dcrat | dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe
Size

1.3MB
MD5

a7cad598b5b545def2c1593a969158dc
SHA1

5ebf1950ef5a9f479f1391cbf6e1239d27e918df
SHA256

dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8
SHA512

2c978dbeb914574b5d7c85d73ea3b8ae23a2aa53fa73d29c644229f240d3381527d9ca61244361f85c227a79621ac28bcd07f319fc156ca40ba4e89c73284f77
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2896	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2896	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016dd1-10.dat	dcrat
behavioral1/memory/2436-13-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2840-64-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/3016-205-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2716-265-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/1736-503-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2224-563-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2336-623-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2620-683-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/files/0x0008000000016eca-801.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1040	powershell.exe
1640	powershell.exe
1900	powershell.exe
2424	powershell.exe
2636	powershell.exe
2772	powershell.exe
2844	powershell.exe
804	powershell.exe
1532	powershell.exe
3048	powershell.exe
3064	powershell.exe
2836	powershell.exe
2260	powershell.exe
1600	powershell.exe
1568	powershell.exe
2328	powershell.exe
2656	powershell.exe
2820	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2436	DllCommonsvc.exe
2840	dllhost.exe
3016	dllhost.exe
2716	dllhost.exe
2604	dllhost.exe
1400	dllhost.exe
2108	dllhost.exe
1736	dllhost.exe
2224	dllhost.exe
2336	dllhost.exe
2620	dllhost.exe
2812	dllhost.exe
2148	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	cmd.exe
2320	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1204	schtasks.exe
2204	schtasks.exe
1980	schtasks.exe
2032	schtasks.exe
564	schtasks.exe
3016	schtasks.exe
2980	schtasks.exe
984	schtasks.exe
280	schtasks.exe
1200	schtasks.exe
112	schtasks.exe
2808	schtasks.exe
1360	schtasks.exe
620	schtasks.exe
1524	schtasks.exe
2504	schtasks.exe
1636	schtasks.exe
2624	schtasks.exe
2344	schtasks.exe
2428	schtasks.exe
2960	schtasks.exe
2324	schtasks.exe
1436	schtasks.exe
1400	schtasks.exe
1924	schtasks.exe
1044	schtasks.exe
1216	schtasks.exe
1944	schtasks.exe
1860	schtasks.exe
900	schtasks.exe
2288	schtasks.exe
2572	schtasks.exe
2172	schtasks.exe
832	schtasks.exe
332	schtasks.exe
2840	schtasks.exe
2780	schtasks.exe
2948	schtasks.exe
2716	schtasks.exe
2776	schtasks.exe
308	schtasks.exe
744	schtasks.exe
1700	schtasks.exe
1424	schtasks.exe
1740	schtasks.exe
2120	schtasks.exe
2244	schtasks.exe
2368	schtasks.exe
1576	schtasks.exe
2952	schtasks.exe
1316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
1568	powershell.exe
1640	powershell.exe
1532	powershell.exe
2656	powershell.exe
3064	powershell.exe
2772	powershell.exe
1900	powershell.exe
2836	powershell.exe
1040	powershell.exe
2636	powershell.exe
2424	powershell.exe
1600	powershell.exe
2844	powershell.exe
2328	powershell.exe
2820	powershell.exe
2260	powershell.exe
804	powershell.exe
3048	powershell.exe
2840	dllhost.exe
3016	dllhost.exe
2716	dllhost.exe
2604	dllhost.exe
1400	dllhost.exe
2108	dllhost.exe
1736	dllhost.exe
2224	dllhost.exe
2336	dllhost.exe
2620	dllhost.exe
2812	dllhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	DllCommonsvc.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2840	dllhost.exe
Token: SeDebugPrivilege	3016	dllhost.exe
Token: SeDebugPrivilege	2716	dllhost.exe
Token: SeDebugPrivilege	2604	dllhost.exe
Token: SeDebugPrivilege	1400	dllhost.exe
Token: SeDebugPrivilege	2108	dllhost.exe
Token: SeDebugPrivilege	1736	dllhost.exe
Token: SeDebugPrivilege	2224	dllhost.exe
Token: SeDebugPrivilege	2336	dllhost.exe
Token: SeDebugPrivilege	2620	dllhost.exe
Token: SeDebugPrivilege	2812	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 536	2516	dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe	30
PID 2516 wrote to memory of 536	2516	dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe	30
PID 2516 wrote to memory of 536	2516	dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe	30
PID 2516 wrote to memory of 536	2516	dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe	30
