dcrat | 299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe
Size

1.3MB
MD5

784636c23350d79545d60c9e7d03ac84
SHA1

34e7d83c691f67d9261938a2ad0aaa80c578fe6f
SHA256

299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096
SHA512

22a10d3681b547bd4401d78562bd12ea479b536024bf0b4ed8574a17b6604362a0f1327034aa1d18b5f5a2beea37d45d5c20bac8694aacb4785a3923b448bdbe
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2804	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-9.dat	dcrat
behavioral1/memory/2480-13-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/1356-150-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/2996-209-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1388-270-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1728-331-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/2772-391-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/1804-451-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/272-631-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1576-691-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2928	powershell.exe
2680	powershell.exe
2500	powershell.exe
2656	powershell.exe
2952	powershell.exe
2496	powershell.exe
2908	powershell.exe
2912	powershell.exe
1388	powershell.exe
1972	powershell.exe
2424	powershell.exe
2164	powershell.exe
2924	powershell.exe
2724	powershell.exe
2980	powershell.exe
2584	powershell.exe
2528	powershell.exe
1320	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2480	DllCommonsvc.exe
1356	Idle.exe
2996	Idle.exe
1388	Idle.exe
1728	Idle.exe
2772	Idle.exe
1804	Idle.exe
1788	Idle.exe
2904	Idle.exe
272	Idle.exe
1576	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	cmd.exe
2016	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\System\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1708	schtasks.exe
748	schtasks.exe
1268	schtasks.exe
1356	schtasks.exe
2740	schtasks.exe
1264	schtasks.exe
1932	schtasks.exe
2880	schtasks.exe
2184	schtasks.exe
264	schtasks.exe
2228	schtasks.exe
2648	schtasks.exe
1256	schtasks.exe
1540	schtasks.exe
1608	schtasks.exe
3052	schtasks.exe
896	schtasks.exe
2544	schtasks.exe
1248	schtasks.exe
2768	schtasks.exe
2704	schtasks.exe
2748	schtasks.exe
1340	schtasks.exe
2476	schtasks.exe
1624	schtasks.exe
2700	schtasks.exe
1148	schtasks.exe
1752	schtasks.exe
2140	schtasks.exe
1660	schtasks.exe
1996	schtasks.exe
2548	schtasks.exe
2996	schtasks.exe
2324	schtasks.exe
276	schtasks.exe
2968	schtasks.exe
1868	schtasks.exe
1036	schtasks.exe
1008	schtasks.exe
2360	schtasks.exe
1556	schtasks.exe
1740	schtasks.exe
2412	schtasks.exe
1604	schtasks.exe
3040	schtasks.exe
3012	schtasks.exe
1528	schtasks.exe
2316	schtasks.exe
1796	schtasks.exe
556	schtasks.exe
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2480	DllCommonsvc.exe
2528	powershell.exe
2584	powershell.exe
2908	powershell.exe
2424	powershell.exe
2980	powershell.exe
1320	powershell.exe
2724	powershell.exe
2164	powershell.exe
2912	powershell.exe
2656	powershell.exe
1388	powershell.exe
2952	powershell.exe
2924	powershell.exe
2680	powershell.exe
2500	powershell.exe
2928	powershell.exe
1972	powershell.exe
2496	powershell.exe
1356	Idle.exe
2996	Idle.exe
1388	Idle.exe
1728	Idle.exe
2772	Idle.exe
1804	Idle.exe
1788	Idle.exe
2904	Idle.exe
272	Idle.exe
1576	Idle.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	DllCommonsvc.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1356	Idle.exe
Token: SeDebugPrivilege	2996	Idle.exe
Token: SeDebugPrivilege	1388	Idle.exe
Token: SeDebugPrivilege	1728	Idle.exe
Token: SeDebugPrivilege	2772	Idle.exe
Token: SeDebugPrivilege	1804	Idle.exe
Token: SeDebugPrivilege	1788	Idle.exe
Token: SeDebugPrivilege	2904	Idle.exe
Token: SeDebugPrivilege	272	Idle.exe
Token: SeDebugPrivilege	1576	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2620	2564	JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe	30
