dcrat | 2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
Size

1.7MB
MD5

66eded8b72e993eef8ec0b1b19944cc0
SHA1

21b2295f1f9bd380dd114ff5a5c931b281b1f74c
SHA256

2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d
SHA512

da0079636800e3b463582f90fe68daf8edfa3dd7a5b2837844bd4009607e6b98e6d134ddb92c2f91ebafc251636840e8ab6f5a4fdb87d716a40ca111a84ac787
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1940	schtasks.exe	82

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3012-1-0x0000000000870000-0x0000000000A30000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c96-30.dat	dcrat
behavioral2/files/0x000a000000023c89-106.dat	dcrat
behavioral2/files/0x000c000000023c91-141.dat	dcrat
behavioral2/files/0x000a000000023c9f-164.dat	dcrat
behavioral2/files/0x0009000000023ca1-175.dat	dcrat
behavioral2/files/0x000a000000023ca6-198.dat	dcrat
behavioral2/files/0x000a000000023cb2-234.dat	dcrat
behavioral2/files/0x000a000000023cb9-255.dat	dcrat
behavioral2/memory/1200-433-0x00000000009C0000-0x0000000000B80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3756	powershell.exe
4144	powershell.exe
2188	powershell.exe
3912	powershell.exe
1808	powershell.exe
2564	powershell.exe
2500	powershell.exe
808	powershell.exe
4324	powershell.exe
4836	powershell.exe
1076	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 3 IoCs

