dcrat | 66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe
Size

1.3MB
MD5

8ad2affe8977d20cb18b81d4565c6017
SHA1

e7b50277342e0965c8643982ba3a3697401e4123
SHA256

66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f
SHA512

fa90a9fafda1129852fdce8d0d6fee41e82aabef12ad43edae7a3f1ecc9428b4b52de24359bf7742a0a5605f37207fb472573ba4a0ee566b1930fbf5dce25d4b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2632	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-12.dat	dcrat
behavioral1/memory/2732-13-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/1524-60-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/1864-268-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1548-329-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2860-448-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2564-508-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/1792-745-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
2252	powershell.exe
3012	powershell.exe
2832	powershell.exe
2244	powershell.exe
1440	powershell.exe
3024	powershell.exe
1980	powershell.exe
2108	powershell.exe
2340	powershell.exe
2876	powershell.exe
2564	powershell.exe
2740	powershell.exe
2684	powershell.exe
2380	powershell.exe
3004	powershell.exe
2820	powershell.exe
864	powershell.exe
2088	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2732	DllCommonsvc.exe
1524	conhost.exe
1432	conhost.exe
1864	conhost.exe
1548	conhost.exe
1148	conhost.exe
2860	conhost.exe
2564	conhost.exe
860	conhost.exe
1696	conhost.exe
984	conhost.exe
1792	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
872	schtasks.exe
2920	schtasks.exe
1684	schtasks.exe
568	schtasks.exe
1720	schtasks.exe
1744	schtasks.exe
2080	schtasks.exe
2384	schtasks.exe
1524	schtasks.exe
948	schtasks.exe
664	schtasks.exe
1928	schtasks.exe
700	schtasks.exe
3048	schtasks.exe
1432	schtasks.exe
372	schtasks.exe
2064	schtasks.exe
1320	schtasks.exe
1656	schtasks.exe
860	schtasks.exe
2640	schtasks.exe
2456	schtasks.exe
896	schtasks.exe
2796	schtasks.exe
2548	schtasks.exe
1704	schtasks.exe
2856	schtasks.exe
1996	schtasks.exe
2344	schtasks.exe
836	schtasks.exe
976	schtasks.exe
2308	schtasks.exe
2008	schtasks.exe
1228	schtasks.exe
2808	schtasks.exe
2388	schtasks.exe
320	schtasks.exe
2396	schtasks.exe
1608	schtasks.exe
2712	schtasks.exe
2868	schtasks.exe
2180	schtasks.exe
2132	schtasks.exe
2496	schtasks.exe
1700	schtasks.exe
2420	schtasks.exe
1632	schtasks.exe
1576	schtasks.exe
2404	schtasks.exe
3040	schtasks.exe
2216	schtasks.exe
580	schtasks.exe
2372	schtasks.exe
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2740	powershell.exe
3012	powershell.exe
2252	powershell.exe
2912	powershell.exe
3004	powershell.exe
2876	powershell.exe
2820	powershell.exe
2244	powershell.exe
2832	powershell.exe
1980	powershell.exe
1440	powershell.exe
2684	powershell.exe
2108	powershell.exe
2380	powershell.exe
2340	powershell.exe
1524	conhost.exe
3024	powershell.exe
864	powershell.exe
2564	powershell.exe
2088	powershell.exe
1432	conhost.exe
1864	conhost.exe
1548	conhost.exe
1148	conhost.exe
2860	conhost.exe
2564	conhost.exe
860	conhost.exe
1696	conhost.exe
984	conhost.exe
1792	conhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1524	conhost.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1432	conhost.exe
Token: SeDebugPrivilege	1864	conhost.exe
Token: SeDebugPrivilege	1548	conhost.exe
Token: SeDebugPrivilege	1148	conhost.exe
Token: SeDebugPrivilege	2860	conhost.exe
Token: SeDebugPrivilege	2564	conhost.exe
Token: SeDebugPrivilege	860	conhost.exe
Token: SeDebugPrivilege	1696	conhost.exe
Token: SeDebugPrivilege	984	conhost.exe
Token: SeDebugPrivilege	1792	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2680	2664	66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe	30
PID 2664 wrote to memory of 2680	2664	66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe	30
PID 2664 wrote to memory of 2680	2664	66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe	30
PID 2664 wrote to memory of 2680	2664	66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe	30
PID 2680 wrote to memory of 2824	2680	WScript.exe	31
PID 2680 wrote to memory of 2824	2680	WScript.exe	31
