dcrat | e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe
Size

1.3MB
MD5

578c44f2292e6a8853e95dd5fee5410d
SHA1

9d73b0fe1c56289c91df8e7afcfdd2e18ebbd736
SHA256

e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb
SHA512

e457ea2eed1e914f9dfc9fe579be97ba288de03cc738107e4575f6530c48b0e4b28825df3a17699e816cbec1088b4c2e11ef59a34eb2b3733bac606b3093972d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2092	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2092	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016cd7-9.dat	dcrat
behavioral1/memory/2496-13-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2160-160-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/1716-574-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2536-634-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2912-695-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
632	powershell.exe
2416	powershell.exe
2608	powershell.exe
2676	powershell.exe
2704	powershell.exe
2856	powershell.exe
572	powershell.exe
3052	powershell.exe
2492	powershell.exe
1648	powershell.exe
2408	powershell.exe
2820	powershell.exe
2696	powershell.exe
2724	powershell.exe
2884	powershell.exe
1324	powershell.exe
2984	powershell.exe
2684	powershell.exe
2744	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2496	DllCommonsvc.exe
2388	DllCommonsvc.exe
2664	DllCommonsvc.exe
2160	conhost.exe
956	conhost.exe
620	conhost.exe
2884	conhost.exe
2108	conhost.exe
1640	conhost.exe
2932	conhost.exe
1716	conhost.exe
2536	conhost.exe
2912	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\3a6fe29a7ceee6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2408	schtasks.exe
2056	schtasks.exe
2728	schtasks.exe
2540	schtasks.exe
1664	schtasks.exe
2032	schtasks.exe
2248	schtasks.exe
912	schtasks.exe
620	schtasks.exe
1884	schtasks.exe
1620	schtasks.exe
1336	schtasks.exe
2152	schtasks.exe
2708	schtasks.exe
1996	schtasks.exe
2988	schtasks.exe
712	schtasks.exe
1680	schtasks.exe
2740	schtasks.exe
2220	schtasks.exe
2216	schtasks.exe
1792	schtasks.exe
1992	schtasks.exe
900	schtasks.exe
1496	schtasks.exe
3068	schtasks.exe
1776	schtasks.exe
2000	schtasks.exe
2392	schtasks.exe
2244	schtasks.exe
2860	schtasks.exe
2056	schtasks.exe
2548	schtasks.exe
2320	schtasks.exe
1664	schtasks.exe
788	schtasks.exe
1984	schtasks.exe
964	schtasks.exe
1596	schtasks.exe
2060	schtasks.exe
2520	schtasks.exe
924	schtasks.exe
2232	schtasks.exe
1500	schtasks.exe
1592	schtasks.exe
2156	schtasks.exe
972	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2496	DllCommonsvc.exe
2984	powershell.exe
2884	powershell.exe
2704	powershell.exe
2696	powershell.exe
2724	powershell.exe
2388	DllCommonsvc.exe
1648	powershell.exe
1324	powershell.exe
2676	powershell.exe
2684	powershell.exe
3052	powershell.exe
2856	powershell.exe
632	powershell.exe
572	powershell.exe
2492	powershell.exe
2608	powershell.exe
2664	DllCommonsvc.exe
2416	powershell.exe
2820	powershell.exe
2744	powershell.exe
2408	powershell.exe
2160	conhost.exe
956	conhost.exe
620	conhost.exe
2884	conhost.exe
2108	conhost.exe
1640	conhost.exe
2932	conhost.exe
1716	conhost.exe
2536	conhost.exe
2912	conhost.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	DllCommonsvc.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2388	DllCommonsvc.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2664	DllCommonsvc.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2160	conhost.exe
Token: SeDebugPrivilege	956	conhost.exe
Token: SeDebugPrivilege	620	conhost.exe
Token: SeDebugPrivilege	2884	conhost.exe
Token: SeDebugPrivilege	2108	conhost.exe
Token: SeDebugPrivilege	1640	conhost.exe
Token: SeDebugPrivilege	2932	conhost.exe
Token: SeDebugPrivilege	1716	conhost.exe
Token: SeDebugPrivilege	2536	conhost.exe
Token: SeDebugPrivilege	2912	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2540	2520	JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe	30
PID 2520 wrote to memory of 2540	2520	JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe	30
PID 2520 wrote to memory of 2540	2520	JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe	30
PID 2520 wrote to memory of 2540	2520	JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe	30
PID 2540 wrote to memory of 2792	2540	WScript.exe	31
PID 2540 wrote to memory of 2792	2540	WScript.exe	31
PID 2540 wrote to memory of 2792	2540	WScript.exe	31
PID 2540 wrote to memory of 2792	2540	WScript.exe	31
