dcrat | 7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe
Size

1.3MB
MD5

fcb6ddecd6125b5966c1599a845e71e3
SHA1

65eb40a719bfa3a5277b27631e5140bb203c3995
SHA256

7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375
SHA512

7fc9f137ad0204e781442d2ccac8318f25eb6a91b8bf5d08b0bac767ec85fb8454f8f3dda4709df9c593808f03be511b8752261fdb5e951b6a9b7f6ebd007ce7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2996	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c80-9.dat	dcrat
behavioral1/memory/764-13-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/924-137-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2744-196-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2180-256-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/2652-316-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1196-377-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe
1880	powershell.exe
2820	powershell.exe
1972	powershell.exe
2988	powershell.exe
2056	powershell.exe
2792	powershell.exe
1256	powershell.exe
2280	powershell.exe
836	powershell.exe
1576	powershell.exe
3000	powershell.exe
2708	powershell.exe
2556	powershell.exe
2348	powershell.exe
2536	powershell.exe
2732	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
764	DllCommonsvc.exe
924	dwm.exe
2744	dwm.exe
2180	dwm.exe
2652	dwm.exe
1196	dwm.exe
3004	dwm.exe
2936	dwm.exe
2300	dwm.exe
1252	dwm.exe
976	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	cmd.exe
2244	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\ja-JP\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe
1480	schtasks.exe
1232	schtasks.exe
1544	schtasks.exe
1716	schtasks.exe
2640	schtasks.exe
1916	schtasks.exe
696	schtasks.exe
872	schtasks.exe
1652	schtasks.exe
952	schtasks.exe
2848	schtasks.exe
2616	schtasks.exe
2360	schtasks.exe
1988	schtasks.exe
2220	schtasks.exe
1276	schtasks.exe
2252	schtasks.exe
2324	schtasks.exe
1620	schtasks.exe
2908	schtasks.exe
688	schtasks.exe
1768	schtasks.exe
980	schtasks.exe
380	schtasks.exe
1344	schtasks.exe
236	schtasks.exe
1720	schtasks.exe
2952	schtasks.exe
2948	schtasks.exe
2624	schtasks.exe
1268	schtasks.exe
1904	schtasks.exe
2832	schtasks.exe
1000	schtasks.exe
2644	schtasks.exe
2216	schtasks.exe
1780	schtasks.exe
1584	schtasks.exe
684	schtasks.exe
2868	schtasks.exe
1936	schtasks.exe
2976	schtasks.exe
2700	schtasks.exe
2120	schtasks.exe
768	schtasks.exe
2352	schtasks.exe
1500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
764	DllCommonsvc.exe
764	DllCommonsvc.exe
764	DllCommonsvc.exe
764	DllCommonsvc.exe
764	DllCommonsvc.exe
764	DllCommonsvc.exe
764	DllCommonsvc.exe
2988	powershell.exe
2536	powershell.exe
1972	powershell.exe
2348	powershell.exe
836	powershell.exe
2708	powershell.exe
2556	powershell.exe
2820	powershell.exe
2792	powershell.exe
3000	powershell.exe
2748	powershell.exe
2280	powershell.exe
2056	powershell.exe
1880	powershell.exe
2732	powershell.exe
1576	powershell.exe
1256	powershell.exe
924	dwm.exe
2744	dwm.exe
2180	dwm.exe
2652	dwm.exe
1196	dwm.exe
3004	dwm.exe
2936	dwm.exe
2300	dwm.exe
1252	dwm.exe
976	dwm.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	DllCommonsvc.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	924	dwm.exe
Token: SeDebugPrivilege	2744	dwm.exe
Token: SeDebugPrivilege	2180	dwm.exe
Token: SeDebugPrivilege	2652	dwm.exe
Token: SeDebugPrivilege	1196	dwm.exe
Token: SeDebugPrivilege	3004	dwm.exe
Token: SeDebugPrivilege	2936	dwm.exe
Token: SeDebugPrivilege	2300	dwm.exe
Token: SeDebugPrivilege	1252	dwm.exe
Token: SeDebugPrivilege	976	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2564	2348	JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe	30
PID 2348 wrote to memory of 2564	2348	JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe	30
