dcrat | e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe
Size

1.3MB
MD5

0b145e1aef97fa67044d1f4b5f83875a
SHA1

c89bc784087bc7e38cbed37c877b6248de050362
SHA256

e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225
SHA512

f111cbb00d0371877b153e1c8d2d83705c9f89fd756e6ce2e725bd48c04a6e3c6bc5236d53e9edeb7d165c446326a79642bcdefcdc48b3d4aa13d2154c7fc43e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2316	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173da-12.dat	dcrat
behavioral1/memory/2692-13-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/2652-67-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/616-311-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1808-371-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2688-431-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2400-491-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2796-610-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/2040-790-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
1588	powershell.exe
2172	powershell.exe
2396	powershell.exe
2176	powershell.exe
1584	powershell.exe
2484	powershell.exe
1644	powershell.exe
1712	powershell.exe
1692	powershell.exe
1988	powershell.exe
2516	powershell.exe
2100	powershell.exe
1580	powershell.exe
892	powershell.exe
2548	powershell.exe
1684	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2692	DllCommonsvc.exe
2652	smss.exe
2880	smss.exe
2300	smss.exe
616	smss.exe
1808	smss.exe
2688	smss.exe
2400	smss.exe
2896	smss.exe
2796	smss.exe
2988	smss.exe
2640	smss.exe
2040	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
344	cmd.exe
344	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2528	schtasks.exe
1280	schtasks.exe
3036	schtasks.exe
728	schtasks.exe
3004	schtasks.exe
1704	schtasks.exe
2020	schtasks.exe
1180	schtasks.exe
440	schtasks.exe
1564	schtasks.exe
2688	schtasks.exe
2456	schtasks.exe
816	schtasks.exe
968	schtasks.exe
2348	schtasks.exe
2984	schtasks.exe
2416	schtasks.exe
2232	schtasks.exe
3056	schtasks.exe
1740	schtasks.exe
900	schtasks.exe
2736	schtasks.exe
2672	schtasks.exe
2648	schtasks.exe
1484	schtasks.exe
2008	schtasks.exe
1696	schtasks.exe
1804	schtasks.exe
2636	schtasks.exe
916	schtasks.exe
2836	schtasks.exe
2616	schtasks.exe
2492	schtasks.exe
2700	schtasks.exe
2000	schtasks.exe
1432	schtasks.exe
692	schtasks.exe
2928	schtasks.exe
1868	schtasks.exe
596	schtasks.exe
588	schtasks.exe
2888	schtasks.exe
1744	schtasks.exe
1620	schtasks.exe
1560	schtasks.exe
3068	schtasks.exe
308	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2484	powershell.exe
892	powershell.exe
1580	powershell.exe
1988	powershell.exe
1644	powershell.exe
1712	powershell.exe
1688	powershell.exe
2176	powershell.exe
2652	smss.exe
2100	powershell.exe
1588	powershell.exe
1584	powershell.exe
1684	powershell.exe
1692	powershell.exe
2548	powershell.exe
2516	powershell.exe
2396	powershell.exe
2172	powershell.exe
2880	smss.exe
2300	smss.exe
616	smss.exe
1808	smss.exe
2688	smss.exe
2400	smss.exe
2896	smss.exe
2796	smss.exe
2988	smss.exe
2640	smss.exe
2040	smss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2652	smss.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2880	smss.exe
Token: SeDebugPrivilege	2300	smss.exe
Token: SeDebugPrivilege	616	smss.exe
Token: SeDebugPrivilege	1808	smss.exe
Token: SeDebugPrivilege	2688	smss.exe
Token: SeDebugPrivilege	2400	smss.exe
Token: SeDebugPrivilege	2896	smss.exe
Token: SeDebugPrivilege	2796	smss.exe
Token: SeDebugPrivilege	2988	smss.exe
Token: SeDebugPrivilege	2640	smss.exe
Token: SeDebugPrivilege	2040	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1724	1684	JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe	30
PID 1684 wrote to memory of 1724	1684	JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe	30