PID 2564 wrote to memory of 2620	2564	JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe	30
PID 2564 wrote to memory of 2620	2564	JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe	30
PID 2564 wrote to memory of 2620	2564	JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe	30
PID 2620 wrote to memory of 2016	2620	WScript.exe	31
PID 2620 wrote to memory of 2016	2620	WScript.exe	31
PID 2620 wrote to memory of 2016	2620	WScript.exe	31
PID 2620 wrote to memory of 2016	2620	WScript.exe	31
PID 2016 wrote to memory of 2480	2016	cmd.exe	33
PID 2016 wrote to memory of 2480	2016	cmd.exe	33
PID 2016 wrote to memory of 2480	2016	cmd.exe	33
PID 2016 wrote to memory of 2480	2016	cmd.exe	33
PID 2480 wrote to memory of 2584	2480	DllCommonsvc.exe	86
PID 2480 wrote to memory of 2584	2480	DllCommonsvc.exe	86
PID 2480 wrote to memory of 2584	2480	DllCommonsvc.exe	86
PID 2480 wrote to memory of 2528	2480	DllCommonsvc.exe	87
PID 2480 wrote to memory of 2528	2480	DllCommonsvc.exe	87
PID 2480 wrote to memory of 2528	2480	DllCommonsvc.exe	87
PID 2480 wrote to memory of 1320	2480	DllCommonsvc.exe	88
PID 2480 wrote to memory of 1320	2480	DllCommonsvc.exe	88
PID 2480 wrote to memory of 1320	2480	DllCommonsvc.exe	88
PID 2480 wrote to memory of 2500	2480	DllCommonsvc.exe	90
PID 2480 wrote to memory of 2500	2480	DllCommonsvc.exe	90
PID 2480 wrote to memory of 2500	2480	DllCommonsvc.exe	90
PID 2480 wrote to memory of 1972	2480	DllCommonsvc.exe	91
PID 2480 wrote to memory of 1972	2480	DllCommonsvc.exe	91
PID 2480 wrote to memory of 1972	2480	DllCommonsvc.exe	91
PID 2480 wrote to memory of 2424	2480	DllCommonsvc.exe	93
PID 2480 wrote to memory of 2424	2480	DllCommonsvc.exe	93
PID 2480 wrote to memory of 2424	2480	DllCommonsvc.exe	93
PID 2480 wrote to memory of 2164	2480	DllCommonsvc.exe	94
PID 2480 wrote to memory of 2164	2480	DllCommonsvc.exe	94
PID 2480 wrote to memory of 2164	2480	DllCommonsvc.exe	94
PID 2480 wrote to memory of 2496	2480	DllCommonsvc.exe	95
PID 2480 wrote to memory of 2496	2480	DllCommonsvc.exe	95
PID 2480 wrote to memory of 2496	2480	DllCommonsvc.exe	95
PID 2480 wrote to memory of 2908	2480	DllCommonsvc.exe	96
PID 2480 wrote to memory of 2908	2480	DllCommonsvc.exe	96
PID 2480 wrote to memory of 2908	2480	DllCommonsvc.exe	96
PID 2480 wrote to memory of 2912	2480	DllCommonsvc.exe	97
PID 2480 wrote to memory of 2912	2480	DllCommonsvc.exe	97
PID 2480 wrote to memory of 2912	2480	DllCommonsvc.exe	97
PID 2480 wrote to memory of 2924	2480	DllCommonsvc.exe	98
PID 2480 wrote to memory of 2924	2480	DllCommonsvc.exe	98
PID 2480 wrote to memory of 2924	2480	DllCommonsvc.exe	98
PID 2480 wrote to memory of 2928	2480	DllCommonsvc.exe	99
PID 2480 wrote to memory of 2928	2480	DllCommonsvc.exe	99
PID 2480 wrote to memory of 2928	2480	DllCommonsvc.exe	99
PID 2480 wrote to memory of 2980	2480	DllCommonsvc.exe	100
PID 2480 wrote to memory of 2980	2480	DllCommonsvc.exe	100
PID 2480 wrote to memory of 2980	2480	DllCommonsvc.exe	100
PID 2480 wrote to memory of 2952	2480	DllCommonsvc.exe	101
PID 2480 wrote to memory of 2952	2480	DllCommonsvc.exe	101
PID 2480 wrote to memory of 2952	2480	DllCommonsvc.exe	101
PID 2480 wrote to memory of 2680	2480	DllCommonsvc.exe	104
PID 2480 wrote to memory of 2680	2480	DllCommonsvc.exe	104
PID 2480 wrote to memory of 2680	2480	DllCommonsvc.exe	104
PID 2480 wrote to memory of 2656	2480	DllCommonsvc.exe	105
PID 2480 wrote to memory of 2656	2480	DllCommonsvc.exe	105
PID 2480 wrote to memory of 2656	2480	DllCommonsvc.exe	105
PID 2480 wrote to memory of 2724	2480	DllCommonsvc.exe	107
PID 2480 wrote to memory of 2724	2480	DllCommonsvc.exe	107
PID 2480 wrote to memory of 2724	2480	DllCommonsvc.exe	107
PID 2480 wrote to memory of 1388	2480	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_299b6034faaafe88cccdee2c92a51c7aefb795fe00fee209984266f7110d0096.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uIgpLPBTwX.bat"
        5⤵
        