PID 2680 wrote to memory of 2824	2680	WScript.exe	31
PID 2680 wrote to memory of 2824	2680	WScript.exe	31
PID 2824 wrote to memory of 2732	2824	cmd.exe	33
PID 2824 wrote to memory of 2732	2824	cmd.exe	33
PID 2824 wrote to memory of 2732	2824	cmd.exe	33
PID 2824 wrote to memory of 2732	2824	cmd.exe	33
PID 2732 wrote to memory of 2912	2732	DllCommonsvc.exe	89
PID 2732 wrote to memory of 2912	2732	DllCommonsvc.exe	89
PID 2732 wrote to memory of 2912	2732	DllCommonsvc.exe	89
PID 2732 wrote to memory of 2252	2732	DllCommonsvc.exe	90
PID 2732 wrote to memory of 2252	2732	DllCommonsvc.exe	90
PID 2732 wrote to memory of 2252	2732	DllCommonsvc.exe	90
PID 2732 wrote to memory of 3004	2732	DllCommonsvc.exe	91
PID 2732 wrote to memory of 3004	2732	DllCommonsvc.exe	91
PID 2732 wrote to memory of 3004	2732	DllCommonsvc.exe	91
PID 2732 wrote to memory of 3012	2732	DllCommonsvc.exe	92
PID 2732 wrote to memory of 3012	2732	DllCommonsvc.exe	92
PID 2732 wrote to memory of 3012	2732	DllCommonsvc.exe	92
PID 2732 wrote to memory of 2820	2732	DllCommonsvc.exe	93
PID 2732 wrote to memory of 2820	2732	DllCommonsvc.exe	93
PID 2732 wrote to memory of 2820	2732	DllCommonsvc.exe	93
PID 2732 wrote to memory of 2340	2732	DllCommonsvc.exe	94
PID 2732 wrote to memory of 2340	2732	DllCommonsvc.exe	94
PID 2732 wrote to memory of 2340	2732	DllCommonsvc.exe	94
PID 2732 wrote to memory of 2832	2732	DllCommonsvc.exe	95
PID 2732 wrote to memory of 2832	2732	DllCommonsvc.exe	95
PID 2732 wrote to memory of 2832	2732	DllCommonsvc.exe	95
PID 2732 wrote to memory of 2244	2732	DllCommonsvc.exe	96
PID 2732 wrote to memory of 2244	2732	DllCommonsvc.exe	96
PID 2732 wrote to memory of 2244	2732	DllCommonsvc.exe	96
PID 2732 wrote to memory of 1440	2732	DllCommonsvc.exe	97
PID 2732 wrote to memory of 1440	2732	DllCommonsvc.exe	97
PID 2732 wrote to memory of 1440	2732	DllCommonsvc.exe	97
PID 2732 wrote to memory of 2876	2732	DllCommonsvc.exe	98
PID 2732 wrote to memory of 2876	2732	DllCommonsvc.exe	98
PID 2732 wrote to memory of 2876	2732	DllCommonsvc.exe	98
PID 2732 wrote to memory of 2740	2732	DllCommonsvc.exe	99
PID 2732 wrote to memory of 2740	2732	DllCommonsvc.exe	99
PID 2732 wrote to memory of 2740	2732	DllCommonsvc.exe	99
PID 2732 wrote to memory of 2684	2732	DllCommonsvc.exe	101
PID 2732 wrote to memory of 2684	2732	DllCommonsvc.exe	101
PID 2732 wrote to memory of 2684	2732	DllCommonsvc.exe	101
PID 2732 wrote to memory of 2564	2732	DllCommonsvc.exe	102
PID 2732 wrote to memory of 2564	2732	DllCommonsvc.exe	102
PID 2732 wrote to memory of 2564	2732	DllCommonsvc.exe	102
PID 2732 wrote to memory of 2088	2732	DllCommonsvc.exe	104
PID 2732 wrote to memory of 2088	2732	DllCommonsvc.exe	104
PID 2732 wrote to memory of 2088	2732	DllCommonsvc.exe	104
PID 2732 wrote to memory of 864	2732	DllCommonsvc.exe	106
PID 2732 wrote to memory of 864	2732	DllCommonsvc.exe	106
PID 2732 wrote to memory of 864	2732	DllCommonsvc.exe	106
PID 2732 wrote to memory of 3024	2732	DllCommonsvc.exe	108
PID 2732 wrote to memory of 3024	2732	DllCommonsvc.exe	108
PID 2732 wrote to memory of 3024	2732	DllCommonsvc.exe	108
PID 2732 wrote to memory of 1980	2732	DllCommonsvc.exe	110
PID 2732 wrote to memory of 1980	2732	DllCommonsvc.exe	110
PID 2732 wrote to memory of 1980	2732	DllCommonsvc.exe	110
PID 2732 wrote to memory of 2380	2732	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe
"C:\Users\Admin\AppData\Local\Temp\66c210cba75daafda60db6bf88b79098e1d8937759c21a218b10126b1d0af29f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat"
        6⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1320
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        8⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1772
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        10⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1752
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
        12⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1684
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
        14⤵
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1880
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
        16⤵
        