PID 1684 wrote to memory of 1724	1684	JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe	30
PID 1684 wrote to memory of 1724	1684	JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe	30
PID 1724 wrote to memory of 344	1724	WScript.exe	31
PID 1724 wrote to memory of 344	1724	WScript.exe	31
PID 1724 wrote to memory of 344	1724	WScript.exe	31
PID 1724 wrote to memory of 344	1724	WScript.exe	31
PID 344 wrote to memory of 2692	344	cmd.exe	33
PID 344 wrote to memory of 2692	344	cmd.exe	33
PID 344 wrote to memory of 2692	344	cmd.exe	33
PID 344 wrote to memory of 2692	344	cmd.exe	33
PID 2692 wrote to memory of 2396	2692	DllCommonsvc.exe	83
PID 2692 wrote to memory of 2396	2692	DllCommonsvc.exe	83
PID 2692 wrote to memory of 2396	2692	DllCommonsvc.exe	83
PID 2692 wrote to memory of 892	2692	DllCommonsvc.exe	84
PID 2692 wrote to memory of 892	2692	DllCommonsvc.exe	84
PID 2692 wrote to memory of 892	2692	DllCommonsvc.exe	84
PID 2692 wrote to memory of 1692	2692	DllCommonsvc.exe	85
PID 2692 wrote to memory of 1692	2692	DllCommonsvc.exe	85
PID 2692 wrote to memory of 1692	2692	DllCommonsvc.exe	85
PID 2692 wrote to memory of 2172	2692	DllCommonsvc.exe	87
PID 2692 wrote to memory of 2172	2692	DllCommonsvc.exe	87
PID 2692 wrote to memory of 2172	2692	DllCommonsvc.exe	87
PID 2692 wrote to memory of 2484	2692	DllCommonsvc.exe	88
PID 2692 wrote to memory of 2484	2692	DllCommonsvc.exe	88
PID 2692 wrote to memory of 2484	2692	DllCommonsvc.exe	88
PID 2692 wrote to memory of 2176	2692	DllCommonsvc.exe	89
PID 2692 wrote to memory of 2176	2692	DllCommonsvc.exe	89
PID 2692 wrote to memory of 2176	2692	DllCommonsvc.exe	89
PID 2692 wrote to memory of 1580	2692	DllCommonsvc.exe	90
PID 2692 wrote to memory of 1580	2692	DllCommonsvc.exe	90
PID 2692 wrote to memory of 1580	2692	DllCommonsvc.exe	90
PID 2692 wrote to memory of 1588	2692	DllCommonsvc.exe	91
PID 2692 wrote to memory of 1588	2692	DllCommonsvc.exe	91
PID 2692 wrote to memory of 1588	2692	DllCommonsvc.exe	91
PID 2692 wrote to memory of 1584	2692	DllCommonsvc.exe	92
PID 2692 wrote to memory of 1584	2692	DllCommonsvc.exe	92
PID 2692 wrote to memory of 1584	2692	DllCommonsvc.exe	92
PID 2692 wrote to memory of 1712	2692	DllCommonsvc.exe	93
PID 2692 wrote to memory of 1712	2692	DllCommonsvc.exe	93
PID 2692 wrote to memory of 1712	2692	DllCommonsvc.exe	93
PID 2692 wrote to memory of 2548	2692	DllCommonsvc.exe	94
PID 2692 wrote to memory of 2548	2692	DllCommonsvc.exe	94
PID 2692 wrote to memory of 2548	2692	DllCommonsvc.exe	94
PID 2692 wrote to memory of 1688	2692	DllCommonsvc.exe	95
PID 2692 wrote to memory of 1688	2692	DllCommonsvc.exe	95
PID 2692 wrote to memory of 1688	2692	DllCommonsvc.exe	95
PID 2692 wrote to memory of 1644	2692	DllCommonsvc.exe	98
PID 2692 wrote to memory of 1644	2692	DllCommonsvc.exe	98
PID 2692 wrote to memory of 1644	2692	DllCommonsvc.exe	98
PID 2692 wrote to memory of 1988	2692	DllCommonsvc.exe	99
PID 2692 wrote to memory of 1988	2692	DllCommonsvc.exe	99
PID 2692 wrote to memory of 1988	2692	DllCommonsvc.exe	99
PID 2692 wrote to memory of 1684	2692	DllCommonsvc.exe	100
PID 2692 wrote to memory of 1684	2692	DllCommonsvc.exe	100
PID 2692 wrote to memory of 1684	2692	DllCommonsvc.exe	100
PID 2692 wrote to memory of 2100	2692	DllCommonsvc.exe	101
PID 2692 wrote to memory of 2100	2692	DllCommonsvc.exe	101
PID 2692 wrote to memory of 2100	2692	DllCommonsvc.exe	101
PID 2692 wrote to memory of 2516	2692	DllCommonsvc.exe	102
PID 2692 wrote to memory of 2516	2692	DllCommonsvc.exe	102
PID 2692 wrote to memory of 2516	2692	DllCommonsvc.exe	102
PID 2692 wrote to memory of 2652	2692	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8f3a1b703ebf4334ceed7e05ae8c534520f32896fefc5e1fbb8f8fd651b8225.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        6⤵
        