        PID:2752
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1672
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        7⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2864
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        9⤵
        
        PID:1268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1804
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        11⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2752
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        13⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2708
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        15⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2076
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        17⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2040
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        19⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:796
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        21⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2984
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
        23⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:436
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc120dc071007d6e21788b13a25858c8

SHA1
bea9aeb91bd4a9cb419fa2a6b1d1ad7f20e63b6b

SHA256
fcf5f1ac9ba639f8e83be72cb00788cd3cedb2968235a2e914f7696d2c2425ad

SHA512
34eeaf4163d7c23f10339fcc2a3d3732b9daa72bae4bee47b89b316440db13b7beac45645b4748c3b63cc7c4546abf1db684d5dd51b3670be794cbf73da33ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa26cf6647fa48589cf58a698361671e

SHA1
b91eb25476aa46c45dd769f6c5b47b3981410917

SHA256
8064a252519310fd96c38a52e6e13944a07a947463c3c0ce0e9240a640f3debc

SHA512
e82da717c9b06af87255c68ac3ef09de7a445d6b9ca4ddd3150b8cd099f2dde28893d610265479ae2691b07975999d2c9f2d122d2709721d3ba0562dd3c26f37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6765ef8602d766e8fe44fde2e85327f

SHA1
a5bb76dfc2cb6a4699c2a032fbb5018640d8464d

SHA256
70e764ad51cf35ccf40df7cd29314f9ff0cded22afc95d9b01e2f961d2a020b1

SHA512
b2cfb7d1d9978d8fcc84b28365aa35110c24c53f78b90038ca8a5468aa2decfc2a5fc15dd9925d9e422984dc21ba7abbaa9f00d92999560a836d2d3ba3a5548a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
441ff0f2b53f05bb97bcb7c9e851a258

SHA1
9814651f6f3f495e0565b0db94f9e1e549d14520

SHA256
740037ef00b4f594af9efab502d8523da35e223be367b0bc55487a7e165bc28f

SHA512
d3d0aaf138a77804b73ff81f4339fb3ac63591d47034de7f9c71c91664ad19bd0ca0a05cc5c7baf6ce52f0fffe3706d9cbcfc7bdc574aeebbbd7dcd19a43553c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
606d7e445b49b4c7cf68ba62733468ec