        PID:1472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:880
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        18⤵
        
        PID:1208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2284
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        20⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:896
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        22⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2720
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        24⤵
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2216
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c30e52ea8c10e1d7b882fe1c7488bc93

SHA1
bfe5973204e102a243bad9b279f394b74403e1e2

SHA256
f11ce4a16307b62e959a9ce735f01d7671a2a1e99b8bf0a21ecade4b72667ef0

SHA512
f79469121d325c74f42329bc4e3645d7747f4c441f15432c1f9eb6a3f5f9e56524e8753ed4264f64d5e9bed834c96a67e7d62f1d00ff2c1351513b2e207a5bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8666742c646f4defc3f1d410a8dcc9d9

SHA1
d76a8906b775e38895490508556baa2325926021

SHA256
7f710daf32117507bec1142f34f41e6c8ce83d6252e9694a493eb18f856ea3aa

SHA512
2c45cac2c5c6982f63f91a642770a5210934814c32affaa814ee673f1342cd54145af230ed95ea17da838313b8aa03ef40a7628270205fb4a3244d0a3a46a681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a0a6c5bd8f219b6c8b5bab4c2b560b1

SHA1
f462083d26a64df87300a65d7a67800d0ddffa64

SHA256
91c4fc95f0e65cf1390d1e59a12c3c753f867b898e334c19b7b9abd37530cbea

SHA512
9cd475f607ee4c7976dae4ac47d17a0460f41bb16b2774393936a67bd0f59946f8cfbe4b204d9a02eb923abf0714f73843ede2c4b1be40ef120f37552620c078

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c76ab66be7a9869e6945acf5ebc14d

SHA1
d5e502895627da91060e897644e95b80099975e9

SHA256
87609d23aecd87cd9c8aa4d7cb7d411de632751a02e4a17a094da814b08e371a

SHA512
7e3037ca32aa9c6bb5d19695eea39e1fb3f603cca5ceb03dee0ef6eb8c021e1cc5ac6a7987e51035eea7fa6dccb8b22f14987240aa4a5b45d8e5d3a5cc4f1665

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5317249e865dba2cf9f0b20d50a9435