PID 2792 wrote to memory of 2496	2792	cmd.exe	33
PID 2792 wrote to memory of 2496	2792	cmd.exe	33
PID 2792 wrote to memory of 2496	2792	cmd.exe	33
PID 2792 wrote to memory of 2496	2792	cmd.exe	33
PID 2496 wrote to memory of 2696	2496	DllCommonsvc.exe	47
PID 2496 wrote to memory of 2696	2496	DllCommonsvc.exe	47
PID 2496 wrote to memory of 2696	2496	DllCommonsvc.exe	47
PID 2496 wrote to memory of 2704	2496	DllCommonsvc.exe	48
PID 2496 wrote to memory of 2704	2496	DllCommonsvc.exe	48
PID 2496 wrote to memory of 2704	2496	DllCommonsvc.exe	48
PID 2496 wrote to memory of 2724	2496	DllCommonsvc.exe	49
PID 2496 wrote to memory of 2724	2496	DllCommonsvc.exe	49
PID 2496 wrote to memory of 2724	2496	DllCommonsvc.exe	49
PID 2496 wrote to memory of 2884	2496	DllCommonsvc.exe	50
PID 2496 wrote to memory of 2884	2496	DllCommonsvc.exe	50
PID 2496 wrote to memory of 2884	2496	DllCommonsvc.exe	50
PID 2496 wrote to memory of 2984	2496	DllCommonsvc.exe	51
PID 2496 wrote to memory of 2984	2496	DllCommonsvc.exe	51
PID 2496 wrote to memory of 2984	2496	DllCommonsvc.exe	51
PID 2496 wrote to memory of 2388	2496	DllCommonsvc.exe	57
PID 2496 wrote to memory of 2388	2496	DllCommonsvc.exe	57
PID 2496 wrote to memory of 2388	2496	DllCommonsvc.exe	57
PID 2388 wrote to memory of 2856	2388	DllCommonsvc.exe	85
PID 2388 wrote to memory of 2856	2388	DllCommonsvc.exe	85
PID 2388 wrote to memory of 2856	2388	DllCommonsvc.exe	85
PID 2388 wrote to memory of 1324	2388	DllCommonsvc.exe	86
PID 2388 wrote to memory of 1324	2388	DllCommonsvc.exe	86
PID 2388 wrote to memory of 1324	2388	DllCommonsvc.exe	86
PID 2388 wrote to memory of 2684	2388	DllCommonsvc.exe	87
PID 2388 wrote to memory of 2684	2388	DllCommonsvc.exe	87
PID 2388 wrote to memory of 2684	2388	DllCommonsvc.exe	87
PID 2388 wrote to memory of 2492	2388	DllCommonsvc.exe	88
PID 2388 wrote to memory of 2492	2388	DllCommonsvc.exe	88
PID 2388 wrote to memory of 2492	2388	DllCommonsvc.exe	88
PID 2388 wrote to memory of 632	2388	DllCommonsvc.exe	89
PID 2388 wrote to memory of 632	2388	DllCommonsvc.exe	89
PID 2388 wrote to memory of 632	2388	DllCommonsvc.exe	89
PID 2388 wrote to memory of 572	2388	DllCommonsvc.exe	90
PID 2388 wrote to memory of 572	2388	DllCommonsvc.exe	90
PID 2388 wrote to memory of 572	2388	DllCommonsvc.exe	90
PID 2388 wrote to memory of 3052	2388	DllCommonsvc.exe	91
PID 2388 wrote to memory of 3052	2388	DllCommonsvc.exe	91
PID 2388 wrote to memory of 3052	2388	DllCommonsvc.exe	91
PID 2388 wrote to memory of 1648	2388	DllCommonsvc.exe	92
PID 2388 wrote to memory of 1648	2388	DllCommonsvc.exe	92
PID 2388 wrote to memory of 1648	2388	DllCommonsvc.exe	92
PID 2388 wrote to memory of 2676	2388	DllCommonsvc.exe	93
PID 2388 wrote to memory of 2676	2388	DllCommonsvc.exe	93
PID 2388 wrote to memory of 2676	2388	DllCommonsvc.exe	93
PID 2388 wrote to memory of 2608	2388	DllCommonsvc.exe	94
PID 2388 wrote to memory of 2608	2388	DllCommonsvc.exe	94
PID 2388 wrote to memory of 2608	2388	DllCommonsvc.exe	94
PID 2388 wrote to memory of 2664	2388	DllCommonsvc.exe	105
PID 2388 wrote to memory of 2664	2388	DllCommonsvc.exe	105
PID 2388 wrote to memory of 2664	2388	DllCommonsvc.exe	105
PID 2664 wrote to memory of 2408	2664	DllCommonsvc.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1b10607e29f1532e9b58f20f334462bb599badeb313765621539016c73c44fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\lsm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat"
        7⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2728
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        9⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2924
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
        11⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2080
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
        13⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2416
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
        15⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2420
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        17⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:844
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
        19⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2872
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        21⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1132
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
        23⤵
        