PID 536 wrote to memory of 2320	536	WScript.exe	32
PID 536 wrote to memory of 2320	536	WScript.exe	32
PID 536 wrote to memory of 2320	536	WScript.exe	32
PID 536 wrote to memory of 2320	536	WScript.exe	32
PID 2320 wrote to memory of 2436	2320	cmd.exe	34
PID 2320 wrote to memory of 2436	2320	cmd.exe	34
PID 2320 wrote to memory of 2436	2320	cmd.exe	34
PID 2320 wrote to memory of 2436	2320	cmd.exe	34
PID 2436 wrote to memory of 1640	2436	DllCommonsvc.exe	87
PID 2436 wrote to memory of 1640	2436	DllCommonsvc.exe	87
PID 2436 wrote to memory of 1640	2436	DllCommonsvc.exe	87
PID 2436 wrote to memory of 1532	2436	DllCommonsvc.exe	88
PID 2436 wrote to memory of 1532	2436	DllCommonsvc.exe	88
PID 2436 wrote to memory of 1532	2436	DllCommonsvc.exe	88
PID 2436 wrote to memory of 2328	2436	DllCommonsvc.exe	89
PID 2436 wrote to memory of 2328	2436	DllCommonsvc.exe	89
PID 2436 wrote to memory of 2328	2436	DllCommonsvc.exe	89
PID 2436 wrote to memory of 1568	2436	DllCommonsvc.exe	91
PID 2436 wrote to memory of 1568	2436	DllCommonsvc.exe	91
PID 2436 wrote to memory of 1568	2436	DllCommonsvc.exe	91
PID 2436 wrote to memory of 1040	2436	DllCommonsvc.exe	93
PID 2436 wrote to memory of 1040	2436	DllCommonsvc.exe	93
PID 2436 wrote to memory of 1040	2436	DllCommonsvc.exe	93
PID 2436 wrote to memory of 1600	2436	DllCommonsvc.exe	95
PID 2436 wrote to memory of 1600	2436	DllCommonsvc.exe	95
PID 2436 wrote to memory of 1600	2436	DllCommonsvc.exe	95
PID 2436 wrote to memory of 2424	2436	DllCommonsvc.exe	97
PID 2436 wrote to memory of 2424	2436	DllCommonsvc.exe	97
PID 2436 wrote to memory of 2424	2436	DllCommonsvc.exe	97
PID 2436 wrote to memory of 1900	2436	DllCommonsvc.exe	98
PID 2436 wrote to memory of 1900	2436	DllCommonsvc.exe	98
PID 2436 wrote to memory of 1900	2436	DllCommonsvc.exe	98
PID 2436 wrote to memory of 2260	2436	DllCommonsvc.exe	100
PID 2436 wrote to memory of 2260	2436	DllCommonsvc.exe	100
PID 2436 wrote to memory of 2260	2436	DllCommonsvc.exe	100
PID 2436 wrote to memory of 804	2436	DllCommonsvc.exe	101
PID 2436 wrote to memory of 804	2436	DllCommonsvc.exe	101
PID 2436 wrote to memory of 804	2436	DllCommonsvc.exe	101
PID 2436 wrote to memory of 2836	2436	DllCommonsvc.exe	102
PID 2436 wrote to memory of 2836	2436	DllCommonsvc.exe	102
PID 2436 wrote to memory of 2836	2436	DllCommonsvc.exe	102
PID 2436 wrote to memory of 2844	2436	DllCommonsvc.exe	103
PID 2436 wrote to memory of 2844	2436	DllCommonsvc.exe	103
PID 2436 wrote to memory of 2844	2436	DllCommonsvc.exe	103
PID 2436 wrote to memory of 2820	2436	DllCommonsvc.exe	104
PID 2436 wrote to memory of 2820	2436	DllCommonsvc.exe	104
PID 2436 wrote to memory of 2820	2436	DllCommonsvc.exe	104
PID 2436 wrote to memory of 2772	2436	DllCommonsvc.exe	105
PID 2436 wrote to memory of 2772	2436	DllCommonsvc.exe	105
PID 2436 wrote to memory of 2772	2436	DllCommonsvc.exe	105
PID 2436 wrote to memory of 3064	2436	DllCommonsvc.exe	106
PID 2436 wrote to memory of 3064	2436	DllCommonsvc.exe	106
PID 2436 wrote to memory of 3064	2436	DllCommonsvc.exe	106
PID 2436 wrote to memory of 2636	2436	DllCommonsvc.exe	107
PID 2436 wrote to memory of 2636	2436	DllCommonsvc.exe	107
PID 2436 wrote to memory of 2636	2436	DllCommonsvc.exe	107
PID 2436 wrote to memory of 3048	2436	DllCommonsvc.exe	108
PID 2436 wrote to memory of 3048	2436	DllCommonsvc.exe	108
PID 2436 wrote to memory of 3048	2436	DllCommonsvc.exe	108
PID 2436 wrote to memory of 2656	2436	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe
"C:\Users\Admin\AppData\Local\Temp\dc47650efb70b2f8645308d72e062e3a2131c3ff941743f02a8e6524d7042fb8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        6⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1292
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        8⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2744
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        10⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:744
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        12⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2928
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        14⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2188
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        16⤵
        