pid	Process
1200	upfc.exe
3568	upfc.exe
740	upfc.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXE51B.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Uninstall Information\upfc.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXFF8F.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\wininit.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\StartMenuExperienceHost.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Windows Defender\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXE51A.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\Uninstall Information\ea1d8f6d871115	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXEBC8.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX485.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\Internet Explorer\images\StartMenuExperienceHost.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\VideoLAN\VLC\lsass.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\MSBuild\fontdrvhost.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\Uninstall Information\upfc.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXF650.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\Internet Explorer\images\55b276f4edf653	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXE044.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\MSBuild\fontdrvhost.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXF5D2.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXFF21.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ea9f0e6c9e2dcd	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXDB7E.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXE074.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lsass.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\56085415360792	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\MSBuild\RCXE730.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXF34F.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXF350.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\9e8d7a4ca61bd9	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\wininit.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX484.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX201.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\MSBuild\5b884080fd4f94	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files\VideoLAN\VLC\6203df4a6bafc7	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Windows Defender\6ccacd8608530f	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\MSBuild\RCXE731.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXEBC9.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\6203df4a6bafc7	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXDB7D.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX270.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\it-IT\RCXF0DC.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\ja-JP\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\ja-JP\Idle.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\tracing\RCXE945.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\it-IT\RCXF14B.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\ja-JP\RCXF864.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\ja-JP\RCXF865.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\tracing\886983d96e3d3e	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\OCR\RuntimeBroker.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\it-IT\unsecapp.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\ja-JP\6ccacd8608530f	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\it-IT\unsecapp.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\tracing\csrss.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\tracing\RCXE9C3.tmp	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File opened for modification	C:\Windows\tracing\csrss.exe	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
File created	C:\Windows\it-IT\29c1c3cc0f7685	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
2864	schtasks.exe
3644	schtasks.exe
4244	schtasks.exe
3436	schtasks.exe
4768	schtasks.exe
324	schtasks.exe
1068	schtasks.exe
4740	schtasks.exe
4648	schtasks.exe
452	schtasks.exe
3688	schtasks.exe
4720	schtasks.exe
4640	schtasks.exe
316	schtasks.exe
2584	schtasks.exe
4836	schtasks.exe
1736	schtasks.exe
1196	schtasks.exe
1124	schtasks.exe
2292	schtasks.exe
2692	schtasks.exe
392	schtasks.exe
4532	schtasks.exe
4208	schtasks.exe
4880	schtasks.exe
3304	schtasks.exe
3624	schtasks.exe
2904	schtasks.exe
4536	schtasks.exe
4176	schtasks.exe
4120	schtasks.exe
1776	schtasks.exe
4124	schtasks.exe
3656	schtasks.exe
2272	schtasks.exe
2760	schtasks.exe
4388	schtasks.exe
1564	schtasks.exe
4324	schtasks.exe
4340	schtasks.exe
4656	schtasks.exe
1252	schtasks.exe
4856	schtasks.exe
4512	schtasks.exe
3808	schtasks.exe
1200	schtasks.exe
2876	schtasks.exe
4560	schtasks.exe
216	schtasks.exe
3952	schtasks.exe
4924	schtasks.exe
2332	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
2188	powershell.exe
2188	powershell.exe
808	powershell.exe
808	powershell.exe
4324	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	1200	upfc.exe
Token: SeDebugPrivilege	3568	upfc.exe
Token: SeDebugPrivilege	740	upfc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4324	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	137
PID 3012 wrote to memory of 4324	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	137
PID 3012 wrote to memory of 3912	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	138
PID 3012 wrote to memory of 3912	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	138
PID 3012 wrote to memory of 2188	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	139
PID 3012 wrote to memory of 2188	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	139
PID 3012 wrote to memory of 1076	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	140
PID 3012 wrote to memory of 1076	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	140
PID 3012 wrote to memory of 4144	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	141
PID 3012 wrote to memory of 4144	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	141
PID 3012 wrote to memory of 3756	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	142
PID 3012 wrote to memory of 3756	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	142
PID 3012 wrote to memory of 808	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	143
PID 3012 wrote to memory of 808	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	143
PID 3012 wrote to memory of 2500	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	144
PID 3012 wrote to memory of 2500	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	144
PID 3012 wrote to memory of 2564	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	145
PID 3012 wrote to memory of 2564	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	145
PID 3012 wrote to memory of 4836	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	146
PID 3012 wrote to memory of 4836	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	146
PID 3012 wrote to memory of 1808	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	147
PID 3012 wrote to memory of 1808	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	147
PID 3012 wrote to memory of 1200	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	159
PID 3012 wrote to memory of 1200	3012	2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe	159
PID 1200 wrote to memory of 4524	1200	upfc.exe	163
PID 1200 wrote to memory of 4524	1200	upfc.exe	163
PID 1200 wrote to memory of 3176	1200	upfc.exe	164
PID 1200 wrote to memory of 3176	1200	upfc.exe	164
PID 4524 wrote to memory of 3568	4524	WScript.exe	170
PID 4524 wrote to memory of 3568	4524	WScript.exe	170
PID 3568 wrote to memory of 2276	3568	upfc.exe	171
PID 3568 wrote to memory of 2276	3568	upfc.exe	171
PID 3568 wrote to memory of 4468	3568	upfc.exe	172
PID 3568 wrote to memory of 4468	3568	upfc.exe	172
PID 2276 wrote to memory of 740	2276	WScript.exe	173
PID 2276 wrote to memory of 740	2276	WScript.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe
"C:\Users\Admin\AppData\Local\Temp\2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480dN.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Users\Default\SendTo\upfc.exe
  "C:\Users\Default\SendTo\upfc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef334cff-8d59-4cff-8e47-1b88555478aa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Default\SendTo\upfc.exe
      C:\Users\Default\SendTo\upfc.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\252e8d8b-7195-43d8-af7f-ea6e120d7431.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Users\Default\SendTo\upfc.exe
        
        C:\Users\Default\SendTo\upfc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49cac372-aaef-45b3-a758-a4372dad1ff8.vbs"
        5⤵
        
        PID:4468
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1203ca7-a492-4628-85bf-9a53f8b9a7e0.vbs"
    3⤵
    PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\Idle.exe

Filesize
1.7MB

MD5
815967740b3748ca6a4ad57a2022360e

SHA1
582d4b1d577eeb5500286d31e77f377630683820

SHA256
4c3424fe5b3e6bc547c59a1d480452b22774dca6817a028bc449c20914d49628

SHA512
185ee870b8375e804192e09f6a6de6abc52e3536f8c2e970e05df4a0652d9b9ab617ff3807feed745ce8f572d2a5d6c9673db656860ae43dc26c6d28caaa4727