        PID:972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1000
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        25⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2104
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\Templates\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa130cc439836a2f54247f572116c80e

SHA1
24c5a63eb64c9d921a8316c2eadaa25053758b33

SHA256
440041495687f1377f37bb5a8dabd56b3395664b6f344e1495404d1b95901ad5

SHA512
aec44f45dd5bc37e13617972b582b1a87860d9349a94b76a5e9c3e924392ece5de15cdc9437e35ffb5277942e971930a3432a9db968b8becf8193cd709afa82e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e061b33f46625aedb472016b98075f50

SHA1
c993341809c7af3fe6c5e33f520f877b0f686801

SHA256
0216e9e9268dee65e4eab8b089a3d1a69e3fdd4779e94be4f936128861d467cb

SHA512
405cc399becbe8a498b86ee00ed356872e9f514a3b858a60eddd0e068e4a293373590ad2ddd14faad38611403e80a14831904d51264cf737840e5ea62faed591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ca6208ef148502f67018ee7a6e3ccdb

SHA1
2f012f9f6c6fe348115f830e4e5404f26b8c27a4

SHA256
ba462e26d6671eec82d52cd94183a935b4320a7f6d660652fd034f2f06e51b0a

SHA512
40889ae331aeeb7c8da9c175d3b5b534903a5d6d732bb79d5b39da407b3f136371e1775c25c2bc39502dab32c9e1199cb3e6a24e85e179aae7073c1b64a95074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebe47a58c835f943a46e32f2c2af93c1

SHA1
632ff2c2cd3497c4f76fcfa86cf58a67015bc1e0

SHA256
81af98bc725ddab9587762e5b517530a036963a97c2e8a619159080ec41f2700

SHA512
e065ff4aa91bcc78f0abf613d975c2d0fe7c2c4d2ce0b51de1524113ace8b357f8dac186b96d1a6c797f6c1c73d7559ab29241017ff819bb725620ba56877d08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18366cf708bf9c4d3d21289f9b0d9d4a

