dcrat | 1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe
Size

1.3MB
MD5

0d9f1cbbbf3e97707ba0d93f687f5084
SHA1

640dc93001c6255c5651760fc641d3cd222cbd20
SHA256

1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2
SHA512

1089a5fe74212a1f056e8badda31273afb16a75bae6993230f6e21a4ef2a2f0c498701e0e9c228ddc05b64032d67dcd9f490cb714f261063c40ea42e4399d9cf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2648	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000170b5-9.dat	dcrat
behavioral1/memory/2624-13-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1792-151-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/924-211-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1900-271-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2608-450-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2748-510-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2060-688-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
264	powershell.exe
2192	powershell.exe
2268	powershell.exe
2952	powershell.exe
2816	powershell.exe
2980	powershell.exe
2820	powershell.exe
2752	powershell.exe
2812	powershell.exe
1836	powershell.exe
2700	powershell.exe
2612	powershell.exe
2600	powershell.exe
2920	powershell.exe
1792	powershell.exe
2940	powershell.exe
2796	powershell.exe
2096	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2624	DllCommonsvc.exe
1792	OSPPSVC.exe
924	OSPPSVC.exe
1900	OSPPSVC.exe
2348	OSPPSVC.exe
700	OSPPSVC.exe
2608	OSPPSVC.exe
2748	OSPPSVC.exe
1380	OSPPSVC.exe
1904	OSPPSVC.exe
2060	OSPPSVC.exe
2496	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\servicing\SQM\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
644	schtasks.exe
1752	schtasks.exe
2780	schtasks.exe
2352	schtasks.exe
896	schtasks.exe
2308	schtasks.exe
1852	schtasks.exe
2324	schtasks.exe
604	schtasks.exe
2200	schtasks.exe
1092	schtasks.exe
952	schtasks.exe
1692	schtasks.exe
1948	schtasks.exe
2100	schtasks.exe
2332	schtasks.exe
2392	schtasks.exe
1776	schtasks.exe
532	schtasks.exe
808	schtasks.exe
2140	schtasks.exe
2360	schtasks.exe
876	schtasks.exe
2696	schtasks.exe
340	schtasks.exe
448	schtasks.exe
1572	schtasks.exe
2988	schtasks.exe
1148	schtasks.exe
1272	schtasks.exe
2556	schtasks.exe
1748	schtasks.exe
1664	schtasks.exe
1684	schtasks.exe
2316	schtasks.exe
980	schtasks.exe
2336	schtasks.exe
1580	schtasks.exe
956	schtasks.exe
2516	schtasks.exe
760	schtasks.exe
2860	schtasks.exe
3008	schtasks.exe
2436	schtasks.exe
2872	schtasks.exe
1040	schtasks.exe
840	schtasks.exe
536	schtasks.exe
332	schtasks.exe
2804	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2624	DllCommonsvc.exe
2624	DllCommonsvc.exe
2624	DllCommonsvc.exe
2268	powershell.exe
2940	powershell.exe
2812	powershell.exe
2796	powershell.exe
2192	powershell.exe
2600	powershell.exe
2752	powershell.exe
1792	powershell.exe
1836	powershell.exe
2612	powershell.exe
2820	powershell.exe
2700	powershell.exe
2952	powershell.exe
2980	powershell.exe
264	powershell.exe
2920	powershell.exe
2816	powershell.exe
2096	powershell.exe
1792	OSPPSVC.exe
924	OSPPSVC.exe
1900	OSPPSVC.exe
2348	OSPPSVC.exe
700	OSPPSVC.exe
2608	OSPPSVC.exe
2748	OSPPSVC.exe
1380	OSPPSVC.exe
1904	OSPPSVC.exe
2060	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	DllCommonsvc.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1792	OSPPSVC.exe
Token: SeDebugPrivilege	924	OSPPSVC.exe
Token: SeDebugPrivilege	1900	OSPPSVC.exe
Token: SeDebugPrivilege	2348	OSPPSVC.exe
Token: SeDebugPrivilege	700	OSPPSVC.exe
Token: SeDebugPrivilege	2608	OSPPSVC.exe
Token: SeDebugPrivilege	2748	OSPPSVC.exe
Token: SeDebugPrivilege	1380	OSPPSVC.exe
Token: SeDebugPrivilege	1904	OSPPSVC.exe
Token: SeDebugPrivilege	2060	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3028	2096	1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe	30
PID 2096 wrote to memory of 3028	2096	1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe	30
