dcrat | b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
Size

1.3MB
MD5

fe76cbb1b1116a2b0ca20f5dbe8e2652
SHA1

4ae28f39a440b341ed2d47647ed02b626138fa52
SHA256

b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d
SHA512

6a3415db11955ec02c88d8221bc98f9af6e3b0949bd2485e3b42806b10ff5fa75f3d8599af4f41984d71e5b7bfd4908d0fb1d5a4684f3492fab647c21f3357f3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	1564	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1564	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c98-10.dat	dcrat
behavioral2/memory/1968-13-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
1928	powershell.exe
2700	powershell.exe
3196	powershell.exe
4176	powershell.exe
752	powershell.exe
1664	powershell.exe
4404	powershell.exe
4624	powershell.exe
2484	powershell.exe
1404	powershell.exe
5032	powershell.exe
3428	powershell.exe
3708	powershell.exe
2840	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 15 IoCs

pid	Process
1968	DllCommonsvc.exe
4108	DllCommonsvc.exe
984	upfc.exe
3548	upfc.exe
4624	upfc.exe
3276	upfc.exe
4700	upfc.exe
2696	upfc.exe
4704	upfc.exe
4836	upfc.exe
1904	upfc.exe
2308	upfc.exe
2676	upfc.exe
1828	upfc.exe
5016	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
51	raw.githubusercontent.com
28	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
44	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
39	raw.githubusercontent.com
46	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\Speech\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3752	schtasks.exe
1152	schtasks.exe
2392	schtasks.exe
1152	schtasks.exe
4048	schtasks.exe
5116	schtasks.exe
3620	schtasks.exe
3164	schtasks.exe
1776	schtasks.exe
3276	schtasks.exe
3588	schtasks.exe
4752	schtasks.exe
4448	schtasks.exe
1780	schtasks.exe
2892	schtasks.exe
4068	schtasks.exe
1968	schtasks.exe
4288	schtasks.exe
4156	schtasks.exe
3900	schtasks.exe
3752	schtasks.exe
856	schtasks.exe
2532	schtasks.exe
4056	schtasks.exe
3260	schtasks.exe
2392	schtasks.exe
2696	schtasks.exe
856	schtasks.exe
4876	schtasks.exe
5064	schtasks.exe
2452	schtasks.exe
3228	schtasks.exe
2320	schtasks.exe
4904	schtasks.exe
368	schtasks.exe
2448	schtasks.exe
4672	schtasks.exe
548	schtasks.exe
3476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	DllCommonsvc.exe
3428	powershell.exe
752	powershell.exe
3428	powershell.exe
1664	powershell.exe
4404	powershell.exe
5032	powershell.exe
5032	powershell.exe
752	powershell.exe
1664	powershell.exe
4404	powershell.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4108	DllCommonsvc.exe
4624	powershell.exe
4624	powershell.exe
3196	powershell.exe
3196	powershell.exe
2724	powershell.exe
2724	powershell.exe
1404	powershell.exe
1404	powershell.exe
2840	powershell.exe
2840	powershell.exe
3708	powershell.exe
3708	powershell.exe
2700	powershell.exe
2700	powershell.exe
4176	powershell.exe
4176	powershell.exe
1928	powershell.exe
1928	powershell.exe
2484	powershell.exe
2484	powershell.exe
3708	powershell.exe
1404	powershell.exe
1928	powershell.exe
984	upfc.exe
984	upfc.exe
3196	powershell.exe
4624	powershell.exe
2724	powershell.exe
2840	powershell.exe
2700	powershell.exe
4176	powershell.exe
2484	powershell.exe
3548	upfc.exe
4624	upfc.exe
3276	upfc.exe
4700	upfc.exe
2696	upfc.exe
4704	upfc.exe
4836	upfc.exe
1904	upfc.exe
2308	upfc.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	DllCommonsvc.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4108	DllCommonsvc.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	984	upfc.exe
Token: SeDebugPrivilege	3548	upfc.exe
Token: SeDebugPrivilege	4624	upfc.exe
Token: SeDebugPrivilege	3276	upfc.exe
Token: SeDebugPrivilege	4700	upfc.exe
Token: SeDebugPrivilege	2696	upfc.exe
Token: SeDebugPrivilege	4704	upfc.exe
Token: SeDebugPrivilege	4836	upfc.exe
Token: SeDebugPrivilege	1904	upfc.exe