SHA1
e3416f6fa3f229ee74c62d36a5ef8934adcb72c7

SHA256
cfa204f905f909ea6890d5bf5f89a5bc55121e59b0595da80866090ee48d8d3d

SHA512
822569154fbb82b9f3c07f18f327274f337b7ae3bb7e6eb14b9c526411625b64fb561ae52141a86a693bd11ed7b1611dd92962337b436f8a602de6476dd2af2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77f38ba05b0750859965aebb5bb28c8f

SHA1
97380f42bae32fda88169723113a61936eb75f09

SHA256
f4f5da2165c6784c7cfde19cad5ab6210b5c8007a47bc21e4942e3883a4b6f30

SHA512
f80962ddd189529d17e5fac3bf89addb27ce557c7b00211a7962cc85c440f133587bf49f88361ca3e3720ccc579303fec115f04520616f3b839ccfb6e0d894eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
989d83fa31a3889f52d6afbd89e2b0a7

SHA1
3e8a5a1ce6b02052abe3daf70f86f12de715ac5e

SHA256
73445616328e216759738e3b8191f8ac69b426daf0904a0b053a0885ebaa2da6

SHA512
d1a0294f93d28ba35ed70970f883f52b2837c107e77fb3514b8b2b9e7b85a7ba2117295921920815d28707c7c0fc454c7c40490a6905f78a827f8738816464e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72e618b4b471b260cb6b04cd559f9c1e

SHA1
13d02125a77000e8de18e0e56dabd637744e8a4e

SHA256
685c8f081f61bc3fe30a1c8576f042b79e46dec8b9a2df174e02322dd8ba0326

SHA512
511954dd213201eebfdf5f48651e174d9d7d6e9d85e4cfe26b3ee67c0fe8b661a2f54eee58d3a6c37bdc7f12ab8f43074b62391af06914bea247264598e1daf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

Filesize
225B

MD5
f6914d005bb51d7ac8d0a0716180a488

SHA1
3960cc0c81221c983b5ab546d6c3d826105dff19

SHA256
98e469708dcc6836bba5769b2e770520482ff1303d603d26634021fb9892954c

SHA512
bd6766bf9c58498c1a37a8f48e123a38fb96bf231b9723c824cfe8a74d0cbdbdd78c3c7902f501ade3d1289b732dc55e32776a0574c63991b5d52e50014ac777

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
225B

MD5
7165d3eaeb9479c2310c2c67a364d2bf

SHA1
5f8bdb9c3f4179beb36c406cb8de794eac5552a4

SHA256
2da731877ac904e6a3068ed497cb2af6aa6776fa28968bb8c91270479a19c76b

SHA512
d07271e01912cc4a5f4716d3e9999072c6978ef930c2090e2c3934e1fc3a9ddce4b0b3a206548346b2ff855aa50352225b975942793e5af4fc9d727ce22c76d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC63E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat

Filesize
225B

MD5
852e3c9a80f7d9fd15a0320c982885a5

SHA1
f2cc2744c943597be686c4511e39fe610ee4e820

SHA256
9e1845d80142d9371d111f264dd51b7fd87ebc6229c998234bfe937dedf23df1

SHA512
0fdc9322f85ca4086782f425341a53f2a268b803631a5b8b3bb52acbdc9f132f400c1a004f9f48107ae19d220af1e343558a8f3c3a150413c6eda864a44e2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

Filesize
225B

MD5
81bfccc896036375eb1ade0addfff9fd

SHA1
dca8981837eebfbfb44d419b507c2b372ea8cf44

SHA256
a875bac01b47d674a99899771f45f72bc90b6711b83cad603e175d25a9714304

SHA512
eb80b1699e6939f93f9919f8d25e8a10d41bfc0dd1a927092fe949bc4206ae8b8158ad503adda549664cac1ce94166074acbbb3b89dd6196c0f4610a6dd93048

