dcrat | a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be183db6d4b77c092496c69c3f389b94.exe
Size

5.9MB
MD5

be183db6d4b77c092496c69c3f389b94
SHA1

fb3bfca351c3393d0a5d8cd9720b6427a2e496a3
SHA256

87c09708598a2d92970a4a4e7244fc31589a8e6e6a49240ec5c5862aff099c9a
SHA512

997eba720a5d7895cfce44aa1f67eba74312314a87190e2b5dd8229aaa63d3886224d7f34023d9888922a72fd976a214eedf2f9d746c923c6efbe9683e39173c
SSDEEP

98304:byeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4d:byeU11Rvqmu8TWKnF6N/1ww

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3996	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3996	schtasks.exe	88

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4208	powershell.exe
4072	powershell.exe
688	powershell.exe
5052	powershell.exe
3812	powershell.exe
2736	powershell.exe
2460	powershell.exe
3740	powershell.exe
4780	powershell.exe
1412	powershell.exe
2464	powershell.exe
1732	powershell.exe
2128	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	be183db6d4b77c092496c69c3f389b94.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	be183db6d4b77c092496c69c3f389b94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 3 IoCs

pid	Process
2400	upfc.exe
2540	upfc.exe
4440	upfc.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be183db6d4b77c092496c69c3f389b94.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
2400	upfc.exe
2400	upfc.exe
2540	upfc.exe
2540	upfc.exe
4440	upfc.exe
4440	upfc.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXFC04.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE3E5.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\5940a34987c991	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\RCXE143.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE3D4.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXF22A.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\unsecapp.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\29c1c3cc0f7685	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXFC15.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\0a1fd5f707cd16	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXDA18.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\taskhostw.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXF1FA.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF972.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXDA29.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\RCXE132.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\unsecapp.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF983.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\DiagTrack\Settings\66fc9ff0ee96c2	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\addins\RCXFE96.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\Vss\Writers\System\dwm.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\addins\upfc.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\DiagTrack\Settings\RCXEB1E.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\addins\upfc.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\Vss\Writers\System\6cb0b6c459d5d3	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\DiagTrack\Settings\RCXEB2E.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXF6E0.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXF75E.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\Vss\Writers\System\dwm.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\DiagTrack\Settings\sihost.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\addins\ea1d8f6d871115	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\DiagTrack\Settings\sihost.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\addins\RCXFEA7.tmp	be183db6d4b77c092496c69c3f389b94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	be183db6d4b77c092496c69c3f389b94.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4280	schtasks.exe
3812	schtasks.exe
4860	schtasks.exe
3540	schtasks.exe
4380	schtasks.exe
4744	schtasks.exe
112	schtasks.exe
3576	schtasks.exe
4284	schtasks.exe
2328	schtasks.exe
2460	schtasks.exe
828	schtasks.exe
4952	schtasks.exe
1152	schtasks.exe
2992	schtasks.exe
2976	schtasks.exe
552	schtasks.exe