        PID:612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1508
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        18⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2900
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        20⤵
        
        PID:1268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1688
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        22⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2964
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
        24⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1548
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        26⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1684
        
        C:\Users\Public\Libraries\dllhost.exe
        
        "C:\Users\Public\Libraries\dllhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a70739c03dadb056420e609cd8d237c1

SHA1
329de02f7234fbb7391150c4acc19f6fd121f193

SHA256
12c4c8ba0597d1560c38538eae424f6188a2e420fe3c6e7a11ae158b519b163b

SHA512
cf1b28e0993de0b2975af1c166c713e5060548ea93715a721dae4acc854b4612ea3f27152e4b8689e0bc6ef5c158b92094a9d5c12713a7eee881dafa098af909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
722090ccd3b1a7d90fd0e617e756eb91

SHA1
d588e9a7c6d0edc02f053ed14ad46e34cbfa5301

SHA256
44dcbc86c3300d419c0fba4da029947419ed7ef21329672ef494201ed7559042

SHA512
666a7bf8b2b22d9d0f8bb9838062e2de0d48be0c97a2dd39c7cf78aa58b493544b4c246a599ca99c21695120044fc83a5774fc70c76de75c29b74b989c510f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0f1e66b5b64148bad84f1ce593d6ca6

SHA1
9eb885a98b1d2eb8b676fb52b3d0773d9379c7ca

SHA256
7d79978504faaf793f5e3e4500d8d1dbd4132a36fc671d7294f4f08a899c22c0

SHA512
26c5945b052f3bac8165231d2bef124d0d60b8666728f6f601f1698df5e87338166630daf4436f9e1f64c43bb48683baf5ef69396bd20fd55563261aade6ca75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a9f971c74d8d9853fcaeb349915da3

SHA1
a8840ab969559b5bf657ed26227b2f4706db11d2

SHA256
78bb69b8ba246cf935fbd47be663248e9d543ff087e2cfa45ca8365ef69e1928

SHA512
c7feab07543c529a218f0068cd08b954d0083161e84fb354c36154cb8ac0eff38c02f8255a248fdd82cb76389cd1a4141d58b6a3d62a5ee4b4a048bed2848fe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9306e2899c103f54adf950d3a3b9520

SHA1
a084b80005dcec0eba1531d2f9acf6f06baabb0c

SHA256
95ca29061dff2592d8ab5233cbbc33135ae9c62d0aaa62be00a84c7f682ef82f

SHA512
8e04233cbef20e5cc346efe9ded07c02dee8384c4243ccb8608c4d9ac46dac64186becef2be2d8bcd6e1190a5ca2fa95639e2dda98a6a9947055cf7c13d990ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9893d3f8800091bd183fdbc315e5bf30

SHA1
9dca65cc1fcb10597f4578502ae733b24ace27d3

SHA256
4f1c45ec72f95da0bd108f4f48b2221d1fb5020eadb7dcaf35531099f49483f4

SHA512
1fc36397fba3f807f3cb173d226e33c8d3f49152440d3bb67e1d44e1041ea1cd87b9c56b547ec5e791896595f1f320ca02d0ae5f22807ba0e8a2dd25017e86cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69a73e05c33ca47008fe87f049520f53