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat

Filesize
225B

MD5
c498590488b92a96c6fee6c3eea2c2a3

SHA1
f25b89c1d697a215eeb7471b4c84990bc0e3d398

SHA256
57f2426b2f068dc54a31f8b015c59f9e8c42416d1841e3bf133bb60dc35552a4

SHA512
2a2109c770bd9034e91672e3e89597591b7c72f13645822cf84b91a0dcf3c4355a773b5f85bcada560512eb848418b101924d7cd12d75fcb4d7905f5bf1f9320

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
225B

MD5
699004e85e0c57165d30768d47c13173

SHA1
5335e9b5c0c0f4e859927b73eb029945a043df09

SHA256
4601f5da57534df68b3f7fac8b590266560ee75abdafafd9166b9893510f9967

SHA512
b30c6f8f52bd53c56706b6570a094f58b2193a782f3bc7fe549a6015a2d6a0d8e90461e291987989646309e9b9896bb610cf3e1c2d3b429350b56884f2226ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC650.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
225B

MD5
889d0afa51e95eea4c725d2d2e1379f7

SHA1
06635f5d206dcd0eac8fa6bd5674ad1f6dd83e3a

SHA256
c8ef6b982f2c593c8cddaa31621fa4a398a0dbf8d7e30a75b125adfdfc40d6f9

SHA512
ce2273e84a6af6bb83ea852171993f81a1a79c888ee25de2d6f0a995a37d94fb9013bd1f08c7660ccdbdb1e3348b5ade182e01081ae66db7a74b05572f4d6e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

Filesize
225B

MD5
cf27345af509766660d92d57d172c309

SHA1
efb31605005d50107ce1bc911acf1b353909dd69

SHA256
c8075709a4b43560e05389df09ab9d4c02a79efc5bcd808451912fd64fb262c6

SHA512
4347452103bf9d8f76b9772e095c6315f60c14ff4ab33f5b19f34a0e3d89f3521da84db3627f4b329118e2eadf8a386b656c7ec0330d1f2579e9288a23e9848f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
225B

MD5
6c70821cffa0d618bbfd18f675b30ec3

SHA1
f673d72c8ac65891bc50b7e38dae887a86eccb6c

SHA256
927e81099821a3a24b554d64f269cbd6728a9ea238e5205c4ad46c9f248049e0

SHA512
478bf693d6c696d58852a4c04aa314622dc2a21a04ca9eeef4f0714f20cd76dcb2eed4f15e12e5aec64725f26f2e2176b91e87c0fe013b94728fa9c9c9eca4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat

Filesize
225B

MD5
ccb7f20daffeb02318536fb507dd4f89

SHA1
9d5a1b0270f4e786467399e9e2cca1b4508c8dad

SHA256
c83c3a85a3ba5cdc92f4379cb7d487256429adb0a386debff86b541e0ee3f895

SHA512
b62fc4be25ae6b229002eee5182ea2079dbdf360d7cee6cba4ffae4b6183c98a9e1a53238e498262c4a6348d879ca145c919bf392b809fcdd49cc0f5cce28fad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6c719585272fce2de4e695b941dd04b

SHA1
3113e6069998e61e2007a26c7efe64bb64b45976

SHA256
f5e79172768bec883c0881bb1b7d746dede2c7dd0ba63c3e5d02c262b0079d9a

SHA512
b47b89f4cdc20fbfc8a614a978177d409660c31f1bfaa53cffadad0babc22051a36aafea6787a0293fd75c72d2db68fc4fe785dba2f0261c7ce24ef1aef7eb64

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/620-278-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/1648-84-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1648-85-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1716-574-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2160-160-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/2388-53-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2416-145-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2416-147-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2496-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2496-15-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2496-16-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2496-14-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2496-13-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-634-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-635-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2884-41-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2912-695-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2984-46-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download