dcrat | c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe
Size

1.3MB
MD5

8620e966c9d7d91198c131918dac6d78
SHA1

e9ee4c7006a2118c142e9e545f10b89a3997e26d
SHA256

c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef
SHA512

2511eedd4b1cd80a6c2a9184a80de9ef73b19aa8f04762c9d6ecd97484cebc01319efc326f0655b2559cb96e6d9609fa9fe9544fbf799e167fcd1bec845133f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2560	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018b68-12.dat	dcrat
behavioral1/memory/2580-13-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1764-58-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1536-209-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1724-269-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/1164-508-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1900-568-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2848-687-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/1864-748-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/3068-808-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1936	powershell.exe
2616	powershell.exe
2652	powershell.exe
2640	powershell.exe
3040	powershell.exe
2544	powershell.exe
2184	powershell.exe
2308	powershell.exe
2592	powershell.exe
2604	powershell.exe
2060	powershell.exe
2628	powershell.exe
2540	powershell.exe
2876	powershell.exe
812	powershell.exe
1164	powershell.exe
2656	powershell.exe
1760	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2580	DllCommonsvc.exe
1764	conhost.exe
1536	conhost.exe
1724	conhost.exe
1676	conhost.exe
2244	conhost.exe
2084	conhost.exe
1164	conhost.exe
1900	conhost.exe
2052	conhost.exe
2848	conhost.exe
1864	conhost.exe
3068	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2572	cmd.exe
2572	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
32	raw.githubusercontent.com
38	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2196	schtasks.exe
356	schtasks.exe
2632	schtasks.exe
2344	schtasks.exe
2568	schtasks.exe
2988	schtasks.exe
1892	schtasks.exe
2872	schtasks.exe
1428	schtasks.exe
2380	schtasks.exe
1136	schtasks.exe
1524	schtasks.exe
2264	schtasks.exe
1668	schtasks.exe
2032	schtasks.exe
1888	schtasks.exe
2624	schtasks.exe
1552	schtasks.exe
2356	schtasks.exe
1820	schtasks.exe
2052	schtasks.exe
1564	schtasks.exe
2804	schtasks.exe
2812	schtasks.exe
1072	schtasks.exe
2096	schtasks.exe
2848	schtasks.exe
880	schtasks.exe
1356	schtasks.exe
2476	schtasks.exe
2956	schtasks.exe
1720	schtasks.exe
1944	schtasks.exe
1276	schtasks.exe
1220	schtasks.exe
2080	schtasks.exe
1516	schtasks.exe
2108	schtasks.exe
2000	schtasks.exe
920	schtasks.exe
1660	schtasks.exe
1212	schtasks.exe
320	schtasks.exe
1884	schtasks.exe
1036	schtasks.exe
2040	schtasks.exe
2936	schtasks.exe
2012	schtasks.exe
1808	schtasks.exe
1160	schtasks.exe
2904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2184	powershell.exe
2628	powershell.exe
2540	powershell.exe
2308	powershell.exe
1936	powershell.exe
2640	powershell.exe
2604	powershell.exe
2876	powershell.exe
2060	powershell.exe
2652	powershell.exe
2544	powershell.exe
812	powershell.exe
2656	powershell.exe
1760	powershell.exe
2616	powershell.exe
1164	powershell.exe
2592	powershell.exe
3040	powershell.exe
1764	conhost.exe
1536	conhost.exe
1724	conhost.exe
1676	conhost.exe
2244	conhost.exe
2084	conhost.exe
1164	conhost.exe
1900	conhost.exe
2052	conhost.exe
2848	conhost.exe
1864	conhost.exe
3068	conhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	DllCommonsvc.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1764	conhost.exe
Token: SeDebugPrivilege	1536	conhost.exe
Token: SeDebugPrivilege	1724	conhost.exe
Token: SeDebugPrivilege	1676	conhost.exe
Token: SeDebugPrivilege	2244	conhost.exe
Token: SeDebugPrivilege	2084	conhost.exe
Token: SeDebugPrivilege	1164	conhost.exe
Token: SeDebugPrivilege	1900	conhost.exe
Token: SeDebugPrivilege	2052	conhost.exe
Token: SeDebugPrivilege	2848	conhost.exe
Token: SeDebugPrivilege	1864	conhost.exe
Token: SeDebugPrivilege	3068	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 812	1164	JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe	29
PID 1164 wrote to memory of 812	1164	JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe	29
PID 1164 wrote to memory of 812	1164	JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe	29
PID 1164 wrote to memory of 812	1164	JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe	29