PID 2348 wrote to memory of 2564	2348	JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe	30
PID 2348 wrote to memory of 2564	2348	JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe	30
PID 2564 wrote to memory of 2244	2564	WScript.exe	32
PID 2564 wrote to memory of 2244	2564	WScript.exe	32
PID 2564 wrote to memory of 2244	2564	WScript.exe	32
PID 2564 wrote to memory of 2244	2564	WScript.exe	32
PID 2244 wrote to memory of 764	2244	cmd.exe	34
PID 2244 wrote to memory of 764	2244	cmd.exe	34
PID 2244 wrote to memory of 764	2244	cmd.exe	34
PID 2244 wrote to memory of 764	2244	cmd.exe	34
PID 764 wrote to memory of 1972	764	DllCommonsvc.exe	84
PID 764 wrote to memory of 1972	764	DllCommonsvc.exe	84
PID 764 wrote to memory of 1972	764	DllCommonsvc.exe	84
PID 764 wrote to memory of 2988	764	DllCommonsvc.exe	85
PID 764 wrote to memory of 2988	764	DllCommonsvc.exe	85
PID 764 wrote to memory of 2988	764	DllCommonsvc.exe	85
PID 764 wrote to memory of 1576	764	DllCommonsvc.exe	86
PID 764 wrote to memory of 1576	764	DllCommonsvc.exe	86
PID 764 wrote to memory of 1576	764	DllCommonsvc.exe	86
PID 764 wrote to memory of 836	764	DllCommonsvc.exe	87
PID 764 wrote to memory of 836	764	DllCommonsvc.exe	87
PID 764 wrote to memory of 836	764	DllCommonsvc.exe	87
PID 764 wrote to memory of 2536	764	DllCommonsvc.exe	89
PID 764 wrote to memory of 2536	764	DllCommonsvc.exe	89
PID 764 wrote to memory of 2536	764	DllCommonsvc.exe	89
PID 764 wrote to memory of 2348	764	DllCommonsvc.exe	93
PID 764 wrote to memory of 2348	764	DllCommonsvc.exe	93
PID 764 wrote to memory of 2348	764	DllCommonsvc.exe	93
PID 764 wrote to memory of 2280	764	DllCommonsvc.exe	94
PID 764 wrote to memory of 2280	764	DllCommonsvc.exe	94
PID 764 wrote to memory of 2280	764	DllCommonsvc.exe	94
PID 764 wrote to memory of 2556	764	DllCommonsvc.exe	95
PID 764 wrote to memory of 2556	764	DllCommonsvc.exe	95
PID 764 wrote to memory of 2556	764	DllCommonsvc.exe	95
PID 764 wrote to memory of 2820	764	DllCommonsvc.exe	96
PID 764 wrote to memory of 2820	764	DllCommonsvc.exe	96
PID 764 wrote to memory of 2820	764	DllCommonsvc.exe	96
PID 764 wrote to memory of 1880	764	DllCommonsvc.exe	97
PID 764 wrote to memory of 1880	764	DllCommonsvc.exe	97
PID 764 wrote to memory of 1880	764	DllCommonsvc.exe	97
PID 764 wrote to memory of 2056	764	DllCommonsvc.exe	98
PID 764 wrote to memory of 2056	764	DllCommonsvc.exe	98
PID 764 wrote to memory of 2056	764	DllCommonsvc.exe	98
PID 764 wrote to memory of 2708	764	DllCommonsvc.exe	99
PID 764 wrote to memory of 2708	764	DllCommonsvc.exe	99
PID 764 wrote to memory of 2708	764	DllCommonsvc.exe	99
PID 764 wrote to memory of 1256	764	DllCommonsvc.exe	100
PID 764 wrote to memory of 1256	764	DllCommonsvc.exe	100
PID 764 wrote to memory of 1256	764	DllCommonsvc.exe	100
PID 764 wrote to memory of 2748	764	DllCommonsvc.exe	101
PID 764 wrote to memory of 2748	764	DllCommonsvc.exe	101
PID 764 wrote to memory of 2748	764	DllCommonsvc.exe	101
PID 764 wrote to memory of 2792	764	DllCommonsvc.exe	103
PID 764 wrote to memory of 2792	764	DllCommonsvc.exe	103
PID 764 wrote to memory of 2792	764	DllCommonsvc.exe	103
PID 764 wrote to memory of 3000	764	DllCommonsvc.exe	104
PID 764 wrote to memory of 3000	764	DllCommonsvc.exe	104
PID 764 wrote to memory of 3000	764	DllCommonsvc.exe	104
PID 764 wrote to memory of 2732	764	DllCommonsvc.exe	105
PID 764 wrote to memory of 2732	764	DllCommonsvc.exe	105
PID 764 wrote to memory of 2732	764	DllCommonsvc.exe	105
PID 764 wrote to memory of 1964	764	DllCommonsvc.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ed8f69908acd03cf63e39f0bb67db396c090dab8db3c7d162166d2dc491e375.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\36DhGHo3pV.bat"
        5⤵
        