PID 2096 wrote to memory of 3028	2096	1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe	30
PID 2096 wrote to memory of 3028	2096	1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe	30
PID 3028 wrote to memory of 2760	3028	WScript.exe	31
PID 3028 wrote to memory of 2760	3028	WScript.exe	31
PID 3028 wrote to memory of 2760	3028	WScript.exe	31
PID 3028 wrote to memory of 2760	3028	WScript.exe	31
PID 2760 wrote to memory of 2624	2760	cmd.exe	33
PID 2760 wrote to memory of 2624	2760	cmd.exe	33
PID 2760 wrote to memory of 2624	2760	cmd.exe	33
PID 2760 wrote to memory of 2624	2760	cmd.exe	33
PID 2624 wrote to memory of 2812	2624	DllCommonsvc.exe	86
PID 2624 wrote to memory of 2812	2624	DllCommonsvc.exe	86
PID 2624 wrote to memory of 2812	2624	DllCommonsvc.exe	86
PID 2624 wrote to memory of 2096	2624	DllCommonsvc.exe	87
PID 2624 wrote to memory of 2096	2624	DllCommonsvc.exe	87
PID 2624 wrote to memory of 2096	2624	DllCommonsvc.exe	87
PID 2624 wrote to memory of 2268	2624	DllCommonsvc.exe	89
PID 2624 wrote to memory of 2268	2624	DllCommonsvc.exe	89
PID 2624 wrote to memory of 2268	2624	DllCommonsvc.exe	89
PID 2624 wrote to memory of 2796	2624	DllCommonsvc.exe	90
PID 2624 wrote to memory of 2796	2624	DllCommonsvc.exe	90
PID 2624 wrote to memory of 2796	2624	DllCommonsvc.exe	90
PID 2624 wrote to memory of 2920	2624	DllCommonsvc.exe	91
PID 2624 wrote to memory of 2920	2624	DllCommonsvc.exe	91
PID 2624 wrote to memory of 2920	2624	DllCommonsvc.exe	91
PID 2624 wrote to memory of 2752	2624	DllCommonsvc.exe	92
PID 2624 wrote to memory of 2752	2624	DllCommonsvc.exe	92
PID 2624 wrote to memory of 2752	2624	DllCommonsvc.exe	92
PID 2624 wrote to memory of 2820	2624	DllCommonsvc.exe	93
PID 2624 wrote to memory of 2820	2624	DllCommonsvc.exe	93
PID 2624 wrote to memory of 2820	2624	DllCommonsvc.exe	93
PID 2624 wrote to memory of 2940	2624	DllCommonsvc.exe	94
PID 2624 wrote to memory of 2940	2624	DllCommonsvc.exe	94
PID 2624 wrote to memory of 2940	2624	DllCommonsvc.exe	94
PID 2624 wrote to memory of 2980	2624	DllCommonsvc.exe	96
PID 2624 wrote to memory of 2980	2624	DllCommonsvc.exe	96
PID 2624 wrote to memory of 2980	2624	DllCommonsvc.exe	96
PID 2624 wrote to memory of 2600	2624	DllCommonsvc.exe	99
PID 2624 wrote to memory of 2600	2624	DllCommonsvc.exe	99
PID 2624 wrote to memory of 2600	2624	DllCommonsvc.exe	99
PID 2624 wrote to memory of 1836	2624	DllCommonsvc.exe	100
PID 2624 wrote to memory of 1836	2624	DllCommonsvc.exe	100
PID 2624 wrote to memory of 1836	2624	DllCommonsvc.exe	100
PID 2624 wrote to memory of 2192	2624	DllCommonsvc.exe	101
PID 2624 wrote to memory of 2192	2624	DllCommonsvc.exe	101
PID 2624 wrote to memory of 2192	2624	DllCommonsvc.exe	101
PID 2624 wrote to memory of 2612	2624	DllCommonsvc.exe	102
PID 2624 wrote to memory of 2612	2624	DllCommonsvc.exe	102
PID 2624 wrote to memory of 2612	2624	DllCommonsvc.exe	102
PID 2624 wrote to memory of 1792	2624	DllCommonsvc.exe	103
PID 2624 wrote to memory of 1792	2624	DllCommonsvc.exe	103
PID 2624 wrote to memory of 1792	2624	DllCommonsvc.exe	103
PID 2624 wrote to memory of 2816	2624	DllCommonsvc.exe	108
PID 2624 wrote to memory of 2816	2624	DllCommonsvc.exe	108
PID 2624 wrote to memory of 2816	2624	DllCommonsvc.exe	108
PID 2624 wrote to memory of 264	2624	DllCommonsvc.exe	109
PID 2624 wrote to memory of 264	2624	DllCommonsvc.exe	109
PID 2624 wrote to memory of 264	2624	DllCommonsvc.exe	109
PID 2624 wrote to memory of 2700	2624	DllCommonsvc.exe	110
PID 2624 wrote to memory of 2700	2624	DllCommonsvc.exe	110
PID 2624 wrote to memory of 2700	2624	DllCommonsvc.exe	110
PID 2624 wrote to memory of 2952	2624	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe
"C:\Users\Admin\AppData\Local\Temp\1bf3abfa85526d042d39d615fd7ddbc918700661c833dc62e1886988099afbc2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9XIi1s0926.bat"
        5⤵
        