PID 812 wrote to memory of 2572	812	WScript.exe	30
PID 812 wrote to memory of 2572	812	WScript.exe	30
PID 812 wrote to memory of 2572	812	WScript.exe	30
PID 812 wrote to memory of 2572	812	WScript.exe	30
PID 2572 wrote to memory of 2580	2572	cmd.exe	32
PID 2572 wrote to memory of 2580	2572	cmd.exe	32
PID 2572 wrote to memory of 2580	2572	cmd.exe	32
PID 2572 wrote to memory of 2580	2572	cmd.exe	32
PID 2580 wrote to memory of 2628	2580	DllCommonsvc.exe	85
PID 2580 wrote to memory of 2628	2580	DllCommonsvc.exe	85
PID 2580 wrote to memory of 2628	2580	DllCommonsvc.exe	85
PID 2580 wrote to memory of 2184	2580	DllCommonsvc.exe	86
PID 2580 wrote to memory of 2184	2580	DllCommonsvc.exe	86
PID 2580 wrote to memory of 2184	2580	DllCommonsvc.exe	86
PID 2580 wrote to memory of 2308	2580	DllCommonsvc.exe	87
PID 2580 wrote to memory of 2308	2580	DllCommonsvc.exe	87
PID 2580 wrote to memory of 2308	2580	DllCommonsvc.exe	87
PID 2580 wrote to memory of 1936	2580	DllCommonsvc.exe	88
PID 2580 wrote to memory of 1936	2580	DllCommonsvc.exe	88
PID 2580 wrote to memory of 1936	2580	DllCommonsvc.exe	88
PID 2580 wrote to memory of 2540	2580	DllCommonsvc.exe	89
PID 2580 wrote to memory of 2540	2580	DllCommonsvc.exe	89
PID 2580 wrote to memory of 2540	2580	DllCommonsvc.exe	89
PID 2580 wrote to memory of 1164	2580	DllCommonsvc.exe	90
PID 2580 wrote to memory of 1164	2580	DllCommonsvc.exe	90
PID 2580 wrote to memory of 1164	2580	DllCommonsvc.exe	90
PID 2580 wrote to memory of 2656	2580	DllCommonsvc.exe	91
PID 2580 wrote to memory of 2656	2580	DllCommonsvc.exe	91
PID 2580 wrote to memory of 2656	2580	DllCommonsvc.exe	91
PID 2580 wrote to memory of 2592	2580	DllCommonsvc.exe	92
PID 2580 wrote to memory of 2592	2580	DllCommonsvc.exe	92
PID 2580 wrote to memory of 2592	2580	DllCommonsvc.exe	92
PID 2580 wrote to memory of 2876	2580	DllCommonsvc.exe	93
PID 2580 wrote to memory of 2876	2580	DllCommonsvc.exe	93
PID 2580 wrote to memory of 2876	2580	DllCommonsvc.exe	93
PID 2580 wrote to memory of 2604	2580	DllCommonsvc.exe	94
PID 2580 wrote to memory of 2604	2580	DllCommonsvc.exe	94
PID 2580 wrote to memory of 2604	2580	DllCommonsvc.exe	94
PID 2580 wrote to memory of 1760	2580	DllCommonsvc.exe	95
PID 2580 wrote to memory of 1760	2580	DllCommonsvc.exe	95
PID 2580 wrote to memory of 1760	2580	DllCommonsvc.exe	95
PID 2580 wrote to memory of 2652	2580	DllCommonsvc.exe	96
PID 2580 wrote to memory of 2652	2580	DllCommonsvc.exe	96
PID 2580 wrote to memory of 2652	2580	DllCommonsvc.exe	96
PID 2580 wrote to memory of 812	2580	DllCommonsvc.exe	97
PID 2580 wrote to memory of 812	2580	DllCommonsvc.exe	97
PID 2580 wrote to memory of 812	2580	DllCommonsvc.exe	97
PID 2580 wrote to memory of 2640	2580	DllCommonsvc.exe	98
PID 2580 wrote to memory of 2640	2580	DllCommonsvc.exe	98
PID 2580 wrote to memory of 2640	2580	DllCommonsvc.exe	98
PID 2580 wrote to memory of 3040	2580	DllCommonsvc.exe	99
PID 2580 wrote to memory of 3040	2580	DllCommonsvc.exe	99
PID 2580 wrote to memory of 3040	2580	DllCommonsvc.exe	99
PID 2580 wrote to memory of 2060	2580	DllCommonsvc.exe	100
PID 2580 wrote to memory of 2060	2580	DllCommonsvc.exe	100
PID 2580 wrote to memory of 2060	2580	DllCommonsvc.exe	100
PID 2580 wrote to memory of 2544	2580	DllCommonsvc.exe	101
PID 2580 wrote to memory of 2544	2580	DllCommonsvc.exe	101
PID 2580 wrote to memory of 2544	2580	DllCommonsvc.exe	101
PID 2580 wrote to memory of 2616	2580	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1f9bfb2680d384b5c95445c527580cff01e2f5e16150027430d9d57224823ef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        6⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2036
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        8⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1292
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        10⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1652
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        12⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2736
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        14⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2936
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        16⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:564
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
        18⤵
        