Token: SeDebugPrivilege	2308	upfc.exe
Token: SeDebugPrivilege	2676	upfc.exe
Token: SeDebugPrivilege	1828	upfc.exe
Token: SeDebugPrivilege	5016	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 552	3240	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	85
PID 3240 wrote to memory of 552	3240	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	85
PID 3240 wrote to memory of 552	3240	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	85
PID 552 wrote to memory of 3516	552	WScript.exe	87
PID 552 wrote to memory of 3516	552	WScript.exe	87
PID 552 wrote to memory of 3516	552	WScript.exe	87
PID 3516 wrote to memory of 1968	3516	cmd.exe	89
PID 3516 wrote to memory of 1968	3516	cmd.exe	89
PID 1968 wrote to memory of 5032	1968	DllCommonsvc.exe	104
PID 1968 wrote to memory of 5032	1968	DllCommonsvc.exe	104
PID 1968 wrote to memory of 752	1968	DllCommonsvc.exe	105
PID 1968 wrote to memory of 752	1968	DllCommonsvc.exe	105
PID 1968 wrote to memory of 1664	1968	DllCommonsvc.exe	106
PID 1968 wrote to memory of 1664	1968	DllCommonsvc.exe	106
PID 1968 wrote to memory of 4404	1968	DllCommonsvc.exe	107
PID 1968 wrote to memory of 4404	1968	DllCommonsvc.exe	107
PID 1968 wrote to memory of 3428	1968	DllCommonsvc.exe	108
PID 1968 wrote to memory of 3428	1968	DllCommonsvc.exe	108
PID 1968 wrote to memory of 4504	1968	DllCommonsvc.exe	113
PID 1968 wrote to memory of 4504	1968	DllCommonsvc.exe	113
PID 4504 wrote to memory of 1600	4504	cmd.exe	116
PID 4504 wrote to memory of 1600	4504	cmd.exe	116
PID 4504 wrote to memory of 4108	4504	cmd.exe	122
PID 4504 wrote to memory of 4108	4504	cmd.exe	122
PID 4108 wrote to memory of 2724	4108	DllCommonsvc.exe	150
PID 4108 wrote to memory of 2724	4108	DllCommonsvc.exe	150
PID 4108 wrote to memory of 1928	4108	DllCommonsvc.exe	151
PID 4108 wrote to memory of 1928	4108	DllCommonsvc.exe	151
PID 4108 wrote to memory of 4624	4108	DllCommonsvc.exe	152
PID 4108 wrote to memory of 4624	4108	DllCommonsvc.exe	152
PID 4108 wrote to memory of 1404	4108	DllCommonsvc.exe	153
PID 4108 wrote to memory of 1404	4108	DllCommonsvc.exe	153
PID 4108 wrote to memory of 4176	4108	DllCommonsvc.exe	154
PID 4108 wrote to memory of 4176	4108	DllCommonsvc.exe	154
PID 4108 wrote to memory of 2840	4108	DllCommonsvc.exe	155
PID 4108 wrote to memory of 2840	4108	DllCommonsvc.exe	155
PID 4108 wrote to memory of 3708	4108	DllCommonsvc.exe	156
PID 4108 wrote to memory of 3708	4108	DllCommonsvc.exe	156
PID 4108 wrote to memory of 2700	4108	DllCommonsvc.exe	157
PID 4108 wrote to memory of 2700	4108	DllCommonsvc.exe	157
PID 4108 wrote to memory of 2484	4108	DllCommonsvc.exe	158
PID 4108 wrote to memory of 2484	4108	DllCommonsvc.exe	158
PID 4108 wrote to memory of 3196	4108	DllCommonsvc.exe	160
PID 4108 wrote to memory of 3196	4108	DllCommonsvc.exe	160
PID 4108 wrote to memory of 984	4108	DllCommonsvc.exe	170
PID 4108 wrote to memory of 984	4108	DllCommonsvc.exe	170
PID 984 wrote to memory of 1920	984	upfc.exe	176
PID 984 wrote to memory of 1920	984	upfc.exe	176
PID 1920 wrote to memory of 3032	1920	cmd.exe	178
PID 1920 wrote to memory of 3032	1920	cmd.exe	178
PID 1920 wrote to memory of 3548	1920	cmd.exe	181
PID 1920 wrote to memory of 3548	1920	cmd.exe	181
PID 3548 wrote to memory of 2800	3548	upfc.exe	185
PID 3548 wrote to memory of 2800	3548	upfc.exe	185
PID 2800 wrote to memory of 4988	2800	cmd.exe	187
PID 2800 wrote to memory of 4988	2800	cmd.exe	187
PID 2800 wrote to memory of 4624	2800	cmd.exe	190
PID 2800 wrote to memory of 4624	2800	cmd.exe	190
PID 4624 wrote to memory of 548	4624	upfc.exe	192
PID 4624 wrote to memory of 548	4624	upfc.exe	192
PID 548 wrote to memory of 664	548	cmd.exe	194
PID 548 wrote to memory of 664	548	cmd.exe	194
PID 548 wrote to memory of 3276	548	cmd.exe	196
PID 548 wrote to memory of 3276	548	cmd.exe	196

