79
PID 2580 wrote to memory of 1348	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	79
PID 2580 wrote to memory of 1348	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	79
PID 2580 wrote to memory of 1904	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	81
PID 2580 wrote to memory of 1904	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	81
PID 2580 wrote to memory of 1904	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	81
PID 2580 wrote to memory of 2184	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	83
PID 2580 wrote to memory of 2184	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	83
PID 2580 wrote to memory of 2184	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	83
PID 2580 wrote to memory of 3068	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	84
PID 2580 wrote to memory of 3068	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	84
PID 2580 wrote to memory of 3068	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	84
PID 2580 wrote to memory of 532	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	86
PID 2580 wrote to memory of 532	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	86
PID 2580 wrote to memory of 532	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	86
PID 2580 wrote to memory of 2132	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	87
PID 2580 wrote to memory of 2132	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	87
PID 2580 wrote to memory of 2132	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	87
PID 2580 wrote to memory of 1316	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	88
PID 2580 wrote to memory of 1316	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	88
PID 2580 wrote to memory of 1316	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	88
PID 2580 wrote to memory of 2544	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	89
PID 2580 wrote to memory of 2544	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	89
PID 2580 wrote to memory of 2544	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	89
PID 2580 wrote to memory of 3044	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	90
PID 2580 wrote to memory of 3044	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	90
PID 2580 wrote to memory of 3044	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	90
PID 2580 wrote to memory of 2508	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	91
PID 2580 wrote to memory of 2508	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	91
PID 2580 wrote to memory of 2508	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	91
PID 2580 wrote to memory of 972	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	92
PID 2580 wrote to memory of 972	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	92
PID 2580 wrote to memory of 972	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	92
PID 2580 wrote to memory of 2884	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	93
PID 2580 wrote to memory of 2884	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	93
PID 2580 wrote to memory of 2884	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	93
PID 2580 wrote to memory of 2648	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	94
PID 2580 wrote to memory of 2648	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	94
PID 2580 wrote to memory of 2648	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	94
PID 2580 wrote to memory of 2588	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	95
PID 2580 wrote to memory of 2588	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	95
PID 2580 wrote to memory of 2588	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	95
PID 2580 wrote to memory of 2064	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	108
PID 2580 wrote to memory of 2064	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	108
PID 2580 wrote to memory of 2064	2580	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	108
PID 2064 wrote to memory of 236	2064	cmd.exe	110
PID 2064 wrote to memory of 236	2064	cmd.exe	110
PID 2064 wrote to memory of 236	2064	cmd.exe	110
PID 2064 wrote to memory of 756	2064	cmd.exe	111
PID 2064 wrote to memory of 756	2064	cmd.exe	111
PID 2064 wrote to memory of 756	2064	cmd.exe	111
PID 756 wrote to memory of 2388	756	sppsvc.exe	112
PID 756 wrote to memory of 2388	756	sppsvc.exe	112
PID 756 wrote to memory of 2388	756	sppsvc.exe	112
PID 756 wrote to memory of 2632	756	sppsvc.exe	113
PID 756 wrote to memory of 2632	756	sppsvc.exe	113
PID 756 wrote to memory of 2632	756	sppsvc.exe	113
PID 2388 wrote to memory of 2372	2388	WScript.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
"C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\d3d11\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qf8QHV2QCf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:236
- - C:\Users\Admin\PrintHood\sppsvc.exe
    "C:\Users\Admin\PrintHood\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aa36ffc-c6eb-4304-be4b-1b3181687d60.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\629489c7-bf25-4cf9-b7f9-3822aa76592b.vbs"
        6⤵
        
        PID:2124
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6061e9db-ef75-402f-b991-b287944d1312.vbs"
        8⤵
        
        PID:2648
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2244593a-1af0-4d5c-840e-26b427c4a2f2.vbs"
        10⤵
        
        PID:2468
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ee3c58-2054-4410-b894-030d16c75fc4.vbs"
        12⤵
        