        PID:1032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1920
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        20⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2892
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        22⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1168
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        24⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:880
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        26⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1992
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0209b15765700851d2e1a38c37928a2

SHA1
a6f3b104324b822a0e9f59dbe52f5b53af334bfb

SHA256
ee3cb1182220b0a708630509ffe3ca316bd7af8f75f7f6a4ddb6161fae7edfa0

SHA512
7ede9493c34d629bee7f80a5c772b4adcdb09e842037db67a978633d354853384e7da32b746fdd98c5671e2f12e1e4654fec633afb83cb475630c51a824d43db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d29b5057d633147e8a651d244ac7971

SHA1
44590c4d4dc053aead4a0fc9ced4002df11381aa

SHA256
7a97e9ef35df2602d7de6751fe356f7ae29eec100588e279af2a4b1e9a125157

SHA512
1034fd883a6921a2ac06bddef0835717b821c445e3bf3056fab722ba4ffe3322e731f13901ea1dde7e20e4e737a48280c639c9486f2856b1612f75ffef2d14d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f5df07f76890b41ac67fc160b41cb51

SHA1
fe08352c1ad1b3751d7adead3f601bab63df1759

SHA256
6928a8f01c5196094e77f81235b439dbc7be58db6cffa0aa72c14498df77c531

SHA512
1de45c9c0216bcc545ba6806de48b4d4258166b48faaf8e9fa4b0f699e45f290c27ea06113778415baa874fd2eaaaf12709bfd6ba40b5e0c920d9492df20e420

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed2652e706aaa1d9035fbb7d3ec0c67c

SHA1
56fa453c72071b032d5a04d97c69e3bc2b089c92

SHA256
c6caa2106506a01ad3787bf8fa37708ed1b11d30481b6adf922704a7f991e086

SHA512
4df19690f5bda92ca0726c71814f50a9cebbb24539b119369880abfb8c7abaf74ef4454b29d48220fc80c5576b9e51f4c0204af602dc0c7e50461b6cd53b54ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b1d19970d2cdff0fcd11335c6458dae

SHA1
21ef87234e11f696eaaad0ad3d7031b4a0065374

SHA256
a36d54579059b42876a591e53e03e6a9e65d41a81439e849691b99f9e3603199

SHA512
6df40e7f30a29a2fea438b997892e5468d2bc1b0129e2e408216b045db0dd8187274ba431d33b839a22f4b750c1c150e70f874aad1517e9a5557a819a3532b9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92ff732aa2199ede2a154cb0fe537bcd

SHA1
2c864a88bea0a12bb989c69455b35eb98f990dc9

SHA256
62aa68628d65420251e9a2d1cc05a9f07aaf98fb574e5b9f351ab53144a4fb09

SHA512
ecf3f10e9cc5589b52711c44c5a5529aa65e09cd71273a3fd092fe8a4eb197474e5dfa7892462ce2f5acb0fd192299fc69b75232073275668dbe80eed84bd50c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
177aa554d0d19725cc2fc8d5abe4f36b