4976	schtasks.exe
232	schtasks.exe
1960	schtasks.exe
1868	schtasks.exe
4780	schtasks.exe
3868	schtasks.exe
3780	schtasks.exe
3108	schtasks.exe
952	schtasks.exe
2740	schtasks.exe
4240	schtasks.exe
948	schtasks.exe
2580	schtasks.exe
4476	schtasks.exe
4548	schtasks.exe
1996	schtasks.exe
4984	schtasks.exe
2900	schtasks.exe
1904	schtasks.exe
624	schtasks.exe
2428	schtasks.exe
5112	schtasks.exe
1648	schtasks.exe
1412	schtasks.exe
4352	schtasks.exe
4652	schtasks.exe
384	schtasks.exe
1688	schtasks.exe
4552	schtasks.exe
4920	schtasks.exe
688	schtasks.exe
5052	schtasks.exe
3572	schtasks.exe
4140	schtasks.exe
2060	schtasks.exe
2676	schtasks.exe
4636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
4368	be183db6d4b77c092496c69c3f389b94.exe
2464	powershell.exe
2464	powershell.exe
4208	powershell.exe
4208	powershell.exe
4780	powershell.exe
4780	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	be183db6d4b77c092496c69c3f389b94.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2400	upfc.exe
Token: SeDebugPrivilege	2540	upfc.exe
Token: SeDebugPrivilege	4440	upfc.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1412	4368	be183db6d4b77c092496c69c3f389b94.exe	148
PID 4368 wrote to memory of 1412	4368	be183db6d4b77c092496c69c3f389b94.exe	148
PID 4368 wrote to memory of 2464	4368	be183db6d4b77c092496c69c3f389b94.exe	149
PID 4368 wrote to memory of 2464	4368	be183db6d4b77c092496c69c3f389b94.exe	149
PID 4368 wrote to memory of 4072	4368	be183db6d4b77c092496c69c3f389b94.exe	150
PID 4368 wrote to memory of 4072	4368	be183db6d4b77c092496c69c3f389b94.exe	150
PID 4368 wrote to memory of 688	4368	be183db6d4b77c092496c69c3f389b94.exe	151
PID 4368 wrote to memory of 688	4368	be183db6d4b77c092496c69c3f389b94.exe	151
PID 4368 wrote to memory of 1732	4368	be183db6d4b77c092496c69c3f389b94.exe	152
PID 4368 wrote to memory of 1732	4368	be183db6d4b77c092496c69c3f389b94.exe	152
PID 4368 wrote to memory of 5052	4368	be183db6d4b77c092496c69c3f389b94.exe	153
PID 4368 wrote to memory of 5052	4368	be183db6d4b77c092496c69c3f389b94.exe	153
PID 4368 wrote to memory of 2128	4368	be183db6d4b77c092496c69c3f389b94.exe	154
PID 4368 wrote to memory of 2128	4368	be183db6d4b77c092496c69c3f389b94.exe	154
PID 4368 wrote to memory of 4208	4368	be183db6d4b77c092496c69c3f389b94.exe	155
PID 4368 wrote to memory of 4208	4368	be183db6d4b77c092496c69c3f389b94.exe	155
PID 4368 wrote to memory of 4780	4368	be183db6d4b77c092496c69c3f389b94.exe	156
PID 4368 wrote to memory of 4780	4368	be183db6d4b77c092496c69c3f389b94.exe	156
PID 4368 wrote to memory of 3740	4368	be183db6d4b77c092496c69c3f389b94.exe	157
PID 4368 wrote to memory of 3740	4368	be183db6d4b77c092496c69c3f389b94.exe	157
PID 4368 wrote to memory of 2460	4368	be183db6d4b77c092496c69c3f389b94.exe	158
PID 4368 wrote to memory of 2460	4368	be183db6d4b77c092496c69c3f389b94.exe	158
PID 4368 wrote to memory of 2736	4368	be183db6d4b77c092496c69c3f389b94.exe	159
PID 4368 wrote to memory of 2736	4368	be183db6d4b77c092496c69c3f389b94.exe	159
PID 4368 wrote to memory of 3812	4368	be183db6d4b77c092496c69c3f389b94.exe	160
PID 4368 wrote to memory of 3812	4368	be183db6d4b77c092496c69c3f389b94.exe	160
PID 4368 wrote to memory of 2400	4368	be183db6d4b77c092496c69c3f389b94.exe	174
PID 4368 wrote to memory of 2400	4368	be183db6d4b77c092496c69c3f389b94.exe	174
PID 2400 wrote to memory of 5720	2400	upfc.exe	176
PID 2400 wrote to memory of 5720	2400	upfc.exe	176
PID 2400 wrote to memory of 5764	2400	upfc.exe	177
PID 2400 wrote to memory of 5764	2400	upfc.exe	177
PID 5720 wrote to memory of 2540	5720	WScript.exe	186
PID 5720 wrote to memory of 2540	5720	WScript.exe	186
PID 2540 wrote to memory of 1456	2540	upfc.exe	187
PID 2540 wrote to memory of 1456	2540	upfc.exe	187
PID 2540 wrote to memory of 5220	2540	upfc.exe	188
PID 2540 wrote to memory of 5220	2540	upfc.exe	188
PID 1456 wrote to memory of 4440	1456	WScript.exe	190
PID 1456 wrote to memory of 4440	1456	WScript.exe	190
PID 4440 wrote to memory of 4704	4440	upfc.exe	191
PID 4440 wrote to memory of 4704	4440	upfc.exe	191
PID 4440 wrote to memory of 5736	4440	upfc.exe	192
PID 4440 wrote to memory of 5736	4440	upfc.exe	192