        PID:856
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8fb753-6dea-4ffb-9ea3-73a7961542a5.vbs"
        14⤵
        
        PID:2148
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4df3882-858b-4743-af31-8d93054a61db.vbs"
        16⤵
        
        PID:940
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb1fa8cc-4b5f-4ecc-a0db-c4a0a258eceb.vbs"
        18⤵
        
        PID:2136
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee056a09-6467-43c5-891a-4c35e6b2c04b.vbs"
        20⤵
        
        PID:1552
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f96bc7-8148-4734-a24a-a773f738620d.vbs"
        22⤵
        
        PID:2172
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a7d61-f840-4719-8a89-9d072a6a9b55.vbs"
        24⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55704516-98ab-4d49-99db-61655880df99.vbs"
        24⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f42d3663-921e-406d-ba67-52fce9af38ef.vbs"
        22⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37d4edb2-ca2b-429d-9a06-6c09011ead41.vbs"
        20⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca3c6c1-643d-4f01-a98e-4f845c25244a.vbs"
        18⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a321b05-c8f7-4c7e-98bf-b9dca3bafd02.vbs"
        16⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41a642ca-c125-42e1-b2fc-b49e2582bae1.vbs"
        14⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c34fbf18-b470-4ab1-b1af-e9b6e30c06bf.vbs"
        12⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d27f9d4-0077-4a5e-959c-100eab6ee9b2.vbs"
        10⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca86f4d-24f6-40cd-bd58-cf9cf0beff50.vbs"
        8⤵
        
        PID:2956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f0682ee-c202-4c4e-b147-467813ea6521.vbs"
        6⤵
        
        PID:584
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b709c63-970a-40b0-90c2-0df13c529bc2.vbs"
      4⤵
      PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914" /sc ONLOGON /tr "'C:\Users\Default\Desktop\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe

Filesize
1.6MB

MD5
5135b935330219bcc418e5a960acadc6

SHA1
ba393b19187638df446d374ec5e06e9b800a1018

SHA256
7146e2779af86041ba3030644d932c6a03f1fb4a09ecdf08552df40f0fba3cda

SHA512
02a119301ba94e41cfb80152f6f46d1746b07d5690cc1a0f8543a76f2d01de77f92cfd7d87fa5d94ea4365d43be271e73954b6e48c18402e378890391d78ec76

Download Submit
C:\Program Files\Reference Assemblies\OSPPSVC.exe

Filesize
1.6MB

MD5
66d07aba299e88d9fd0562bdde9ef487

SHA1
3187acda67ed22501f39f2b436d064faf9464045

SHA256
d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914

SHA512
64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b709c63-970a-40b0-90c2-0df13c529bc2.vbs

Filesize
487B

MD5
f623cde7833104a94c4cff3b07c5ab80

SHA1
1c73ef0a1196f7ead390198b74673228be989417

SHA256
94f89368de69ae0a9c78fdb299eed5676975750640e42970a374f6e7d3c0d69d

SHA512
88d98b65df1bfd2564963fdf860a36439c1e4aba068c7769a182e936c1d05d764f6ab58dd1b383f2dea2e2a860278c19c107417b8ee11274668ad66b5fddf50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aa36ffc-c6eb-4304-be4b-1b3181687d60.vbs

Filesize
710B

MD5
65f7ab88bfabe89d9c76ff1a83fd7993

SHA1
db51960b72d7be284de81ff86f3903d1c3678f4c

SHA256
239e2eb0f33c440bf7755cf71640ceacc5f1244107fd3cbe8d3661c905dce55f

SHA512
aa23bea352238f93dcf43aa770f3e86d5591a0f48d003e025ffdd7418677678a9362ea183d0366f1fa8fe3397866a948e431ef22f12033eb13340f581c1c08b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2244593a-1af0-4d5c-840e-26b427c4a2f2.vbs