SHA1
589fb1eef5db12555be370788748b3f1cf9cfda3

SHA256
8967169d3a08b1971080bd01809e1d2aef82fbbeb8c8f83696b2f79c66395094

SHA512
17f737cd68adf48d13716bfc0bf53bf2fefe43f36d645214eb77fa85579775777e83eae4d23b98501b5c6719817ca7aafde33673f4aa4a90449a73c9545e1e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a070aa37635ea0a5a9b3d9a133c7393

SHA1
c329d17dadd65f0d00813b423d738b4c686f0e3c

SHA256
92a0e7bd4435b449516db8f4bef208fe7008a02d9cecf288bf2b0a532ddfdef8

SHA512
49dd0e2e06326d1a979bf87506e527b433db858ccb14ccfce20177027b3c346528711add8117e36b1a989fbc2f4a369639b7fd2f1e85abc4199d68af35b4b123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a5422948da250b0da1cb24ce8c64e30

SHA1
5c76f1edc3cb47c4259e002af4c41d0a2d3c17c7

SHA256
bbb47def7dd80a287fb78ced64a2cb2f175d01db11663be6dc1e3725d1a6cfe3

SHA512
1b1ee417b4b548fb0f5d4d2a21b1dc30e7712276f9f42159d9857618cacc5d32e1a63a592d094056decdb2b943dc4763d984b10d2a96b3281fb49593caf128bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6249941f98382ab8b07880a598afaf62

SHA1
fa7cc63b61a84f1e22f290af10bcd2040298d699

SHA256
fdebfd274059b8a774f836eefb90fde81efebde8cf8d69537402381a75d5cc31

SHA512
e577ff10c48f297a3a33790df4ee274807aaaeee259d8282ff201d3c3e770bbb17239b243fa9577cea01402d6788294ee9896a5f5bb73d2f84e18cbe2181fc87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a98a55b020e65fdd87e9c654433abf9

SHA1
4e14fbb8bbde9fec5e4a38772cc98dafdf6f4abc

SHA256
ab6d8a1cb105d7bb9673a576b71a612528890de7b4c3f77ead8d83bb0788b044

SHA512
b52bb33e1ec44abd1bc9a9ccdb56bc24a143a4f17b7d5a7eb3b20418fd048a97f50e7463f197cbc13339f0a8e2a56dc7b69382c6e367dcb7b7eba0e63efcfa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat

Filesize
198B

MD5
f6e2b958203a42d018d607e94304a012

SHA1
43c6cdd83296b7e291bdd24151ebd527d327905a

SHA256
079bed3884787f89db8b32583ccf07adbb5c3852c15b46b61e9e92e6596660be

SHA512
b43e36a68bdec77a5666c966ff516424ed198bbfb51db8e93533db1f55ce6f7e6de899b89627cd382daf9d7c30f84e25c1690bf498ab218cecd5f059e487e468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5785.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
198B

MD5
aff1064c8e81aa8bf5397080e321b158

SHA1
c22a8290a65a65533a9e2fe08156c232ea9b7e35

SHA256
b34950685102e741b33c62d16cafd3f869ca459dd9fd2dce00b408fd619b3563

SHA512
bb5a65e2eba2a3f190c1a8fb49986fdcdea70ba930043e0b722e31ac1ed33f92f1b42fd021b8359f5d957dd4f7e1e947829a5acb361c0897a026764623220506

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

Filesize
198B

MD5
b0a70f8d9b342060bf124ef59e22e3a6

SHA1
3dc11e3026e2c3294d73164722d9a0078703894e

SHA256
be93f3cede15ab7ed5ac1e44112ea2cd25468ec09e8d4646c340258eca992714

SHA512
55bed8329629ae5923aab289cabd5bf58fe48b724cdc81700808cae0b608cfa13e3bcc658a962c3dd1232b2b16322a41bb4503f0bef12ca1fcd52c9119e0502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar57A7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
198B