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be183db6d4b77c092496c69c3f389b94.exe
"C:\Users\Admin\AppData\Local\Temp\be183db6d4b77c092496c69c3f389b94.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/0154351536fc379faee1/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/3ac54ddf2ad44faa6035cf/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\addins\upfc.exe
  "C:\Windows\addins\upfc.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2400
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18681e4a-8df7-4a61-8c4e-2e80b74fbba8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5720
  - - C:\Windows\addins\upfc.exe
      C:\Windows\addins\upfc.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a036a02-6662-475d-9ed1-a21a9d924485.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\addins\upfc.exe
        
        C:\Windows\addins\upfc.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64ab624c-1ef5-4e83-9fac-90d6820b0b5c.vbs"
        7⤵
        
        PID:4704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b700bbb-79d9-41f6-9c51-c9a576e72975.vbs"
        7⤵
        
        PID:5736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a576735b-bb3b-4894-9255-bd10e269a3fd.vbs"
        5⤵
        
        PID:5220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a124b631-359a-40d5-b9c4-9878be683889.vbs"
    3⤵
    PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\DiagTrack\Settings\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\addins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\StartMenuExperienceHost.exe

Filesize
5.9MB

MD5
10268e02b467f28f032f7f51a250ef81

SHA1
123849cca9496c3fd3ba045392b7c6dd197715f9

SHA256
74ced2d22befb5d5ffc98272572bd3d2f78459e77729ee0cd4cc4962e28a31b0

SHA512
78ce9dd67b92a21cc000e6af6971c0d0fd0533dc4a811960a7fbf784af54f0a954ca28bfc516d2b3353d78c825834f60a20f61a376fd2831a6ba97cb00ebf366

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\unsecapp.exe

Filesize
5.9MB

MD5
be183db6d4b77c092496c69c3f389b94

SHA1
fb3bfca351c3393d0a5d8cd9720b6427a2e496a3

SHA256
87c09708598a2d92970a4a4e7244fc31589a8e6e6a49240ec5c5862aff099c9a

SHA512
997eba720a5d7895cfce44aa1f67eba74312314a87190e2b5dd8229aaa63d3886224d7f34023d9888922a72fd976a214eedf2f9d746c923c6efbe9683e39173c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2749a36c2b278075380f504683bd5cee

SHA1
b9a979f925fb1eca0e9ae2d1d534e405b50fc76c

SHA256
2b98324b3679bdfc3c56f4c73452bd66683bd453e1f49e1bdde9c5c3fcc9472e

SHA512
995068fe85262ab552fa273f0b8302bdbadf1e1bbf16b21f416977f33f5f6f1a66b07a5de464ff77cf8a3f078bf22023f6a9db32a520a127ed098c3c7c4f8ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e348622866b20e881135e0384075ab84

SHA1
d770bf7171f0d184bba9830e2cc896f2913f068b

SHA256
80bdda48e9513fc808d445af95c69370d760a1cb982dfcffa4f6c02016314494

SHA512
00f37657dd1f54fc38c8d568a19cf66d32d5f6423bf0ddc497394037e197202a227ed5d17e37e0606ee4fdf9b987fde216dccefa843c6cbe47188b1a44efe5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4b25365534f6e80f784bf0e0d4059973

SHA1
c599ef0f1d9ba1265eeb3bb02db8ea30eebee19c

SHA256
ea3d1a91d3248163412b2df35c0fcafbdc2ad4754c82e202b8f3b142af2b760c

SHA512
96deef1eba434a1784105a51888ca0cedd460bf05743e91e06a2b3dfff690099a5c3aad8b15297d3f84a10d8ddc24cfafa622217139ac1356fe40f18fd410c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af1324e7a4e3e6cfc7ee7add0391f0b9

SHA1
19117163248a95e5ceb83b6dc8c21e396f33bcaf

SHA256
a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52

SHA512
6a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\18681e4a-8df7-4a61-8c4e-2e80b74fbba8.vbs

Filesize
702B

MD5
d3847b7e373da5679fba9fb019e6c114

SHA1
041b103ed93947798f5398f7378e3d177596f5dc

SHA256
a7e5350704a7f1428d94bd257ae49bede298a5d0a262e3cd6e3572d40c9b16b9

SHA512
08b98bf11e4d0e9bfdef7b35f3bde3bd83f0f1a02ab5903b7d05907950b0334455d6c35298d7233c87ff2d88d1885750786702526fde298badd5387d1f141d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a036a02-6662-475d-9ed1-a21a9d924485.vbs