        PID:304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2792
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        8⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:272
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
        10⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1620
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        12⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1944
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        14⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1252
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        16⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1540
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        18⤵
        
        PID:816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2024
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        20⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2820
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        22⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2052
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        24⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1752
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        26⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2900
        
        C:\Program Files\Reference Assemblies\smss.exe
        
        "C:\Program Files\Reference Assemblies\smss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be02221eb18f38409352f14a866b1304

SHA1
5b96b6a94061d966d41299e8e8751e8fdfaab942

SHA256
13081124831d952d61324579dcf12b3f8d37e4d1622b44658ea4f8a5c0f36bc4

SHA512
ead5d4968e8b752f671e898932f2e6e87d659a3bae3b65c8bcc859c4d364f19fea381fb3199d26f1daf9db72e4c077dc608c817cddf36f589032c0022a2f6c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
181c30510a401e544f5e9253a63d630d

SHA1
e5627577a66f9f55aa3b17afe4fb7b113e12809d

SHA256
99a964f22462afb542e458f8787e1dc0ad8a3675686014b95516c460a67023b6

SHA512
72737d4a31b82be7f781c5457b52fc0c1c3a3b21f1842a49238b4c1639ff0c5b078bbc169bd6b5f77dd150ad50638a3c7eeba8a8ea9c53ef9ef1fda9e040436c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9a64fc7b17449e81ce67387a77f5e9e

SHA1
e562fbd7f4983fa44fe10fb74fcbf553c0b12580

SHA256
2324047347bfb6ad795d555b0a87a1e7f377f69a19a0ee1b124f1c0deeb24e02

SHA512
01840f0d9d0abf9b2956398356985726379c9923086276d56212c041286e848dbfb063e48d4cbf1c5fcc721ac04de6f8b6c984aab729e5e98060055ab8d43db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2030e14be7452ded9221a27f923bb62d

SHA1
cc399bb85282dd48e1f59b5b0ed93a51a90c7f2b

SHA256
ceb1cd359457c472bdb12be8c516a8fc1693d6adcf5675b5e12fc100b7a22707

SHA512
1dc234095184ee4fe2f4772e1b2855d59ce5fcfd489d41847fc4d3df8858419616e336a6c3900b06221232db792d9d04fbd61d456fcbef79b5b121a9cf57f9e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3431075a14272061bf7cfeb146e23b39

SHA1
8b79dc61655e38c15323314b6eefb9d858e41f95

SHA256
889d58333c6d51b6e23ef9b9d88296c34e5f18532a44dead4357198f2cd2c762

SHA512
c3a6efc34d062f84ff36125db442361333171b2c19363db6bea547a14c47a0b7482538a9092546e45ec2c39e69d635ee4f1918c397e3b8464dd1d7961d7ea862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13c6ad4561666ba0c2f44a38b684307a

SHA1
eba2ad9c2d29b44bfea478f9760e542a7cf9e1e5

SHA256
6323943b125c773badadf0c79a6d9b5797eba1e74793bf0ce0fb2eb83a016846

SHA512
553c3e149769b6e42d6e98e95f36022f61822c79c3c7aeed0576ba6c7448775ac363ca99a823c19d86d659fcccd913f81fe0ab4fc8d511f023e1d1a626b5b358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa38bdf0557e7efec0e3c1f827a1a207