SHA1
d163fdd5ee957e9819397fdde2c6d7521d497ea5

SHA256
6e74cb30381997bbd2c15f5d4b81ff519060c8178f2fd2a7c3d07ac01ef9746d

SHA512
d859137c4a615ebed3ade8a0d343cb2f436de7201e182217b4323bc903580d18fd1026839ca698d4c0693c50af95e12b161685470ebc6ae1a15e698fd078f97e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
389e01c80c35b7856857f0d248476337

SHA1
70a7dd2df100bd465b5923155bef7c52ae662c4c

SHA256
02c2fa72cb2a8c8020708f2994c291fdfa672e89c9eb7f226cdaf7c27df12a8c

SHA512
fb0585770ae4a6182e0d76ab61e8882e8623697f6f6c81a00c9b0f1f658baee85fa4a9bc9e334f6e100c971d792ec20bc30ad135040e43616f948d149af07236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
769dff9a7adbda574d6332386194f0ad

SHA1
ed94146a35869c41412d5a3c327522d1d6a6dc9a

SHA256
6d296bfcb9341628fab3efa1e212fffa3d94ce270d30eec019a71d525fdd854f

SHA512
8bde86217740288fa7dd8c5a22f2fca87623f3969f8a9c27fb73bc22b708597b66dcaea7edfbfce755bf5fab5fc5b80a526de8cbefada968ba348fa1e5432a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8578a7ed078f7cf4293e413691f0dd6

SHA1
05bcfc49a1cebba8c1eb7af9a6150c30829fc29d

SHA256
ab7fa73f2c822c39006a6c6b33da0a4c344e2e493ff75f500a9ec8f40471529b

SHA512
a776019b6cda6b300171f86e04980868b66a59b4629d05896087433adb8b2cb0983cdfbaeb9c7a727acb0b863e4917028597c9717f4b768e3cbcf7159f889fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
222B

MD5
4c460aa83bbfb4a4a8029acd94b7b6e6

SHA1
ff12ae24c6995483e6348a396e299c3c7fe6a184

SHA256
6c9d87a7e91702ef867a11344888019eb22d5decbbe632bdb38d85ee0dd917c0

SHA512
aff331d7804eb89106db1ae9df69c9f59c18dd3d0590525e2129b215167f898e70aa65517219aebb5f111e5861b678f1319c197c7961329bcbc3b9412f17534a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
222B

MD5
385696f062c651fc2a68dd26d4728972

SHA1
77673bc9fe89d57754a6bd1b5f6de25a258bd614

SHA256
8e772de1c39a4bf653f8845e0a3cc0bf0faad29cc79caee52d0fd051ffa36fd5

SHA512
32710bc27829c67bb70e0a8ecc91e4abf82ae6b40f4b75908bde77507da14fbd8b1f678aa1d67c304d8d3e0f66930dafe1422acf13d212cbb7bc38d3837eba2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
222B

MD5
5e1ba7cc5b88f85a14d297b8d638190a

SHA1
6bcc7af5cb3100b6ef52ddf95e893e57cc65d791

SHA256
fe987cb38b05b66f57e747df9725d760fd433266c9c6ebff0e883fa3ca56dea2

SHA512
f383237351d06b304b03b898b4f03648d0527f4137bfdf9e1dd400e744ce534564852d7e041d031a2e61d354eb7fea6e0727f1c43c4059041279ea3ea514d6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3623.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
222B

MD5
dd6f2cebac47b210bd7312003a7d182f

SHA1
a218b931990e032122546c6d37845d143624623c

SHA256
35062235e143c2e9f77001d4b526790193a92e3ec7b1914e3f69589929e77302

SHA512
0b9d3c1906de73752387036e5837b80e789e9c47f5242445d33bb6b7c22948dced9dee577d3e75c48a765a5dafae14071cedd2605ee07ca4b6000cc8700915e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
222B

