dcrat | 916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Size

1.7MB
MD5

7a6337d1705c5b4e696b224c29fc5233
SHA1

5631625b8754ac8e02f9b441a47b229ac37a6cbc
SHA256

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9
SHA512

7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	5004	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	5004	schtasks.exe	83

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2676-1-0x0000000000480000-0x0000000000636000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbc-29.dat	dcrat
behavioral2/files/0x000c000000023cef-120.dat	dcrat
behavioral2/files/0x000c000000023cf0-131.dat	dcrat
behavioral2/files/0x0008000000023cc7-164.dat	dcrat
behavioral2/files/0x000e000000023cd6-264.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4736	powershell.exe
2664	powershell.exe
1240	powershell.exe
3464	powershell.exe
2824	powershell.exe
3976	powershell.exe
5092	powershell.exe
3180	powershell.exe
872	powershell.exe
1772	powershell.exe
4716	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Executes dropped EXE 2 IoCs

pid	Process
2228	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2216	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Drops file in Program Files directory 55 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\dotnet\host\fxr\dllhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Crashpad\RCXC378.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE07D.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXE516.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Sidebar\6203df4a6bafc7	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Sidebar\lsass.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Crashpad\explorer.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXD4DB.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\c5b4cb5e9653cc	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\lsass.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXDA5E.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE07E.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\6203df4a6bafc7	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\c5b4cb5e9653cc	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Crashpad\RCXC367.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXD559.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Adobe\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\dllhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXD7DA.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXCD62.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCXD258.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCXD259.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\RCXBD29.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\RCXBF2D.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXD7DB.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Crashpad\explorer.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXCAE0.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\2cbf77912deacd	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Crashpad\7a0fd90576e088	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\dotnet\host\fxr\5940a34987c991	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\69ddcba757bf72	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Adobe\c5b4cb5e9653cc	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXDA5D.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\RCXBD28.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXCD63.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Reference Assemblies\22eafd247d37c3	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Mail\69ddcba757bf72	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\RCXBF3E.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXCAE1.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXE515.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Provisioning\Cosa\OEM\RCXD053.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\Provisioning\Cosa\OEM\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\Panther\unsecapp.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\Panther\29c1c3cc0f7685	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\Panther\RCXC153.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\Panther\unsecapp.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\Provisioning\Cosa\OEM\RCXCFE5.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\Provisioning\Cosa\OEM\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\Provisioning\Cosa\OEM\886983d96e3d3e	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\Panther\RCXC152.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2012	schtasks.exe
968	schtasks.exe
4268	schtasks.exe
5064	schtasks.exe
3116	schtasks.exe
3912	schtasks.exe
4140	schtasks.exe
4616	schtasks.exe
1140	schtasks.exe
2760	schtasks.exe
4900	schtasks.exe
2324	schtasks.exe
4948	schtasks.exe
2996	schtasks.exe
3168	schtasks.exe
2172	schtasks.exe
3144	schtasks.exe
4028	schtasks.exe
2196	schtasks.exe
3532	schtasks.exe
4276	schtasks.exe
3204	schtasks.exe
3568	schtasks.exe
4016	schtasks.exe
5052	schtasks.exe
1688	schtasks.exe
4420	schtasks.exe
5112	schtasks.exe
4896	schtasks.exe
5008	schtasks.exe
64	schtasks.exe
4712	schtasks.exe
2084	schtasks.exe
2724	schtasks.exe
2880	schtasks.exe
2436	schtasks.exe
688	schtasks.exe
3560	schtasks.exe
2364	schtasks.exe
2320	schtasks.exe
4904	schtasks.exe
1604	schtasks.exe
2636	schtasks.exe
2776	schtasks.exe
444	schtasks.exe
4588	schtasks.exe
4596	schtasks.exe
2652	schtasks.exe
1584	schtasks.exe
3980	schtasks.exe
1120	schtasks.exe
4868	schtasks.exe
844	schtasks.exe
5060	schtasks.exe
2420	schtasks.exe
3132	schtasks.exe
3664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2228	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Token: SeDebugPrivilege	2216	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3976	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	152
PID 2676 wrote to memory of 3976	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	152
PID 2676 wrote to memory of 4716	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	153
PID 2676 wrote to memory of 4716	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	153
PID 2676 wrote to memory of 2824	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	154
PID 2676 wrote to memory of 2824	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	154
PID 2676 wrote to memory of 3464	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	155
PID 2676 wrote to memory of 3464	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	155
PID 2676 wrote to memory of 1772	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	156
PID 2676 wrote to memory of 1772	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	156
PID 2676 wrote to memory of 872	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	158
PID 2676 wrote to memory of 872	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	158
PID 2676 wrote to memory of 1240	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	159
PID 2676 wrote to memory of 1240	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	159
PID 2676 wrote to memory of 3180	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	160
PID 2676 wrote to memory of 3180	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	160
PID 2676 wrote to memory of 5092	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	161
PID 2676 wrote to memory of 5092	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	161
PID 2676 wrote to memory of 2664	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	162
PID 2676 wrote to memory of 2664	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	162
PID 2676 wrote to memory of 4736	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	164
PID 2676 wrote to memory of 4736	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	164
PID 2676 wrote to memory of 2132	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	173
PID 2676 wrote to memory of 2132	2676	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	173
PID 2132 wrote to memory of 2084	2132	cmd.exe	176
PID 2132 wrote to memory of 2084	2132	cmd.exe	176
PID 2132 wrote to memory of 2228	2132	cmd.exe	178
PID 2132 wrote to memory of 2228	2132	cmd.exe	178
PID 2228 wrote to memory of 2280	2228	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	179
PID 2228 wrote to memory of 2280	2228	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	179
PID 2228 wrote to memory of 2880	2228	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	180
PID 2228 wrote to memory of 2880	2228	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	180
PID 2280 wrote to memory of 2216	2280	WScript.exe	181
PID 2280 wrote to memory of 2216	2280	WScript.exe	181