SHA1
dcb7b5641d659d1e10339df1cb847f9085506032

SHA256
4fd61b655f543e6e304d309e94120cf2fdb2084393433c2049d8419bb8bedc7a

SHA512
bde2d84751ea58c1f56c176f83a7472ac21f13b4d74cd1ccc78c9df1bd2a47e9973758f9eb43e4bb2c15173ff0b4f6996f3296fd12189b85516ff8c6c466ffbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2113f10ed056110a19dc60e4ad536580

SHA1
07f81a62d364ab152fb152d4eb9cf12c6391655d

SHA256
3866c9bd4b40b8092bb126e6947b42915c14aa5146ab359be37098caa45026f6

SHA512
ac2b8bc82c9912d2a5b50f7c0c265c17c7d318afea36c5a809e66629a1f2fc167bdc1f0bbc095c3f60e2fbd7f65173395643cf92081206188f7328b73a8f347e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26192e96e8df3c6cda64e3f9887f693f

SHA1
bcc8dae7c59ed87327ad84cf122a3711018c5dbe

SHA256
00208cbd8b5e0d4998900c4c171c2e18c528c78bcb2b2d9f2bf84841275751a0

SHA512
7feabaa50baad34b3cbfaae62937af13201afbd17d4de5033cafdd9f94b5d724350d0fc5ebee60225389e8ea9a6aa88fd5d114816cb70257bee1dd74c81353c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f5b36bd889c65a9a9deeabb8af18eee

SHA1
dae07d25dff3d4041948e5768b39522702459371

SHA256
189f6d37bc1c54626b46cf417ca6c7d8b50ac41c129289b3faf261a29cb49bae

SHA512
a9ed96c15af4c8b3b953c8d4fb63603b02b74d8c85d0e3047c8be1ef99362ee8fded809f95ae5263b769ad111db968038c3754d91945497dfefc69df8f9960d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

Filesize
225B

MD5
d610f3ed72d9e61f2c008a60e1f8d9d4

SHA1
37817befc52cf4173ec3f415332a0f916f7249bf

SHA256
ce99f176f19119e49b1f48c8ad65901ff7b4eb78382b6fa948ff7ed863803ec5

SHA512
221b2ffe76859e4feefebd631275bad7624faea11cecae5a7d2482db30f0bf937a71e4bd88e236847fc2ae689636710271c6cb4fcde3ea87fb3d922b383fe316

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A00.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
225B

MD5
4236911bd30aa8bfb1d8ecbcc3c019b5

SHA1
9b3b290eed1e421cf14a15bb75eb2a417310dc18

SHA256
6dbd0842276f09f9974922c2d0cc9cf26a35f0355c7ac7594f05950fe3f44770

SHA512
305723078dd4f8f6c14d4b9cdb7d4fd0ac615da74a89a73cdca26e75b68bb1f081c6a41b8bdb56c2f5dc8f65cad9bc8c2987360c09b4df34cff8199f28e1733c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A22.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
225B

MD5
0476b6999e1d690e8b9104f9ab8d7ca1

SHA1
f00439297370618391a2fceeffc61a9678124e00

SHA256
415494161e6c0b96eb9e8730f23168ac6da000bf417052746602fd3fd70a7956

SHA512
972e9e8ae5cd7f015e2b7294c1d7080529996e06edb85b9035f61a06a7fb9942f8bd341d74a20e2a381ee1bc4775bea19005c078df10d14961a53b6c00015503

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
225B

MD5
15cc9b3d0bf48945d8b180ba618699f9

SHA1
4da4ab5499b5f09bdda67f30961b80bcd3896691

SHA256
480e3e6efc80d882366faa76b7c38708f46067eef2e4ecf980ad2e7a7df3db82

SHA512
1d120c9a2e6dde5fea4a554da3cf04bb21543d2e3086e1687fab5d3c7476e6105d656f51fc762dcf74fefe9d60ccfa126016ecbea34635a4944bb2bc77de5f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
225B