        PID:608
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2124
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
        7⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2768
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        9⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2956
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat"
        11⤵
        
        PID:608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2696
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        13⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1060
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"
        15⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2636
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        17⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2692
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
        19⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1796
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
        21⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2892
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        23⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2448
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
        25⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1764
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe"
        26⤵
        Executes dropped EXE
        
        PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Reports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab730cd9a9e30553d044ccb79fed1c5c

SHA1
97aa0d1fafe966b731d5fd617632dd4230775c8c

SHA256
30ce90917294780bfd2a31c418fcd153347a4588249d24f71773423af26b0e05

SHA512
b411ab44c086df618a87dda022e164a282d26b8a53e65766eee41eecdc19da0b0bba0ef24ee6ce4344030de7db31055368ac23c545153d2b13589d528e56140d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a02b03e4c198ada2631e1738cacfa2d

SHA1
9435e433f2efe27de61049c32ab873d79680629f

SHA256
bce8e71f74bd764a5fc55e7e7f9c1d691b7fcdfe0b88514d2953313efda972b9

SHA512
88fd304dd318ad0b6a7088b9e43d99669f79e61f9940bc0cfae315c04d246b189ea4ddc0547e84aa538b60a9cb5c6acea0a3f31003f6ae476e53232c59bd6147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9d1feb128d141271e89814383030307

SHA1
d02e85cb92ca5ce3d71034179c8803a066cb1f89

SHA256
b0b50d131266073e644b82682741cde8321d3e8f6a8700c931881adf35c080ab

SHA512
531893c45b8fab28841b60d82b678195e7bfcf6580ade8abce893de0feece985fedd1f79e0d7b8aefec8189be3d9245de6387c642fc22139dc722e6a1c42d06a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b0e800d893098ad2e35b4695018b11d

SHA1
f811766350156d70e206264d8d0f4de82c1a6873

SHA256
efdeec182fbd38a85c40b699b7c41390b90af326de5e8a384524086a6ec9fbdb

SHA512
d459aaf53f765596886274d9458b52618b263b0dca1ddae2d83da47844e6e4a8cbff8b020d1b61cd36118a06f674b238c62629cb51e7da0183bc2c03d6628666

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c41f69e0082b9bdadbcce1905f18ed14

SHA1
8938704165ec96f0403ca6c51755d5809d563e70

SHA256
2338b00eb6a86844a2982a279beec93cbb4b9e5b0cc343c902064bd642224b69

SHA512
01be4b8d578c26b4c365af955b3377d167951eea660ca2c80a4d9a2143d4ac34eaf1bef6a702ba96c6ce419e98e47ded6a3f359ffdbcfd5b5a5b94bbdff203b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2155c862e30886770ccbd0dc44ab0b2