Filesize
711B

MD5
92fbfde02f2206a02b96d7dc293e0704

SHA1
df6710d0aad5ea57f153e65a02ed696fbe2fd223

SHA256
c0d2d03a943e8f883caba7096f60536f89267788ec29c18c84a11afd38f0e869

SHA512
c5037e8af4137f0820a78ec5bd8c2ae8b8d43f8c3afe59ef1eb73febf43631a419df8d2f2c4f620d10c4a695899a5d5a8cc41dbf0507c7d42dcda37a929f412d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f8fb753-6dea-4ffb-9ea3-73a7961542a5.vbs

Filesize
711B

MD5
bbd74063e219290533a4ccfe134061b3

SHA1
fd49a61bb53cd37e67d6140b6e3abef6f29b39c1

SHA256
e3968bbc5f4b7ec5cfc0e159f57672594bea757ff2d83390480373b6d58a20c5

SHA512
905c2337b1c3661b3e8dd4f7ca76e02f43e5ef2d3c7c73dc75dfd3f6315041bb0e77cf938a2500cbccdbb1548328e979863bc58eb1bde6f68314be703ca1dff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6061e9db-ef75-402f-b991-b287944d1312.vbs

Filesize
711B

MD5
a48b4bf3fe0ca34b95337265164773a9

SHA1
bdb13890bc283ac5e1c9619d6f4e257f1a6ebf38

SHA256
a300bd1745bf1e81ea6fbed537f2d3f69c2e20c635c865dbaf7cbcb5fc574514

SHA512
57590eea58784d7c682ee93c790899ee8061aa978e2795d4f0b23025b4fa9ad53a110e3b4dbd24805e9afd1b9659ecd3d2e4a6c5c2ed04859e564701c5aee1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\629489c7-bf25-4cf9-b7f9-3822aa76592b.vbs

Filesize
711B

MD5
654b3a90bd9bcd65d3d5c1bc8147b4dd

SHA1
b59cf9aa95f5681e6a64aef8f373f36042e8b3e6

SHA256
c847ccae43ae9271142ad4113b038a1a759150623475ca21a3a67314b165c52e

SHA512
860a99e10e5cea07c43dc5af5177fd3d4c7cbc6ab6f123fcdb519a38fe40802bde905a2bb29732fad9f747f073b185a334b8414d4c91567f4f8a45501e87aa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\65ee3c58-2054-4410-b894-030d16c75fc4.vbs

Filesize
711B

MD5
c492547b1237503dc38a694ead1efd8d

SHA1
37337258bb573e9f4812f0a7a7678a792f2d7734

SHA256
ee6ff1e5ed680c9c72528ddb237d35945fd4bb2f12d24765bb2fe48cdca545d3

SHA512
3caed71fac5f599db665ac0abf1a1a93938a0ed07b172067d5e936ed1b628f765c87d477dff8c30ac6ba3516ef1a7f9dca2d9c3c1017727058c6ee8b09dc997f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d8a7d61-f840-4719-8a89-9d072a6a9b55.vbs

Filesize
710B

MD5
9bd9efaa150f6f9b99f5082bacdb674a

SHA1
b78665fdb53e9bb255a0cdace3bc7946d5b7d0d0

SHA256
e61f761275f22d9a74430af1903d5e076d115df6ad9c45a46bae324b1c71848a

SHA512
30157ceaf8617235376c80bf6b5c36c970f1b2d384a95cb6a2d0262d5fe2ad5b59edef30d2a32eaa265ec59dd86ea3212cefd4f2f27027a700b4b3a42299bdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\80f96bc7-8148-4734-a24a-a773f738620d.vbs

Filesize
711B

MD5
234859449629d2c872875e0ee16da13f

SHA1
a415f0f2290801062bc49dba9fd006e1290b9073

SHA256
5849f6c66da0c8fdaaba59c72d0c506744c9e69cb7a29c9818f88e631bd167e3

SHA512
2941aa88934e8ae231b5163b66e35bd60a95e8581d20ae4e5d4c054844827c6191cdc2cabefcfaba7ef099f42f8298b803f7cf0190e842eb7d309ed222d6c70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qf8QHV2QCf.bat