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
"C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CpN9sJ8yxz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2084
- - C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
    "C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b7a7026-27bf-431b-b235-79480510aede.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e74c8b6-165d-4499-b54c-e190b0d34205.vbs"
      4⤵
      PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\as_IN\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Panther\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Crashpad\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Cosa\OEM\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Cosa\OEM\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\fxr\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\fxr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Links\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\RCXE515.tmp

Filesize
1.7MB

MD5
deca7660c0dc6fce23688a737f50aab1

SHA1
fc803685f61070d25aa9201934d80baf0263dbee

SHA256
e38c0e7c0782d84349885d2c440db540425a57dbe7967b974df9fa6b4c968fab

SHA512
f1dd4068ecb5db42c2bcd5119750711623badb3eacf9a85af7544114c47d10b561c9d6dc2e6e0153a42f41708298de129f86fabcd1669f75c318fbb1d22f4f12

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.7MB

MD5
1d58922a1d69502cd68bdf29704f85b3

SHA1
ea559cc1a5ea00638b08fe1b40d756164c2186c7

SHA256
d72d26f446919540b654f0d816eee7b1343dd4c969933fa1d5be5f6593b78624

SHA512
e3154a57f35b0f7c646e484346223ba66b9176d9076f052d52530548a1363670dec54a347efccb2cc9cbe10002af90f44ceafb14d6d43bae4217e7a6ebfce7a1

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
1.7MB

MD5
7a6337d1705c5b4e696b224c29fc5233

SHA1
5631625b8754ac8e02f9b441a47b229ac37a6cbc

SHA256
916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

SHA512
7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
1.7MB

MD5
7a7f2f87142a3fd4eb81a00b28b6a5f6

SHA1
25a24de17612f06f55392983178a43af411f573e

SHA256
6527c9bf66fb9628dc426506ac79408446d775cb701722ac42a03f86f00d4cb4

SHA512
3b811c2f36b738940d931f9d2e55b9f46b7b02dd87fc60b2c2e5b3368f6e4ac0e47e250310484f9c3ce35837129a7aa19dd28113fdde903deba630f96038d2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e74c8b6-165d-4499-b54c-e190b0d34205.vbs