SHA1
6c206c15a5f6c5fb0975e30496ea90c00f4e25d1

SHA256
01ef6eefa4ff6730990a7971321111245af3d336a8ea1fc32c33f85244c777e2

SHA512
1650b3e457d354b7972108595e08c25713557412bc44d8148aa283e8ae74be8c81be31f2eea4a8a463834a1aa74577bd5cde36f2bc7c0ade525f92a45573cc06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83e0ed3faf9aad72cbeafbf42a941ef5

SHA1
1c6f393b7c67a0b00cb5d2214b2cf6d0b966b056

SHA256
5a1ffd360e52fca888d7565cf234f06d0976a2a8289aba1b275572497f8059c5

SHA512
9a8024016560ec899f67d70429cd7d3eb333715a543732375c405a0b148d5a89a5c977999724a09e4ebca796cefc9c22bad396bdbdf1af5712c99da7e27e8db4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
484421e26a8f826a523386adbc207dd5

SHA1
2369eef78ac81eade5a3b36c1abbf44c2ad43fe9

SHA256
8d59474aa1f9f1e95556be2a125883f5bd940eb24930421578609af5c6d2c40d

SHA512
b3f67c2eae5cc6132b88b95267a17afe07a7be5ca0f9824e26dd125028e2692c214ac2ab13477f25f855967586e603fdcbf092e3fdb19938619c3fcd79181381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12582c20e858e0a8d25d2e2df06b0edf

SHA1
a92cc50ecdc2e626aede2cb367671a2ef6489782

SHA256
c3cbcb3ec261478d2a89fdc59b337fc79828821f8ab06a76f684b02186c54c46

SHA512
7b363f7b72253210fdf50957baf6daac1619c0a6f2dae3935dbe9956e26e5d6c3a962ee144c72b3a88c49eba0339a6788c60f3d2fa89e722089518c2d4c5ac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

Filesize
239B

MD5
bdf099351a9919094784aec21a17eba0

SHA1
af21c2f548f6549dcc1b7ec1d35c827e0d51a599

SHA256
ae3e0dca11339f1ce00ceb981a44e7024e2b8eede987dfb5122b3eaf7f014419

SHA512
67a738d1582049a4e2063f4e93904b9ea22ef2bd99cbab05f4162969db924cf3bc53a48f7b4d3fd3cdb015c1a7819f6297356ab85c0f1b90c03e1dde262b231e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9XIi1s0926.bat

Filesize
239B

MD5
1293b0cffc65645502e4962d6d6b3a25

SHA1
59349d7ba1d487eb9344e0f17f0cc0f95bbc8981

SHA256
c3268767143ae47ba5d9c8a8e2b60de5b90a89323f81bf842116d87c0374e163

SHA512
14ba243cedf9817c875533113c2c5579e4f5fe9df10a2701753848884e2d576fccbb418f91e856d4af67edcca7374062d167e5af6bc7b39781d687b882e032f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
239B

MD5
1d67a0b4948ae9edddb49c5f65cd2a7f

SHA1
aa29b397128d1182dd790b6055f51e9e1e61d62b

SHA256
a58dc98519b3a9e435350bb253b25952e8a7703273742c3faab4eba4dafd752c

SHA512
f6f322fbf5d9861b66576e7abce49ef0a0090e5e5cbf544c2248e16661146eef7a16450f4ef2a0845f383e738aa5672d2f6fc522c4a1a4c29b7a9fb7285f38e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC27.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat

Filesize
239B

MD5
ae0c1f4ed5ae6048295e73bdaa2e0fdb

SHA1
470ebc2c6b108957687fc995103d5a6ea7ae6db8

SHA256
369c8a16036c0af9c868a3029db0649a016b6f5c608b4bbfb5f658131076afa4

SHA512
134dd4ea1ee7df710ae7c85dd090c59cbd79486e71e66d13bf79f886fe35345d5a41aba1220e960cd14784f85372eba4378379740b34728d30f29a8f32cf6dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