Filesize
200B

MD5
726e970688bc3925f1323aec55689f15

SHA1
601a5e82caca771a260dbde9e6443430923f4ce2

SHA256
61d02644cbbcc3fc9599bc6c5a76e8a94b8a98fa70637ce0fad6de9b3da052fd

SHA512
cfca12d55f7cf71f30d5d888083a52a0731ea34579a80651ad5256783f62c5555a476448d4f5f4dabdb3e71ab67121b2c382b5a0226eb5cc3d2affde2f46a214

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4df3882-858b-4743-af31-8d93054a61db.vbs

Filesize
711B

MD5
9955a905695b05cfbd48c7e43b1efe1e

SHA1
94d58bae119c34317a7d64eea83c651e04c82fc6

SHA256
cbed8b2bc556277228973d0f353c81c67caf726b9313749d989abec48e6fa10a

SHA512
23ee1bbdaa1631438d702a0aa7beb531426f6d267f1716ac3a48b0c80764e6f897e121f77ba4580b30742f7bb91fa32e4af93a7cba4012c1d6a586791789c983

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee056a09-6467-43c5-891a-4c35e6b2c04b.vbs

Filesize
711B

MD5
e87a9834b4d2417dc2e6b11c9fcdcb5f

SHA1
adb5a9b4af73df6ac37036bfa07e9f5bcd9ed9f9

SHA256
da3a2b57d7dad217549b6f7649dc57de16eadea1617d52e5ca97632414a6a7c0

SHA512
707399f9a6c24935b441466e7038d211569f136e1c9bfa7adc206d0c0b493cc1895e274f1cacf8b2177584beed8da3c7db2a0d1385c93d0ed8ddba51b7bd9e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb1fa8cc-4b5f-4ecc-a0db-c4a0a258eceb.vbs

Filesize
711B

MD5
b19f9683622910ccf55ca8322ed7c923

SHA1
36f85db8517fc5f1fbe8868dce1425ac4c39ed07

SHA256
4ee129efbfd70adacd0a03b7977b7a2cfbb4a5c691ccc6d229e6188564fb9c0f

SHA512
d91ec95ed8b1d5ab17f496a36acbefd6b6e9377dd7ed69b9211bf748694c4bd6cae885f3bc7454c3bc1d85cfc68131220164e90fb756c20fadaf2b97215838c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L2YPCRLWC0NDIDD0FSNZ.temp

Filesize
7KB

MD5
ca6c5b6ea4c50f70a38037e971f39e9d

SHA1
7627fb801f292d16b9aafdae20489abaa3779966

SHA256
3078b50fb3b2743e5bc4dafae5655c443607902da8b14391eb00e5ce2760e191

SHA512
504b0933d70dbef57a803aaaf9eb38b1123609aa72c50f3b9aae4037daa6f81a0597d618de85d4f80dc3bf3c913354f4aeb08bfb872de7701e043e0b4327db24

Download Submit
memory/668-420-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/756-306-0x00000000003D0000-0x0000000000572000-memory.dmp

Filesize
1.6MB

Download
memory/1892-352-0x0000000000D10000-0x0000000000EB2000-memory.dmp

Filesize
1.6MB

Download
memory/2144-340-0x0000000000060000-0x0000000000202000-memory.dmp

Filesize
1.6MB

Download
memory/2184-302-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2320-375-0x0000000001080000-0x0000000001222000-memory.dmp

Filesize
1.6MB

Download
memory/2372-317-0x00000000011E0000-0x0000000001382000-memory.dmp

Filesize
1.6MB

Download
memory/2580-8-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2580-64-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000230000-0x00000000003D2000-memory.dmp

Filesize
1.6MB

Download
memory/2580-224-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-9-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2580-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2580-10-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2580-7-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2580-6-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2580-101-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-5-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/2580-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2580-4-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2580-3-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/2580-11-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2580-16-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2580-15-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/2580-14-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2580-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-13-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2648-303-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download