        PID:1964
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1824
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        7⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1344
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
        9⤵
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2756
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        11⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
        13⤵
        
        PID:788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2084
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
        15⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2396
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
        17⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2640
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        19⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1448
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        21⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:872
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        23⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:572
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"
        25⤵
        
        PID:972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b5a98f0451934e9fbeb16ff92f0d83

SHA1
5b613e8d64138a9448b449048cac2c5813b69d37

SHA256
0f9b0048b63c0e6d0969bce49a8228ba4f558eb4832702dc50729cb24dc31faf

SHA512
50754458fd6f1c0d4c342098a3cd9337501cb3100bc2310981f211dd7c291b504b71d526195c8619f762e742c3f1703e663fe3c3db351ced2649c8f285541b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e92c5967633968b59b972e13833e429

SHA1
96df606c2989d8ff47929acf3e4087ce9550518a

SHA256
1ba8b8002244f25dd616ac390fa3dffae8ee219f8b18217597379eda2007f1cd

SHA512
895a519b84d950535028046c4c2246fff38f7fccf216c9e06edf702436b8e033de259762268bddefdd3403911a64fe006e998cb84e80f30c7d1aa74c7d3f5924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e5834dceb5ddde0dcbf45e792341498

SHA1
bd875e3b6f4d57bdece93da1ebf1fcaf33ddcb3c

SHA256
ee76dff45ec36cee66f0d262db3b04e8aae6c0323e5502ad1dfe20b116393aa6

SHA512
7c707e89db0709939843982d0503717866ecb251df8d180d50dedcb35cbfc14a4cdd1451ccda83fd97e70d03d1d649d6f0ca42ccf2660ee7ff9aa93928c4ec28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7aa8904a5bf0d73e62097e278b6df60

SHA1
ff2ab457d8d4fabb8e90f39b4f7d0cb89eed18d6

SHA256
98b7c56a5a449326611c0a35cc27eeed401664773c6dd94e8734f094b760e7b3

SHA512
088e38817621c0ee5327e9e45d0b6112b74a10ab2026dd69ea6740b270a86bc4a0dd580de9ddb2f6e6ddd43ce700eabc8cca2e60c875bbe341db51984927d8a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
633bbec47fd1048320c54c8e7b652614

SHA1
a24a03acc2eb9f65d81ebdb639f5e5abecced39e

SHA256
da1714f8b19f4e79d2e27e5410f869186452d5fdd58239c388a0fe9b6e6f2ced

SHA512
f1bb7b358d06f9cbb703e97b30b169116e2bfeefa455a49c263cf6547b5bdc43fabe18c2fe807b9ec0491f91e52c2a326cb3a282d2b1a0e44fa910c39d7778b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
826c010e5a57aa7e1e1bbce26cf5d67e