MD5
58cd611e1a0420d1c05e03de9250ed86

SHA1
5c8a956ef10be773b1a382648201899391b8b027

SHA256
c066da83273dd0286014dc9f6d7e0aac36c1ad0be0b38615a36dc83d6fb94d8e

SHA512
073381cff2791a76da124c752c69ebeb73b34bb39476923f341df3024058d3e26762cdbf23b65198d66900281f854573705b0f7a37bf2cb58737dc0ae7051638

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
198B

MD5
3bbb1ee795f271081902bb7658d8e396

SHA1
2c464080ae76e18733cd64e9d3e2ab0d6acdca3c

SHA256
680df2a648429da855c9759d062a5cb0530c0310f71beef8c063bade0126f842

SHA512
20eb8f0b6d8b16e5f0a6365269ede4bb2af4241d76e3f3495e6aee60b335887baf21d66ddef82cc5c96d2703cc7af014e4df629e22fdaea5c92d56b95812d370

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
198B

MD5
e702b5d98cda6dce6386d7ed6690f78d

SHA1
a9eacb910cc64805dfdd8eb10a1d0fa2f536aad1

SHA256
991be06c27a9d359ccaf604950024f5befa2be82b7c4744d77b77563b8412588

SHA512
ec0f1450bc31bbdaa0511bf767fc530abbafe46475e6ee0fd48a99fd7cbdf32a9e7252757adf807c70e483a7168ee534fec2ba9c371898ebaa3480aa1032c6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
198B

MD5
ef1b5b13221de8da56611c3256f9357b

SHA1
c06df198fa14edb3a8ada3ffffe61e67dec9019a

SHA256
7805aec6fb34cea01bd28833d73f2649aabc0ba366395ddfd8485efd9dc0e19d

SHA512
2821ab299a66e6c92723c8cf21611f82c7f3acd27e1778dabe072beaab8c5d695cf9219b02cfdd9bc5e3677a3f3de5c6f123437547e987db05f1df07ce044b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
198B

MD5
448163090cbc1aac981fae49e80b902e

SHA1
1c36f378bd6a8e91d16ef0cc0e6a3714e7729a63

SHA256
3d8c685c0c0cf78bcaaf3f34c8dc96b405d22cf19c100a31b7912e39e97e9a55

SHA512
8ca5bb38a9eb384b2c97fe57a543a9f48a34b524a051ea1dd890c5ed2703e8c9f5a89a45b9e541531131b5903456958ee63690efb50c725078a3ef94df874cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat

Filesize
198B

MD5
6b063e0ad4d2951b5a416bcea3431c15

SHA1
830744acf7ff933e46bd6935c1873b855ca77f6c

SHA256
54c43c4464fc17a1b0505732a6ff40f2cca467f76ddb8ce8456da27c9c209798

SHA512
c9c2a774060841de5f798c24bd0d8673f8d73d7cef189c7df4a3fdd46787ac7fd4df94ff63a6d4141d8539942dfa66b957e62de8d58212354bbeeaf56588c77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
198B

MD5
909476a744b869bb2e6b6798c063950a

SHA1
37d79fa685b52564d50a4b9816b2b41b70754a31

SHA256
5ada81c4ce3d6c647a56e045dfd85ed5fab7c4a73a8435320d4cad736a992504

SHA512
5c50e33ce87e05ea1c136c329639576cc89acb3d5629b07207ceff1604cde79d3ca1b27373b0454fdc7df005648bb7ff93e1a09264a9761c06ce847b30b6ad2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a2dcc4b106e58166238a85d6f1903c6b

SHA1
b8892018742237e1d344c2ed04b5436768d31eb3

SHA256
b3a96f18ef29aa594eaccf43d1d730ba53f26ac3fb8ca2b0acad489bd77ac364

SHA512
8ebb56bad2dad4acc89a9f2d4bc4d794a4a77b8de74ff6084f4f104a568512f59c951d2961736373294417cc2e1b28d6c954e4f65e427a71e2bc3e21beead266

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1524-60-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/1548-329-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/1792-745-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/1864-269-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1864-268-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2252-71-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-508-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2732-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2732-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2732-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2732-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2732-13-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2740-86-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2860-448-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download