MD5
010feab215fd9b7c5f1a9465bdc6c989

SHA1
95c6cb3bb56eb29647f10e6dfee15dc0461a33c5

SHA256
f4538989a36d7148ecbf91f19ccda03d032ec7dc41bfc44d656edee8ff3be7af

SHA512
02eccbdea3f55bc8ab1e7d91d69777e6455f8b36c71d8aa25cbd4813eb6b02c800114aeaf46b72402c4c4a2839c233adad30220ae5730a526c4ab5657570e83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
225B

MD5
6969916424610dbf7fc71f35e8f6c7ce

SHA1
466f7e73161de31bb59ca8898a46b4919978b776

SHA256
60f55fb5e3a3150df16d707f4fcce0c8500d0bc03ff29ceb04d2fba3a83bf887

SHA512
41a78246b35713f3c1d37f18bd9fa4ff8da74243218a78fb80d63bac2934ac0c2f483ac10159b551b9b05cf8ac9b988a1118a65c15a375e85f6372647d41101f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

Filesize
225B

MD5
724102a2727cbc2df0e7639f2209ad26

SHA1
18cf8977a3fe6a8a015a08327f911223a2f71a4d

SHA256
afe951b902bbbcbccf5d551937084bb1fa75b420726755b144818b7919b58fed

SHA512
8238398672ea9ccf5caf6b646d9f563ea42ad03e7ed5dcbf69867cfb976e785ffccd1d622f0106dc9175fdbcf2c52bf8092d55f8589ba44bf056fe46c4214d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
225B

MD5
63d69baf4458919b2f2d1e591375c36b

SHA1
e782613c559c50018710a89ad2011f457718cecc

SHA256
aababaf537f0f2a2758bdf5ac7e7c6188cbbf5b512797ed146ffd381971e7e5a

SHA512
b0d8182dd1b897bbd4bcd4d3fde6ef157f3dfe14b62b4f9266374722145e0be75740912be254e77df246471dfa21ad896e79c98c8ab55ae7822e082e8317cd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
225B

MD5
25e22e2fd4dc1ebd3528992af723b99f

SHA1
1dd2196b1b9596fd68468f4edf521a165e005c4e

SHA256
8e6c5696542140a4b4381451fe9f7df7e59a1d2ec98980713e1dd858976a7a75

SHA512
87db4966e21dc448fb0653c333cad24e1426caf34b295b9d175b014873b36a520c0047a79ba3c4170925e28ad75bea9765d9044356dbbfdf987df1873062d829

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
225B

MD5
070a32f6cf572bf155674e6e1d490635

SHA1
add037f2e1fe7cf0e82e52b98e02d65425dfb0e8

SHA256
ecfca96bc2265da2606708a7a9d4fae95beb423374d2e8b66e23da75d31d68f1

SHA512
869bdda25a8af8ad1af946408d9d2a9a1e7823561a4acf3fd8d18353f2b1076401fdab95886ecb804e4d718c4d2cd1a102ab1eae0c16e1860b8a767f6d6ef4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
225B

MD5
111ef7f305a9fc54aa0e644538e7b62f

SHA1
64e79c35a1fd385d907939f0f3446f2c18c32610

SHA256
35fa4caf6a61a9577c2b82b225e8a4ee3c7d46d1046770bacd7bb866731f9cd7

SHA512
7717119e4724f1909a1dbfbd11b1f7932c9b2e36674719a5f24c08057779d6ea5104e93668e5077b7b15c1e8915037ad34715ecd7a24d3a49bbbcca82958d9e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
31a5a1b50989b523bca8687342db373f

SHA1
b06197aadbc478effc9dacf56e492aaaf0e80470

SHA256
10a970e84b7dd9b88b45ad96649cddd6690b3e52eb51e32f4e21e31a56944ab2

SHA512
9af894dbc6bb38fd0eb84d912829b4df6a3f4e98c9c8bef72e41149e384b01a12544b51956cec2c22dbf28ae42b8c259ccbeddf8800771ece0287be307d0ce7a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1164-508-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1536-209-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1676-329-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1724-269-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/1764-150-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1764-58-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1864-748-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1900-568-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2184-68-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2184-70-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2244-389-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2580-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2580-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2580-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2580-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2580-13-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2848-687-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2848-688-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/3068-808-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download