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
"C:\Users\Admin\AppData\Local\Temp\b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0hJeiPq3jy.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1600
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3032
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4988
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:664
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        14⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5116
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        16⤵
        
        PID:4192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4308
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        18⤵
        
        PID:3488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1928
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        20⤵
        
        PID:3428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:532
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        22⤵
        
        PID:1320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5108
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        24⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2936
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        26⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4308
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
        28⤵
        
        PID:3548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1928
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        30⤵
        
        PID:4248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4772
        
        C:\providercommon\upfc.exe
        
        "C:\providercommon\upfc.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
329e67b656834b36b529ff5a745a61aa

SHA1
85e9d41fd3f88f1d65ac85f7c3ddfa3e63d3936e

SHA256
b2a9f53f28e620dbec9fb8f44fc6431d619bc225124bffacd32dbc9cb94856c4

SHA512
ceeb20c6162e8a94745b59d685fce506df22b85870a0a472869e1949124cc70d3beeababd49444dee4e9a1e387947b66a17dca25870234514c20e7e5c28d4dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57d2e799bc6966dca9da8dc3120bf345

SHA1
e1c706bd6faa27ea04a5c6cd7c10e158395cb65e

SHA256
25ccd4b996f178c04b3603cc41ce81886f66ddc50299d401bcbc52227c7f61ba

SHA512
8586ca7c0678aff0553d5a387807c8bcd4f51d0a0539ec1a33f8da7cc6332ca7c0e76b9fc1d821de6bd0fd19abaf6bcb7389762785c8badb2450ba12d447150c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17e45724e81fad9d4f4eda74fe6b349e

SHA1
0ef309ee5638e1055c0f0fe7cd693a5643a1e4a3

SHA256
444084a5dd84f5aeaa084a27da160ea4501574fbb27da9d7aab3c6c5b3269eb6

SHA512
c1b0dd77c2ae9c15843b3bac8de6874609ebeffa5e10e552b364340c51bde690ac563c132dbc14f93e68d3a7939ea840fa687eb1bd603d646acf88a3430b6e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
081f27915d0d0eb090c40bf0e3562c68

SHA1
60519eef2376ac733640e4a10f7fef3954f12651

SHA256
9b08a00f3713a5097cc4503403f36e045228f55ac1049390aea0564ce115b660

SHA512
18a60774a20c3c0f2a1bbdc8c084d7360ed424e205e4b68a530927bf3a70dad6e7143f633b070e1368a2d3c88f5f5acebe424b519f02de9538a981fbe5bc245f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hJeiPq3jy.bat