SHA1
c23bb7d2b851cad0a5f4287d4224360bdda8b3ee

SHA256
812e34151ba4ce116dbb3b52e8be2340e56288a65a1b014f865a977995c92bbb

SHA512
9daa927ccccf406b68e71b1b21767584ccdceb46a4c481a335c4e037a681c45baa89e2b13e176602faae4e6d128e7753d533966b60ad60e8c7118775eb956179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d94b136a497a8c1beaaf955c992734f9

SHA1
348c76a56e5ec3accd3903948a6262e3b0c9fb0c

SHA256
a53904d41847344f94d71c7e7566cf9c43402af8be8615748cf80dffecc8dfaf

SHA512
6d06fa36aa5f74979d512ababd05904bb0cdb8925659929d95500ed536e4ce25c3e0e4a966ae6cb97c845888573c23ece08fa8580fb3cf5ebfa22e346ffe29e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed9dffa3f4203bdf0d24ef01ad922a2b

SHA1
5f8f2679b45e17aa2809512591489bc69eff2e3d

SHA256
ae7faca264a7588b574a722a51b6811b63007bee1817209e714493e42037a3bb

SHA512
739d4a200699f83f52af1815cae6c3c5fd4b7addec44796a69c10d6790eb4349e94f2dd49b914c4a1f89aa7795a76684d3a5e3acf64bee4b314909d503650fdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
379dfa7fc7f214d25049351cc067be5d

SHA1
895c8f3bc6c9d75ea6387894acdb21d66f83f0af

SHA256
c8aede0eb3d47053b69e00960ba7ec3325608bafb739deb0d13e4de1aef0399a

SHA512
06852ab22aee643e7febb5c70c34615687867269711ad4974562fe8297d5bf31d4078e9f2e3c3a72a1e70d1139ad88c9033e661b6b24ef53f4606515e3deb844

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
240B

MD5
31c427213f3513b79c0329680e62ed3a

SHA1
62712ac39834c40e6ada45cc44e0d862f344e8b8

SHA256
3e5838fad9a1b357125ec3ff876f80a9b5616984e5726d547a5b4be62ec48df5

SHA512
d5750ef600a7ad50e6ee4540d17f6e5f977bd2bb621579f9e39919d0492c73e28aadbfa906b2d2306ddafbb1707d12d7344c18213bb94eea7bac74e826f6ece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\36DhGHo3pV.bat

Filesize
240B

MD5
6c7d0a7db01f9bcfec50fe9da615bb27

SHA1
4605c76dd696d4a1c560fcb2dca63a1a346d0035

SHA256
66ab2cc099326a9674f7c22417bf21abdb3f17e0b26ff2526c1c3c69f9618945

SHA512
0d008f26f42eed5cf7454f23e3a1c62f25b3f13a92b3b884beb34b025994618756b5641a53da652bde33766abe325b7a0bd773ffa00ebdac5b2875ac8e7493be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2445.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat

Filesize
240B

MD5
2eea9534ffac2f53da2b852d1bd5646b

SHA1
1659cdaeb3fa89c51d3850d2d7e8a5e7a6e36e5d

SHA256
694505119d3d7f37d0bbcfefaa7790c14701fe4da97ff5e19c53fed23e882c0c

SHA512
1de2df3e4cae85a7266caa944513af18544ba5242a081691ce0a481c19bbf30278910ac90f5b5ee742f3e6de8e422712e80375b2602f85418c443ab7145d3669

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
240B

MD5
b1477e4b2dc26b22b16114ca7965ee10

SHA1
7f12ed0c853392848dff6a95bda69a749a11fc62

SHA256
73de759cc68f0541d77ce9f997c185ab0f3669b6f3e95d4fd60619ab1ebcf207

SHA512
fa5c567a242ab73cb2f932313a35e9581b116b2dabb957f8ffb49898879670761ff0c1059ba75da7f9fc1185adf9f5e24fb3cdc4aeb8bc5b9b42d0428022dc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