Filesize
702B

MD5
7514dc30b239694a2e675b7daae027f8

SHA1
92a776a24b74f9cec7ffce81a94b532518bc62ea

SHA256
c53416c694ff2dab6b39c5e375f56f208207a529f8f1946be81482391ccb6117

SHA512
d3efebd48377528067dc855766cc57365064741329dcb9190edcb45c69a7301ec5dd247a170e564fb97bbaeeaffc5836c617f66c397e2ab417b0fc083b03d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\64ab624c-1ef5-4e83-9fac-90d6820b0b5c.vbs

Filesize
702B

MD5
a2906c678c8c31e8b1bfa75b4463a987

SHA1
3b77708431576368609e3f7b72532e321c427dff

SHA256
b37e94aaf4ee32afca7f1dea87c713a672da9abfcff27471e046843f7de29c93

SHA512
3d14b2a0bd1523be60732e6c1f3653a63ab6eaafbb86837abdf1b11cc7e821d3cc97f56926f7030309eeeefb0585f6aa1f3da696e7459043d37c7681e525298f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmsxven3.njg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a124b631-359a-40d5-b9c4-9878be683889.vbs

Filesize
478B

MD5
abd77c7cf5ccd0fed792d5f118f4ecec

SHA1
9d75dd7c1fb1c8b84bf5b88d47f0ac25a4793387

SHA256
7b020eb11b257178d30fed04c8f8eb74d3c8a635def7ea83b551fb85773ef0cb

SHA512
a36cf7918c608b7ebe9fbb18b2803d747509ab8b21d8542cf261e0db102847cc7101ea003d2be582a8cfd6bf8f5a2284f1758307077cee9b74f3a6536e2c2623

Download Submit
C:\Users\Admin\AppData\Local\Temp\f09449975fe845951e854325380ddd8d6585d1d1.exe

Filesize
5.9MB

MD5
bd5a0db72402bd1791aada69009a79bd

SHA1
a760380074d9f7b48b60c55f39fb4431daa74bde

SHA256
d3abfbafdf76b8626ac108d61dba19736674923e2f197f42473e6b40e564f7d2

SHA512
1d207a94567d4a2c7d9c9a1904a5f4431cfc7abf7448e5da1ddcf0392fec091b28c96c0d2391ac2449f425f42c9bffa33abfd72e460acc12a436273eb33aae89

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sppsvc.exe

Filesize
5.9MB

MD5
8e3cd7302bd3703c2fa4e47bcddba553

SHA1
e3a8b432221e78cc0005b8e027c7a4c1c0cc14cf

SHA256
bf61444be8418879a60fc493b192f37d0217dd33dd91431d493bfe946429289d

SHA512
dc2636edda2ec89ae7f9ce811e8b27a7a7a32f91862380dedd9e6d283f1f07bfdf29990e288520c28b86e0e52a6c9f1ae15b822e4150c1994e3deb09ee172a0d

Download Submit
C:\Windows\Vss\Writers\System\dwm.exe

Filesize
5.9MB

MD5
75f55b88b00c797c199c570d9405d578

SHA1
f774b5ca22ae8f57b79a7701e6e84c22dd5a42d2

SHA256
0847568344b5e187ab3893dd078becafe2be034f0bee6bf8458d338f8dec3096

SHA512
57628cc0fe5834302bb79b043cb0227e4011e73f07213dbaba2ed1de3b28933fd3b697919bfd6401fd1820ef064bd12e1b6630a4e0c255e843a7b8beabb70540

Download Submit
memory/2400-489-0x0000000002EC0000-0x0000000002ED2000-memory.dmp

Filesize
72KB

Download
memory/2400-490-0x000000001D200000-0x000000001D256000-memory.dmp

Filesize
344KB

Download
memory/4368-34-0x000000001DAE0000-0x000000001DAEE000-memory.dmp

Filesize
56KB

Download
memory/4368-212-0x00007FFBB5070000-0x00007FFBB5B31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-24-0x000000001DA30000-0x000000001DA42000-memory.dmp