Filesize
563B

MD5
7de1bbb973495c977fe92602b464773a

SHA1
d002bbf17d14bc5912919a4be9b1bb0cfe13c05f

SHA256
9321f6178456e96181a182588fcfe7403c544cface6e7dbc819e432cc6c21256

SHA512
0575d634517f739fc8aa3f2344918dc95975fd7ab024f78166e257543c83e1f9739341acbc2f0726948e1cd9f98273bd036342b4b89984d18f9617de327d6ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b7a7026-27bf-431b-b235-79480510aede.vbs

Filesize
787B

MD5
2cafd558a433095c97d510fb629e7c3c

SHA1
167de686c90f2dd3f8c60afa2f3c537091e0d362

SHA256
3885a0941ea254b3a5f7e0635ea1401e44db4270b3f08b5d56f9b17beb5aa96b

SHA512
95c3cfd929766a18162ce457c4ec38a766c8ab6f784862fcfab428ae85bb6051e7c9a6b936ace67ba944d901d8074d7a7cfb1edf3176f29dda948f0cd17cdb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpN9sJ8yxz.bat

Filesize
276B

MD5
82025d5572ca49de1f42f5812ffecb4d

SHA1
e14ffbc7024e42425e43dbb4195eb3e4cc665d79

SHA256
abeeaaee874cc3e1e8f4abb06899558410ef4a197f334cdcbc383aa43b9a578f

SHA512
b3938bee758cddfe13e07191a4d20066de18e1328bf7888ba3f32d99bea917cad558268120277d219462513606dd68ca308b08d88e6cd1a03e44e141040f33c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fyhfb43v.jjz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Provisioning\Cosa\OEM\csrss.exe

Filesize
1.7MB

MD5
59a9def606fc51becf63d350d710b0ce

SHA1
be51e95dfa87fb3f7f0b36a77bc8cafe9a1312ed

SHA256
1c667befd70d05d73bc64394ef1ea623fcb648875316e61c548e8c4c4596b972

SHA512
8961ac55549c7221f8ad47a0763035a641fb93616fc6017d12896813d6eec0be3a519316d86a34f1d6815b9ea1655895984acd23f29666bbf53ace89aa34830f

Download Submit
memory/2676-10-0x00000000027C0000-0x00000000027CC000-memory.dmp

Filesize
48KB

Download
memory/2676-6-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2676-16-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/2676-14-0x0000000002960000-0x000000000296C000-memory.dmp

Filesize
48KB

Download
memory/2676-19-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-18-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

Filesize
48KB

Download
memory/2676-17-0x0000000002990000-0x000000000299C000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x0000000002970000-0x000000000297A000-memory.dmp

Filesize
40KB

Download
memory/2676-13-0x0000000002950000-0x000000000295C000-memory.dmp

Filesize
48KB

Download
memory/2676-167-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-189-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-225-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-11-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2676-1-0x0000000000480000-0x0000000000636000-memory.dmp

Filesize
1.7MB

Download
memory/2676-0-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-300-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-9-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2676-7-0x0000000002790000-0x00000000027A6000-memory.dmp

Filesize
88KB

Download
memory/2676-8-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/2676-20-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/2676-5-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/2676-4-0x0000000002900000-0x0000000002950000-memory.dmp

Filesize
320KB

Download
memory/2676-3-0x0000000002760000-0x000000000277C000-memory.dmp

Filesize
112KB

Download
memory/2676-2-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/3180-294-0x00000241FEE30000-0x00000241FEE52000-memory.dmp

Filesize
136KB

Download