Filesize
199B

MD5
d1f6d79e5a80579ee44451d43c6784f9

SHA1
244d05915ca43a7c3fe5ac0ea7e41bb07ac66856

SHA256
ce7181397e754c60dc97f464d61327f69998d114a09fd95bd714f3531d492e62

SHA512
58adb030be233abf137852e91045d47622938cdf651f5590190cd07939e4e6c6b8bbd059214e08ef5efa5783a75011a2c2b5bfb5b1ab337d7d38459077e215b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
191B

MD5
56c03e4ebd5ff608ccd8be32400bcce8

SHA1
c4ae73732c21ae89e31301d6e1bf545f65eec581

SHA256
1e8281b1d97e7ef322884bfc70033a7a591b4fabf151ac421194491b3162a752

SHA512
768ed0deb19b07fa8a67f9f430cc1d7043374cadd72c08c2b68c800f283045de6bba13bb7a26fa9087b596d04da666825d232e10c34ba85e9d2a938ae8e19a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
191B

MD5
c41522782e12b9ee785b002338863166

SHA1
1b5c071da1bc60a84531d7b566e5fb692d2c9b05

SHA256
1e4ec7077d17bfebd5ef1938048e2fb65814986e34350831312e61593ad69ef2

SHA512
8ebacfbabdc7f233aaf5cbd4d641ec3da360acb855c3a7413cb8474db4b0985cdbdee120d3dc5457b056432c7122615fbc786a0f5497cbd02f275cd47803c1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
191B

MD5
3abfa3582496c97ff2f23e36e39b63f5

SHA1
a0302cacc5c47caeccb5f107bab078e09c0b6f88

SHA256
0f6276ee0fd9497ee69e4cf535dd59865c1f89319c0dec1245835ddf8d8b7db5

SHA512
b5819e7b58a2536709c0fd63db568ba93d7537b916ec8831186f60621a8d47928d943621196734d12c71d65818411f872cbb943223eca5417f5f63e55b7076ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
191B

MD5
1285a2fad61128c0a769b2a3cade7169

SHA1
a69ec2e1a32bfb3de3ae5711869a3981e4390ad4

SHA256
6066eeddb21a7a2d3778dfd061b575a265bed431bc3fc7ca3c8d19ea3c349d08

SHA512
83fc9cd04ecf9eeb1db69eee5fc798ae4db160dd140924d1e13878c49b6a786b6ecea6cbe6fedbee3f660c3a816c786bfe89f0b1a3a4ceb963dfba6e19f087e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
191B

MD5
d9c0adfdbcdfe86925b75c2eeb1af034

SHA1
3123284227269aa939643d08efc5257c9f2d210b

SHA256
c57a30f0d51aed76888d9d4d22cb46b17affabc264c948c3dacff08f1db8df9a

SHA512
bb3c6b8c705e365db7483e3bdacaa609d4a613a38554c6d1965dcc2592745805e776fc85ee3b12f29351203c8099adb8dae13376c1c9b7b7f89f25d252014196

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

Filesize
191B

MD5
3f1d8506daff14f916501005c7fe73e2

SHA1
7e11e4111bb1c693bfc0ea353d0ef3d260047966

SHA256
9629135a0e4719b683d6952921567c00e42b34b6546d9d34a4b55cf4208f265e

SHA512
03535da9be2d2093a662756b288947af014ff21f9b6fc9fdacf228c9c27b9e995b6c6d3c8af722bfb0c05d9b747665e0600b6f63a6eff4245730c00dd71ea29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epcx5vnw.qhc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
191B

MD5
04481c2f4a755928286021ea294f3a4d

SHA1
7d8ac15a9e108b013dd06c5f7c52d4fa6364c9c3

SHA256
3922cda0db689f0359b4141f0d89e170c7d5680e69c400bbfdc7ca0e1107d1a4

SHA512
4012f9b20a77052d3e7ff32d4453ccc266ce59ef0f818bc8e4c05b6db701e7a3e8a855b2e76792f09a87f3f305c23253baf60a84c4544ccb5a7846ce1ee32ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
191B