Filesize
72KB

Download
memory/4368-25-0x000000001E060000-0x000000001E588000-memory.dmp

Filesize
5.2MB

Download
memory/4368-26-0x000000001DA60000-0x000000001DA6C000-memory.dmp

Filesize
48KB

Download
memory/4368-27-0x000000001DA70000-0x000000001DA7C000-memory.dmp

Filesize
48KB

Download
memory/4368-29-0x000000001DA90000-0x000000001DA9C000-memory.dmp

Filesize
48KB

Download
memory/4368-30-0x000000001DAA0000-0x000000001DAAC000-memory.dmp

Filesize
48KB

Download
memory/4368-32-0x000000001DAC0000-0x000000001DACC000-memory.dmp

Filesize
48KB

Download
memory/4368-28-0x000000001DA80000-0x000000001DA88000-memory.dmp

Filesize
32KB

Download
memory/4368-31-0x000000001DAB0000-0x000000001DAB8000-memory.dmp

Filesize
32KB

Download
memory/4368-0-0x00007FFBB5073000-0x00007FFBB5075000-memory.dmp

Filesize
8KB

Download
memory/4368-33-0x000000001DAD0000-0x000000001DADA000-memory.dmp

Filesize
40KB

Download
memory/4368-36-0x000000001DB00000-0x000000001DB0E000-memory.dmp

Filesize
56KB

Download
memory/4368-37-0x000000001DB10000-0x000000001DB18000-memory.dmp

Filesize
32KB

Download
memory/4368-40-0x000000001DD50000-0x000000001DD5A000-memory.dmp

Filesize
40KB

Download
memory/4368-35-0x000000001DAF0000-0x000000001DAF8000-memory.dmp

Filesize
32KB

Download
memory/4368-41-0x000000001DD60000-0x000000001DD6C000-memory.dmp

Filesize
48KB

Download
memory/4368-39-0x000000001DD40000-0x000000001DD48000-memory.dmp

Filesize
32KB

Download
memory/4368-38-0x000000001DD30000-0x000000001DD3C000-memory.dmp

Filesize
48KB

Download
memory/4368-21-0x000000001DB20000-0x000000001DB2C000-memory.dmp

Filesize
48KB

Download
memory/4368-20-0x000000001DA10000-0x000000001DA18000-memory.dmp

Filesize
32KB

Download
memory/4368-176-0x00007FFBB5073000-0x00007FFBB5075000-memory.dmp

Filesize
8KB

Download
memory/4368-22-0x000000001DA20000-0x000000001DA28000-memory.dmp

Filesize
32KB

Download
memory/4368-19-0x000000001DA00000-0x000000001DA0C000-memory.dmp

Filesize
48KB

Download
memory/4368-18-0x000000001C0F0000-0x000000001C146000-memory.dmp

Filesize
344KB

Download
memory/4368-17-0x000000001C0E0000-0x000000001C0EA000-memory.dmp

Filesize
40KB

Download
memory/4368-1-0x0000000000AB0000-0x00000000013A8000-memory.dmp

Filesize
9.0MB

Download
memory/4368-460-0x00007FFBB5070000-0x00007FFBB5B31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-16-0x000000001C0D0000-0x000000001C0E0000-memory.dmp

Filesize
64KB

Download
memory/4368-15-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/4368-14-0x000000001C040000-0x000000001C04C000-memory.dmp

Filesize
48KB

Download
memory/4368-9-0x00000000035C0000-0x00000000035C8000-memory.dmp

Filesize
32KB

Download
memory/4368-10-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/4368-11-0x000000001C010000-0x000000001C026000-memory.dmp

Filesize
88KB

Download
memory/4368-13-0x000000001C050000-0x000000001C062000-memory.dmp

Filesize
72KB

Download
memory/4368-12-0x000000001C030000-0x000000001C038000-memory.dmp

Filesize
32KB

Download
memory/4368-8-0x000000001C080000-0x000000001C0D0000-memory.dmp

Filesize
320KB

Download
memory/4368-7-0x00000000035A0000-0x00000000035BC000-memory.dmp

Filesize
112KB

Download
memory/4368-6-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/4368-5-0x0000000001C80000-0x0000000001C8E000-memory.dmp

Filesize
56KB

Download
memory/4368-4-0x0000000001C70000-0x0000000001C7E000-memory.dmp

Filesize
56KB

Download
memory/4368-3-0x00007FFBB5070000-0x00007FFBB5B31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-2-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/4440-516-0x0000000003780000-0x00000000037D6000-memory.dmp

Filesize
344KB

Download
memory/4780-331-0x000002A348B50000-0x000002A348B72000-memory.dmp

Filesize
136KB

Download