SHA1
83547c9345470ab42d034141df2dbe47e98f3281

SHA256
880c689aa5f57e88ae7c5013295a61006470c351ac4c3541386657c43c037fd8

SHA512
9e3c46a8a6978c8d8ee6b5ba2e80c4f4ae96e0a9e086a5392b1c6d2ed2dc5e3cd18ac88b237d0f799ed8a571c76803f1411941be635af148b8db1c5f4a8d5244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f34ab7fe86d59f64f9cf0342efd631eb

SHA1
a300cebfccfc52146c990f62e19985b1aa2fb761

SHA256
38684545d66dc38b4d4533d35b75053921c1d1637ea69a6e7baeb40bf61dc1f5

SHA512
9936670fc0d918d477ead6a810cefb06684c4d6c6d9aab163d8c3c4ede2a537cdd844e7631650e790a0db16cce61d94498bd26c96e3ea7fb909155c17604a30e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
694b27f052f24132c72dfdbdd452c189

SHA1
9e2a35cefae517a46f2bf0216207671909d57a02

SHA256
7b1dd1ad0562ae741890610b8beb64ef7a397f1274053534cee1557815179740

SHA512
4739cb737ef8dfef68765d0c87555ecf468e979ac128d89791803d1407a960408ccd3ab317c1aef43de0267acedafacbd5cf698dc1bba3c0d601a68a422f6ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8461bdee601fecbc7c5a1b4d5d5d01c0

SHA1
aabf08576c1a89155187cab5348374a2b02e1ebb

SHA256
7f8d78386ae39d43e34d5b9c5547f019e1c27e1cc3ef550967ca2b5a410faa14

SHA512
0d585c5ee1e412ec3a06b94387b00ffc3efe443ae90a6fc3b008b8c53a88d9b28a6593425457e055445802cae22e1fade237a0d100fa86af569c8c6d9953209d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
211B

MD5
34dac854e7a7d32cefdf11688486fc50

SHA1
60bb02c3a7d3c29c2d877ee5a1cacfb07ee4603e

SHA256
9df904a3cb5f4f7232cf8a0351d5acc5be516a39d08494f8731eca84d4f3c28f

SHA512
16a4a00f63c07f935d1fa6c37e8fea735c1f4bee4a051c295a86ad8aba6096a7440b4e39720fd97ef3e878ec0157b2feb7fd2a8c5303104eec745623170c6caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
211B

MD5
ea58c4cb284e769c4d00842f40f63108

SHA1
2a624711f519f77696ed156714a060b343edc887

SHA256
51994afe5725354d2a4f2c404e12a94163dad52594aa3ebeaed8d57563ad549c

SHA512
9930ab9d7d6f9b6702bb3cc1402d732de46b965810c17d4f35484e62d0d473f1bc05fc4ee981ad2d52386592a5e3c12193096e28e2e26b28fbc2e550f4416e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

Filesize
211B

MD5
96f6ba4d1d1adf2954c708a66eb9a927

SHA1
0e18739b5ccc9ff4bef915d51219e63585be28a5

SHA256
41110a24afa8dc58b854369771042cfa37d29870077d17f4912bc5299cde8098

SHA512
263117d5845470683ac1da09d9d12645c727759761d6d9592aef0f38c47d3896a68cb0a7fac4c93abb2336e9ba13effb4442a366246cbefe1d34c79f75832c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBECF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
211B

MD5
c686154bc533576c1ed35a6c7efb0302

SHA1
4ecd01ce1b5855f5bdc7c930b4513b1e4d6093f2

SHA256
eac395cb632197ae6a8202c6bc50894d065d82c48c87f98a22fb87e9df30e64f

SHA512
38e5153f5e9e88a08ee74dc191b5a30ad6841bc0bfce5c4d31ce0474ef6a77577dae35dff178916695b826d0566c0204594224d7ee40e2fcaeac8000b4a258cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBEF1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
211B