SHA1
6dbd87446f3ee2ffd726d71599fced501a0deb4d

SHA256
ba45e80a85b67a05571675dc465168fa3d410ee8fa605edad413836d58ce3f4d

SHA512
dea8122c4e2d8ab8c2e6f53b03997e5d21af6eec185f3631e145da74c04f71630f6290ad0e2ed6a44b84845023c83c004071672967885f8a51972897869b93ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d86948d52ada0e1e935eaea9354a8328

SHA1
c6490d4484ed30baf1afa67eaf1d3edb43099360

SHA256
4dad166f1b74b84e256f5cd462663a261dd34a43d73cdd486068da0633095bb0

SHA512
0857efb4dc83d3b6f4a45dd23cc4764c1a85760dea9367a0ff8d24107121dfddea87aa34f7bdce1a25f823069fece135fcbfb99e345ed044e850596600a9792d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96e7d1971179a0730424f53b0609d3ed

SHA1
63eac2c25e259ec9ce3777436f3eb221edfedfaa

SHA256
fa97fbbc0083fda652c02308391bcf900b73d4ba9fe0bf65a2804d4e56509890

SHA512
abeccc5b1a872377224494f0833431bb73314604ad580c0be67a3475ed37217cf14b65b9297e8d96cfb12614738e56b0c1aa807eb6a935030056689ee98aebc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a225c72dc12dec2f55ca7e06667f8ac9

SHA1
df382812c097b848962ea28ba3c1acc9151bb6eb

SHA256
150d17f542873aaff916aabec6945b19f8ad1a36c1662a3865f1a7b4ec1da7c9

SHA512
c380eec5f36075888a99e20f66661a5cb2c9f4efe61277ed7ebf89f92a2adf0a7facc6b56ea2c3b3eda200800bd270ed7cd4c43441f42b9fd70f12a8819ab7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
202B

MD5
2d6787dfde37bc2a547b6f9267e45b13

SHA1
83db5696be7a37bf6fcd83fa8ac4568a0a727062

SHA256
a0b889d1a857bce5e68bf1aebbf1f1bdf01f4439ef349653da88e80fc425ae96

SHA512
280d219f7cd5f237ec97b2d1b7e643b5f56214079476b6034a10d97f4015dcddbcd0fd64d501842305fd93dd071160ca4f4338cbeaddd4462f8669d1f4d1bd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
202B

MD5
b5a893957af5a37fa40b7e63b0b0382d

SHA1
e62b10ff7237bef6bbe84a99d515fbca6cdee2b5

SHA256
ad024a5a71a3fccd19058494b20b69d3608d61b50fcf0c454543c495c68369d8

SHA512
12cfa865565ed7c13050eeec4782415f820fa6f213f4a2a39e58cce0fceb513dd34fdde404a138800418d0d628d98af00796ec03329ea3d6588d334fb91316f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
202B

MD5
8c8221e66214e28505fbe885e90ceb4d

SHA1
2dd128f5fc888595b2e100a50da0b6450398f092

SHA256
8d868f884e9ee919acfb39f2f39cb8981666cf7ec16bb3406d56ba826a3fdb21

SHA512
fddd4101dad1fb3472881414b556e7c9c362427a63a2d89a96c880f7bc9759aeb428e1a0f18aba7477f9516752bc0ec3947a41959f4a37d9e65cff7d2d3261c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
202B

MD5
6e0677f10fdc1a73234f2e281434557e

SHA1
96e1c55b329fb26f42581b109813b25621538a7e

SHA256
c3df42f4fdd744d0bebd6efa51078cd63f9ae387d502711b478000f7285abc97

SHA512
b68d33360e1fb3a95fe006d992f699f5482ae262a1baee7b774c2af920b899966626687205b923c1002571004659dca022cd62cbfc58340ca7ed9870d1b47ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
202B

MD5
4287ddc10168a94d8dd9706d86f7b56c

SHA1
e1c8c9b62814d48fbffffb4f53980837e4d7ae79

SHA256
28eff7e370b0590087458346a9977661e360d3f69b48b2f5cecb8a135420b7d4

SHA512
1884705d6353392a7f0738d589f5ef2304a3f61385a2276335f24969f9c1b5784566e29d169f66bc6c6f3cccf6a5a2e0bcbfb49814b868f3ae8955a1a4c201f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17E9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