Download Submit
C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe

Filesize
1.7MB

MD5
563ebc1070904a0ca7aa3cc9eeca59d6

SHA1
be04549dd6ffd6cbf159d5e5fe4d08c248284d0a

SHA256
eccc5eee2a5883968321918a2a276b3ca3c4b8cc24e5823b7ec0480c8156d5b2

SHA512
2fe083ca2fef2ae0f1f8a1008d102f5052b5989e76866db2bea2d11dda1928e2579f849291efb847986a8e780e50bf5bc7afde85bf367c757e27e379aaf28c0b

Download Submit
C:\Program Files\VideoLAN\VLC\lsass.exe

Filesize
1.7MB

MD5
66eded8b72e993eef8ec0b1b19944cc0

SHA1
21b2295f1f9bd380dd114ff5a5c931b281b1f74c

SHA256
2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d

SHA512
da0079636800e3b463582f90fe68daf8edfa3dd7a5b2837844bd4009607e6b98e6d134ddb92c2f91ebafc251636840e8ab6f5a4fdb87d716a40ca111a84ac787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85c74ff3a8677d107f3219483ec80325

SHA1
c6b2d8ce3b3d966f2d068cddbfb8860508d4943c

SHA256
4f74283225f70ff6fa70c633a9c6003e65b9aaffb60506d771c8ca50248c5434

SHA512
27a5b01dcec2fd15c0dc5820d0f230cc36dbed1846c2fc073bbf00d9f5c0d6c27488b4789dabca90122162c18c3530f79dfacee904b5869e14b036f23da10769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\252e8d8b-7195-43d8-af7f-ea6e120d7431.vbs

Filesize
708B

MD5
6b1a8b3e6321725bacca19a87171e3e1

SHA1
da221d0b3dc770851722e807ac75d57b65921f85

SHA256
dcb5dc7998efd7f5be01de32e95a40a8e2619690f779cfd7a9af80e4c7b9da6e

SHA512
a48458e6f39aa28ff52922ef9aa02315d5f1df818e3b6e497317c6af75b2c29c13c216e2e1679ae8c0a30c750a581b53ba6ca924349f15762b401232a09cd7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oo32scjp.wva.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1203ca7-a492-4628-85bf-9a53f8b9a7e0.vbs

Filesize
484B

MD5
331c8802ee861af57fe7b5c90ce57a75

SHA1
0d7e01f060a0bb3839262e1ef6964c3a21afed65

SHA256
bae911f3beac0a2dcdf0375da301812b6d2c555d19fddc6756bcfe13dd419b0d

SHA512
152415280e6668d74ab682ada20af26ed1bd36790b0009e76d71c709515a41cc1dd99b137cc96839e13b5c13b5ec2f0091bd0097d3fd20382fbc6351d4a12439

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef334cff-8d59-4cff-8e47-1b88555478aa.vbs

Filesize
708B

MD5
b6517ed562b471bd892fa731ce922129

SHA1
1561873ce65f2c1b98a6bf47beb2b609a9912ef5

SHA256
73b705d6b85104a20a90bd688f68f5f953235c07c8b2c1551383b5806182f343

SHA512
20726e4c4a2c6856ba35e86f3abb3c6ecc9aefd1478f7fb0d6fceaec21172fd3331a851828f5541464f66849016dbe088012b24d3c0effd0be954a5f31072c32

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\upfc.exe

Filesize
1.7MB

MD5
dc5b015c64d6270cde75a56a7bbfbe11

SHA1
ea5ca4ee7007046878314defe88b7d95f27a5a0b

SHA256
49c22d1efd609c6b8c0fbd8055e6a2318951236bf1747e751a9cae0036795dfd

SHA512
6053664ec204baf142fed661bcdd544e7b93816563917aacad8fb32c7b216236e90f061dbca50f0d7894d05d45aac6f378b7fdcf55f238f7cbbd8d56d21a2e03