MD5
82b2eb262a43fec7d0113e6c12f2f823

SHA1
5080d65fc1a386d4603d10877b8dd677bdac9edd

SHA256
68589963fceac5d4c1f96b46cdf80345282772eaf942989b603274f075798ee8

SHA512
530d51b490796a8c2a1103b9777e5c2de0512c879d7a48a2e397430156214bf921caf7a66273d3198026a2021885e04ab1773225d940b849b04402007525678c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
191B

MD5
7f0051a3405d694a596c970d98177387

SHA1
bd2c35cd523171cf8e395a33c2ab5b942e6a2971

SHA256
9ed0d737a3c990b7c3cfbdfe3e195a9e7d48149821d91460e342ecfc6a0d88a7

SHA512
d97496a46529724e333dbde8833aaa4c209cf0404b6c0aa2745a61d1d97c2561670620583a156b0a27d763a222fda24a44ed1d080f2addb8d57f338dffc22417

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
191B

MD5
8207179cbdf9151c4d361dcdc389c9bc

SHA1
c98c2022c499af2e264b0f7e84b181156f9a680b

SHA256
13bf217db17c447ecd4b762b2c9f3760eae0b991e2f84aef38e42b01197a3962

SHA512
78883f51eaf550a33a2b95634d14383dc6b2b05e06f9f3bd456922b2540f6f18c56f2a3f33829d422ffc64d90e174312e9ef5ddd8ab7ae84c0f085263daa64ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
191B

MD5
a0f566fd8b507a20c5a03fd11160775c

SHA1
e6b8c00ddca8cd231721a63e5d0b0c7d18ac4b01

SHA256
f2a111d458c8b19043bc4f5a61a930a92d4b26ededa4b0923d8c74d7022371e1

SHA512
06cfca488f104ff59621590e81678d4ea304af7fa2cf600b348a76b82168ecdaf15952a2cd2d6f4bfdf64941dd2c2a9506477be232c41a691a976503badee32d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/984-237-0x000000001BD60000-0x000000001BECA000-memory.dmp

Filesize
1.4MB

Download
memory/984-211-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/1968-12-0x00007FFA9A023000-0x00007FFA9A025000-memory.dmp

Filesize
8KB

Download
memory/1968-13-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1968-14-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/1968-15-0x0000000002CB0000-0x0000000002CBC000-memory.dmp

Filesize
48KB

Download
memory/1968-16-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

Filesize
48KB

Download
memory/1968-17-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

Filesize
48KB

Download
memory/2308-299-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/2696-277-0x000000001C6D0000-0x000000001C771000-memory.dmp

Filesize
644KB

Download
memory/2696-278-0x000000001C780000-0x000000001C929000-memory.dmp

Filesize
1.7MB

Download
memory/3276-262-0x000000001C420000-0x000000001C5C9000-memory.dmp

Filesize
1.7MB

Download
memory/3276-261-0x000000001C370000-0x000000001C411000-memory.dmp

Filesize
644KB

Download
memory/3276-256-0x0000000001200000-0x0000000001212000-memory.dmp

Filesize
72KB

Download
memory/3428-40-0x000001DFC0120000-0x000001DFC0142000-memory.dmp

Filesize
136KB

Download
memory/3548-244-0x000000001B740000-0x000000001B842000-memory.dmp

Filesize
1.0MB

Download
memory/4108-91-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download
memory/4624-253-0x000000001CBB0000-0x000000001CD59000-memory.dmp

Filesize
1.7MB

Download
memory/4624-252-0x000000001CB00000-0x000000001CBA1000-memory.dmp

Filesize
644KB

Download
memory/4624-247-0x0000000003220000-0x0000000003232000-memory.dmp

Filesize
72KB

Download
memory/4700-270-0x000000001BE30000-0x000000001BFD9000-memory.dmp

Filesize
1.7MB

Download
memory/4700-269-0x000000001BD80000-0x000000001BE21000-memory.dmp

Filesize
644KB

Download