MD5
0b3f59efa20889328345c789d001e62b

SHA1
e09403313d338e5ef6fc0cdc92ec2430ef3a9b32

SHA256
447646ed3d40d802fa46979280cbf57a94fe3fcfdac44bd8d06c632055228e90

SHA512
99fe71cd2108e4b19cb46025ae19ca7fae4bc11006deba9b7c87ac78cac7e461e0adc83b69b0be4d30a3559e16378a5622320467f8124010cfeca73e2f7ce974

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
211B

MD5
0ebf909aad8b4be628e4cf529ee683bc

SHA1
547c8cb9c075ddb5210753915320a3991bf4e425

SHA256
c6d8e1e49b179f4ef7411b1397f6a25446d78a198b6cc7baeb21e1f259ffc2e8

SHA512
a50005c6dc9fd55c7792c73e37d62de36dc68fb323d57b92cf7d87b42d586e1c6b668711811e1b7dd3d2e79b64c7b14b1e2d9f1e7e9122c6948fd8c0906677e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
211B

MD5
d8859073a40fd78b9a64da2695adad81

SHA1
82796e14068427c4fec865b3c2dbd0c80be087b5

SHA256
e20564c5d20171f8672cf76d8f551c3693854b4ab99da1dc8c1f54539551d8e8

SHA512
af87d92b0884c476b992e194d8dd08e90459ac07d9e4d25c475404c7ea03404f46ed12891fa6405034c0e3e034c55ae64dc1c202ee0263793c5635b6e2caee2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

Filesize
211B

MD5
676fdfc65bc582007b5080712c943e34

SHA1
df03e21b8a4226ef620c83039be5f7a1c7966fd1

SHA256
2e6dba0839bba9a91c0ddbffb105f0c47a0a4b067638c08cba064943cd8a7c1e

SHA512
a7c62ae05a90100825b46aab5736667128ccbc82d6b09ff48f441cef60dac15a293ca4f152fa263945317bea2b96bf43956512d8468e84d777d301f5ad3826d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
211B

MD5
2be02ba0c3014d5e926be3ac310cf6e5

SHA1
3d8d59cab2d8db6bdf2cbfedd85e7ec2ac60f90e

SHA256
67e366dca69f1312d5abec484f922aed9267186b2ebbad9165bd8b2b2a525e8e

SHA512
8841f45bf34f2ad7db84fb66307c638bdfbc12e61918cd063a4a934775a0c71245b4ca48ce87f7276d59ba4018d73927f0434cd58675e511f6038073d89112c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
211B

MD5
bfffdb936419a7e4e2bc1571a78dc223

SHA1
9bc2e6a58c759c9af66e04e5c897b11e3ed873cc

SHA256
7515a55c61cdaca46ffb6602e9a990a7bbdc5de2be08cc02b500383a4f1ceacc

SHA512
25a512b2fb94d41aae75b53875edc01970b4acdfe3453542fb033ece6c272c6260f2e0cc16ed16601cbb3af34bb3c3268aa5d20532498cba254e9390438e30a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
211B

MD5
71eef2e8aba1409ee180f885bc3b967d

SHA1
024f6623195abb779c241e3e9b2bf475a4b41a2a

SHA256
26be95dd8b89b6c091dacada053bb78dfc72b67e645064a2328201b2f29d0aae

SHA512
177915061bfce61e50769d35c42d1a3177e1ffff85e6a311239faa41435510bcd4638324d0510f9171267d2efffeac2a760520884616ca8970fbaf70b62a4b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c387064f5f67bbcf88b0833e7f9522b0

SHA1
a5ac1bbeed644cf86913943e3c76282509b8d7d2

SHA256
34d7b511ac6f24d8c00b0bab62c57cb8d2562b5d9e7a7026658bf52de372c698

SHA512
5dd8390195b1a4aa7385ed9ec8ea1fe8d695396539be33ed409112900302e34249f28af0236d647b025165b668eaf986ae35f105295e730849edf585bfec6c90

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/616-311-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1808-371-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2040-790-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2400-491-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2484-69-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2484-68-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-730-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2652-67-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2688-431-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2692-17-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/2692-13-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2692-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2692-15-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2692-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2796-610-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/2988-670-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download