Download Submit
C:\Users\Default\Downloads\explorer.exe

Filesize
1.7MB

MD5
28e0ed25cc0f9bd08f30ff371b160297

SHA1
34587f93e7f7ca4402578e8a278e7f14c496fe22

SHA256
e1010230866e52a47df1efde09a6cedd226a41e1ca77876feba4a97703c304bf

SHA512
bab12f8ac3f5ddf7407cefa27af908b8bdc207bdad64f11728ceee23707452079251e6dbc3cae01b03bbefca0a13f6484e297930eb5cafee06c90707aac9447d

Download Submit
C:\Users\Default\winlogon.exe

Filesize
1.7MB

MD5
11fa83e9f189a89a173314cdd90f7ef3

SHA1
7c9d433b04b383318862f0983bbd12d18454a932

SHA256
5e713523ccba41bea82cabab1746bf2aada67401149df4ef4e3f6317c086407d

SHA512
e701f05d4649baad1c051cd6c17aee6e0e5d09b9dc575eb4ff0566fb49c4160a394ecc62e9df40486cbabb76aa8ba675c6cceb865f1bc7c92fa5824426a52c1e

Download Submit
C:\Windows\it-IT\unsecapp.exe

Filesize
1.7MB

MD5
724731cf2aa06d0e1febe18c79a4ff23

SHA1
f4e76f588a0baa5fc3b5194140c1f8f7d42ee415

SHA256
60d35f3e744fe42c12c37a8db16f28335d13c242ce9810ffadede15d4b8cdacc

SHA512
22e8b279889de04a6486e84494601aa35d210519e52a76db5243131f98d1c8d767e83f026cb5df735a04f37110c5263479994a735cb0fa1a0ec384abd8ab940e

Download Submit
C:\Windows\tracing\csrss.exe

Filesize
1.7MB

MD5
d4dbc1312dc6744b136d737230c189d3

SHA1
85a9097cc1bca60d8b928cc9026881623f5ee91c

SHA256
865da1859193c45cf4d6eebb5daba623b3aebd4e22b7b2810b1ee8e92f049f1c

SHA512
ea5cb72f8d01d7c5cd12f2297c07b6cd257a52f06d812af7e90b533e34960860bc9e4f9cc1e6945b1b6cf118322076128a7580177e83a811b93aff5d4a98b0d7

Download Submit
memory/1076-321-0x000002834B080000-0x000002834B0A2000-memory.dmp

Filesize
136KB

Download
memory/1200-433-0x00000000009C0000-0x0000000000B80000-memory.dmp

Filesize
1.8MB

Download
memory/3012-12-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download
memory/3012-17-0x000000001BE60000-0x000000001BE68000-memory.dmp

Filesize
32KB

Download
memory/3012-0-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

Filesize
8KB

Download
memory/3012-23-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-155-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

Filesize
8KB

Download
memory/3012-16-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

Filesize
56KB

Download
memory/3012-15-0x000000001BFD0000-0x000000001BFDA000-memory.dmp

Filesize
40KB

Download
memory/3012-178-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-14-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/3012-213-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-13-0x000000001C280000-0x000000001C7A8000-memory.dmp

Filesize
5.2MB

Download
memory/3012-22-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-1-0x0000000000870000-0x0000000000A30000-memory.dmp

Filesize
1.8MB

Download
memory/3012-19-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/3012-18-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/3012-432-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-9-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/3012-8-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/3012-7-0x000000001BC80000-0x000000001BC96000-memory.dmp

Filesize
88KB

Download
memory/3012-4-0x000000001BCD0000-0x000000001BD20000-memory.dmp

Filesize
320KB

Download
memory/3012-5-0x0000000001400000-0x0000000001408000-memory.dmp

Filesize
32KB

Download
memory/3012-6-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/3012-3-0x000000001BC60000-0x000000001BC7C000-memory.dmp

Filesize
112KB

Download
memory/3012-2-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-10-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/3568-469-0x000000001B440000-0x000000001B452000-memory.dmp

Filesize
72KB

Download