Filesize
202B

MD5
7f1dae2ee9053cada61e2e9aa6d864a3

SHA1
2f98625bd640d55bf7917131958126d261ab0d48

SHA256
e79d79d1039110633c7ffee32eeab0b4b69e8b0b1675cf2be2603119141c5cc9

SHA512
7a3c47d8ef2ff7edd1dfc58b6d9a1f4f675479fa1e25ec052b67347ed0812daa4e35b2a74e15881a9c85fe475aa673965b3b7a558bcb474bcb31d4d92565fbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
202B

MD5
72551325cb1045834589c9e9d4c18ccb

SHA1
e63ea5088b9bd2e5f4ae45fb5544d1423efa638f

SHA256
b73cd63e07fbfece9d14d9415bc638d0b461bc12bf01e2404911122939fd2343

SHA512
b625782bc05e3057c48a8f1c244c777560bd2c66df19c1e454673e5d36c4b53672fde68de65f83bccd4e83e6858ac873a09d6a042c5d4b552b6ed9c03a784986

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
202B

MD5
4861c5cba778b09c9e51b7f2b2a6175f

SHA1
cf95ae82f7d3b932628b6f51109181ad20e2f8e5

SHA256
bc4b6dc6f219f57f53633b2ea26f2f5dfa75c4c071623346ecfba6a3b5036da9

SHA512
af12656cba4cf3f4f2ed4a3cdb7aa5b2ffd174598eb4eb4a203450c7db841274051dcc061fd1f915b8cbbaf8a8687d0eb1ba1ef2a11a4295d25bb8a045d0002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
202B

MD5
07bc657887f4f67f1cd2956a7859abc1

SHA1
b5651ab3222b68319b03be0c447114d2cd097cba

SHA256
2e5cd3698f811ecc40696c008c5a670ab507076139cf1e76bb1e46e6cfb4627f

SHA512
a4bda1f8702295d7740a9eb581c4cc5b29a93f306f42355bec7bc33bedaa2edb960c98f20861face91f8c730bcea3bfc5c3953bfcf2bb6c6cb5e498f73b61673

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
202B

MD5
e022e86d645a8baaf663121cb4f6eb19

SHA1
92162fcd365429087d3e350777088267f4f36a57

SHA256
f2dd20b09a9b3eec84c7da99d0b800a51e42fb3f5a1a2b556da4368cfff49b15

SHA512
9ff49065583eac31f8a7aab93f7bae2c6c7d689f95b098d137b4d240aa476a70a3aea10d32dc2f840939889fa71fb441b093db97e0319c418ce1a16738d0557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
202B

MD5
63504573819f66c70ebe2ca045d55607

SHA1
95a8b0354dc4eaa143d431f30251f31d3e9a2a97

SHA256
e539d69717ebf6cb4776d734496732bb3298e4f8aeba70bebfa73b3098d63356

SHA512
89ab487cd7df48d5689007477964edbc4bd92119e9b26a4c5419a12129f521c72653eb0234475ef4aae49b2d8034e6227b9ff65f3b39019ff8dd70adc7d55d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d23770e869bc3617975869f524553a43

SHA1
3e1cebe73c88aae5e75a9e83d30a1bc0dd62249c

SHA256
5ccc5e01084ec6a1c28ad338ed2b77252da1ba187239f9247ff8c6e1389815cc

SHA512
94aa24779db0975e330bc8d80391aae9b3058bfbbb17c68a5236ba4c95445247b22c964293b64d10710319a931dcddaf8cf2a3b6661870a557313592ec32506d

Download Submit
C:\Users\Public\Libraries\dllhost.exe

Filesize
598KB

MD5
ce4e4de4ec9bdd3dcfb4429d280a9d3c

SHA1
69736be5a034d69478f52a00ed0cf399fe61717b

SHA256
57a3a58850815a7191ba6f2fde2ec0b7387eb142474e0b70f566218620ce3651

SHA512
56e3e8f3769be3aa3a97b5502ad797bdc370ab34af036d0076851c9c429a6ec2c2a237ac9b71e6025508e7f2bf458bec146bebc1175c80628a0a04d0f0845a6b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1568-67-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1568-66-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1736-503-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2224-563-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2336-623-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2436-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2436-17-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2436-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2436-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2436-13-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2604-325-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2620-683-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2716-265-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/2840-64-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/3016-205-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download