MD5
f4697261194409fb1192d207b95a7929

SHA1
205af5d0a7a373dda365afc9566ba65e2143c028

SHA256
e69306c0b75b8babc016df5f65426525dfb422775161a8ea1fc3e9ee4ee2d5b0

SHA512
8204bea5a0164b3caa3809a2ba9ee650a2e85fd1ccc86dbe7f56a13950c38ddfc100428d38003a562b5221f8dcd9111b287f17d73d656281a30042e176cd9b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
222B

MD5
11d22140a77630b117474a5148e6e32c

SHA1
9c71633fbbfae3e3a1e93f5eff78c2b719c88558

SHA256
9891e66a0463950e4ba83566edb65edd5b0d1a48a4ccfcab991ab845b745ffab

SHA512
02c184d388c1ad6ec7dcecfb4700e2769036db10f5a12866ffa3820514761e300dff2712826e4e46f2d3802adc74400df5f4cdb68ccbd2bd6db858371ab6326d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
222B

MD5
cabbd77c57e2c4442a4b55bfeeb4e9c6

SHA1
c2d73c868686cd7e4eae928bf3ad5ad081e00bc3

SHA256
67be784a46a7c3f40751bb6630f307b06c55284d327f009fec4fc3ac4a4daa0e

SHA512
e14851d1685f7d431192ee7fcdfe2c4778a5b4b76bd30e90ce49ef7503bc0c31288d5df211d11899f0108f233fcb7814125582399574d799b807a196195b1ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

Filesize
222B

MD5
e9ff5be413669b2cd03436b399219ebd

SHA1
1d9522f1a286f08c722545cdfbaddda5a6b82441

SHA256
c605925cbc35d4d24bde3737a178f04eb7b8b2ebea1684a63e13df190bfb21f5

SHA512
73a070eb2c3d3b85df16c5f15c85fb0cd67ad138d7b2a5702c94191dca4002419fe221d160e6842f10dcd88a6e28f6b41d3e219ecc6bdc055a112409bccc6695

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
222B

MD5
2061047c1c00bde2f675ec50fc8e18d8

SHA1
ec029059f65a566c03b0c922972f777172fdf762

SHA256
b179a8a9e9ab97b7b27c49b29cd8a4a0489f84926b0e4c6bb9f3880eaafab858

SHA512
d49887e433f11d1c97bb5bc3855302f1d5f84cd0a1179158ff0bce20114f4a8f0ef09cd9de1fcda210c6a536a0e76a908192f65c2ca487f163067683c0ee38b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgpLPBTwX.bat

Filesize
222B

MD5
0f07d52698ae74bde66c126bc883488f

SHA1
94e440c6fe1421af97e40cf92ecf8969c2b00e42

SHA256
6f00cd0b94153987908f434aa2f233642e8a3e471a512cbb8b1d8a89ad3b12cf

SHA512
bbf6ffcbbab593e69cd789c57dc9d8351ca703a2f8852c20922bc3d72969328652f730f9a9624cc8d988beb926a2f6604adde0aa9da4541b40dcb1461fd3cc50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e5bb39114ca4d9e85f675338899047d

SHA1
8c53c55a8f6b64894d7af3fa1866ca90cff083a8

SHA256
2308dd4ae0b7dedd3438adabd922d4a9bb0bde94f4068a0599d26e7f2170244c

SHA512
bc543adab19627ad4eb2b72c5cedddf29ebadee13bee7e572d95d8570e89ea379376f1f4ea3e1cb6f0bfd2f0cbebc69deeb122b6d0d761885d0922aea8ad7d8d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/272-631-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1356-150-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/1388-270-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/1388-271-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1576-692-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1576-691-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/1728-331-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/1804-451-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/1804-452-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2480-13-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/2480-16-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2480-17-0x000000001AC30000-0x000000001AC3C000-memory.dmp

Filesize
48KB

Download
memory/2480-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2480-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2528-72-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2528-69-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2772-391-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-571-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2996-210-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2996-209-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download