Filesize
239B

MD5
8225593db6def9cb3aa0c41d09f0babd

SHA1
1ff498e4ccc2b601210560962a8f823601cea006

SHA256
d85945547252e1447f55d95da254f6ca71de8a3988357a1cbe4bb96d53a60ff4

SHA512
4fc9f6ca02a2b88497f004d575d79ca434d6ec9ea4810f3a1fb27ea9a9fa1683cb1de7b81b88c31417c51eb606ad1621109242c1713a000af6bf9380ae759567

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
239B

MD5
ae0e9d85dc0a58c94169246c88d5fad4

SHA1
24ea10574ad58c828730b0e7f7ba3d07e9c6ae87

SHA256
53053ee2e84122c91d8d63099302dc5e9a41e27bc353c0762ec92c7825c364d7

SHA512
d9229f62ab77861e73b60d3718a9263238ec390f3d68f2bd19236240393fcb86488560dae9394d23b5bf7ae5b3b9f2c7dc8a5985a8484d70e8fe81d0b91f2894

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC3A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

Filesize
239B

MD5
01612c523dc4e420b47913851aea83b8

SHA1
79917b96b1534f2a1cc3d92e5d19762e525a19c4

SHA256
a795a69e1a6a8ccfa931a160630b77cd3707241bd8e49a9559ae5217c6573857

SHA512
8d3e16c554e4e7ddf2fad5ce35546e28a68acfb58594d13e48385696e81fe131ad90e2045a7169c4c9c80012f92a4c0433c840a71e15f80acfd758dd3787c5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
239B

MD5
3652f4e4da143c483aab383871bd3977

SHA1
b57db535e0f4933d1dc3b4891ca4c4c6e9928b1a

SHA256
ddc654a65aadcd30e7787c2285c7aed69753539262d35d9c1f3e2f211883d4d2

SHA512
17fa450a83bcce38f6a34c1e9fd4ba5c74f9cfd56f146776ccf7f9ba68e482ff239014b421ec7f54d9e2555af94df7edd06d930d99f18cac2de5e8b5aba163b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
239B

MD5
38389861849411f54fc828959f9cd8d7

SHA1
7db4a93d2f826beeccc3d1ec7b97b83367f07a17

SHA256
cd62df70d169a5fa3d97f74892b3652250f0003381b6ba478629d294f10a65fb

SHA512
ea835980325d7875d6b2f51b5a4284fc822f1cd50133341e61b77d02f2cdfda6124f3642ae681b501f7191007391741e990ad3e36a34669352f625cc0a057bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

Filesize
239B

MD5
57b4966413e0d14556db7e901189286a

SHA1
0214e917a17c0da5e46376b6773d0af01ddb2172

SHA256
dda0fba4388de9fa1a6829ddcef0b3e1d2f4bacb9c0a176960e6480e3197de8e

SHA512
d79fb0741269d9348119b3dd170fa1619653dfee6166cc84d01687cf85645511bf0dd8d4a1c80c839cede4b45f4b037c66cc39503db4aefea83e3b7e2da3df10

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat

Filesize
239B

MD5
c9968ba8bab3ade75886bd1b19122970

SHA1
af4834f70fa1792c205570f8d9634c2600d92f69

SHA256
e58845ee7f852c81abf436c57af2f6fba261c75e7c6c7d3083d28d7adef2d4f2

SHA512
8525077638258516028b48e5c1a20e094ad5cb7dad613e2fee9447327ed17008bfa7e8838dfd90973164b742c8e0606f4dd2de81b39db915d3300e1634ca2aef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b4189f5b139c3ba8d1efbf0340b531f4

SHA1
bcaacded601b192a6f59dd8e25b67e75ce15a4a9

SHA256
b457c1a1ece8d4d525db2afb486f78bac741af0c63ac14a6e7b098a62ded63fb

SHA512
4993b860669ce8c3c19aa47ec3db36b9e1b1bda079eb0ecd628485d6c42c395211d1342e2db9b16e4de8fe9b3fd4b46f7a545c48620a3cc1f0a54acd96167330

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/924-211-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/1792-152-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1792-151-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1900-271-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2060-688-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2268-82-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2348-331-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2608-450-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2624-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2624-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2624-13-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2624-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2624-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2748-510-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2940-80-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download