Filesize
240B

MD5
e80881d7b2178246d8843ec2a8a388eb

SHA1
9421a24f91842c3f197fcf649904b8a3969b0203

SHA256
94cd41246a83e24c25a408a9a427307ad64a91d885162d15cf4b4f31b1a0b790

SHA512
fb4b1e22efc2c0a1a45473a897e6e2f9f8fbde275022c2b08134149605498ea985f79c4dfb612370854f33fd8b05b26be9ea473c4160d97f871afa624a23b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
240B

MD5
ce2001e9e66dbe14c647f2f27750440b

SHA1
1a6785082141f5dc689663de9d86105dfdb8fcb7

SHA256
14ad4c365319fcd1ccf5373133c07588faaba88abd1127e8f7164f95e6f2a830

SHA512
41f73d018f81ff784cdbbc8eb2f5c33ff92a2d3dedd8a52003d1af832f2a3d8d63d0253a8fbe527ec1123333fe2e6d3467c175f73a96705cd640716776f5e7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2467.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
240B

MD5
73e2cac2c7bb47b3f14f7455cb14f265

SHA1
60cd4b2a4817947f78c49ea9dc7036980c32ccca

SHA256
5414d0d7f8ff3152a1fb2420a95e850a16d9106c99084243bb8f1f723ad06994

SHA512
05ddc982686d484e2e428a865247f86028323fe0c5809cc8d71019dae973ce291ae7630c2aaade99cad1cff2315396bb011aff9510b32c32be4d7997c82f6c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
240B

MD5
cac6b5fcf42634ab3ba0bedae2578294

SHA1
7063ffddf8bda52f411ee87c465c1d5d0cfad815

SHA256
7bcb064de42a00e2cadd40fb48b7deeab94a18a77e9294001b3f58f7419f47ee

SHA512
07f05786a6d2675cd535be13ad6993ec807290b64f6ca92a6145a0bd6a4e0d5abeeb4c3a803d4138cd9603852ad90cc4625c1fd1d96c9f7d5aa7091359ae2f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat

Filesize
240B

MD5
7210aded4bc3a240b542e0347634ca87

SHA1
3aa0bb106a2791e1f80b4f603e177343f5bd158b

SHA256
5310236d573a81255af3e22946259d6b643f4b6be417adb012c46971e4d87cab

SHA512
f3cbeca61b5d24faafefac9f253ad676eb426a9a1697aa517daf939c214117ede0f75bdcf26d5a95dc520c5faba02972eed113be2693b66902d9c1e815f4d043

Download Submit
C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat

Filesize
240B

MD5
0d3b505d413f67bfbe11046a94e59ccb

SHA1
d1ffafa6d035241ad0242d07d2665f1ae7f2af0a

SHA256
2c4fabd140cb7788541ba329669431b714cf58e3762e01dc664239007eccdc20

SHA512
960ab639f61e9c30cdf44c8266cf9aec876e502a2b8ba49466b06629c52a8319c71434fe8f6fc0867115d256f7159bd358dbc041c3dffa6ace72b249b0853e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

Filesize
240B

MD5
96815513a061f06aa5cd1fd93d9bfd62

SHA1
92f386d8b3f289198ff89162e43013c557946af0

SHA256
42e814a24ae9137813e1a0ff068f8b6948657940439da2af8d9cef9a0a5740e7

SHA512
f3013d6bf6ea03f31a1d462d2399ac2607225b4a9ac4f14c45341a6b8953a241a850ba2dffd2c64cda37bfe9e299c20c4c33c1b11d990b7c573888c6ec1cd72f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5211f6d7775876dc9a2cfdb56d1e0db7

SHA1
74822e5eaff8625ed62383ad769429bc70265496

SHA256
4177a7dfb978efde82ab46eb7059e6d6c18d7ed7faa290c25720c0ac5b66d9a4

SHA512
bf042e6113454eef4caaaba1990e399e324ba9e21d0a39c47cfd8e11b1c3680fcde50bc99c1296d029159d56b608aa1a1a3ac2dc2ff373dd5c89eaec337dc089

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/764-17-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/764-13-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/764-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/764-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/764-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/924-137-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/1196-377-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2180-256-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2652-316-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2652-317-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2744-196-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2988-59-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2988-60-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download