dcrat | 565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe
Size

1.3MB
MD5

a11f25d98183ef06cecab6a3b1357b3d
SHA1

ed196ad94a2c9584b5ae428f008eadd1cf63f2f6
SHA256

565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159
SHA512

a4a6a3c2495cf830f2929794a2e631c5037b744982468c5edf8f3caf4f65763dbb7c3098d3380a3353e88a55ea0ead02e4daae2ca98c58fc296a8c932fc07a4e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	632	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016890-12.dat	dcrat
behavioral1/memory/2944-13-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/1720-135-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2468-194-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2724-254-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/2224-373-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/3048-433-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/2352-671-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2772	powershell.exe
2804	powershell.exe
2424	powershell.exe
2380	powershell.exe
2800	powershell.exe
2720	powershell.exe
1448	powershell.exe
2756	powershell.exe
2708	powershell.exe
2716	powershell.exe
2588	powershell.exe
2552	powershell.exe
2752	powershell.exe
2760	powershell.exe
2836	powershell.exe
1572	powershell.exe
2668	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2944	DllCommonsvc.exe
1720	cmd.exe
2468	cmd.exe
2724	cmd.exe
1288	cmd.exe
2224	cmd.exe
3048	cmd.exe
3052	cmd.exe
2880	cmd.exe
2080	cmd.exe
2352	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Resources\System.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2356	schtasks.exe
876	schtasks.exe
1964	schtasks.exe
2464	schtasks.exe
3060	schtasks.exe
2848	schtasks.exe
2052	schtasks.exe
1640	schtasks.exe
872	schtasks.exe
1104	schtasks.exe
2264	schtasks.exe
2064	schtasks.exe
2084	schtasks.exe
1596	schtasks.exe
2232	schtasks.exe
1580	schtasks.exe
2272	schtasks.exe
908	schtasks.exe
2204	schtasks.exe
2500	schtasks.exe
3040	schtasks.exe
1704	schtasks.exe
2620	schtasks.exe
1700	schtasks.exe
1724	schtasks.exe
2212	schtasks.exe
1316	schtasks.exe
1720	schtasks.exe
3052	schtasks.exe
1600	schtasks.exe
2248	schtasks.exe
2980	schtasks.exe
1452	schtasks.exe
2952	schtasks.exe
3032	schtasks.exe
544	schtasks.exe
1084	schtasks.exe
2732	schtasks.exe
2300	schtasks.exe
2900	schtasks.exe
2148	schtasks.exe
264	schtasks.exe
936	schtasks.exe
1920	schtasks.exe
2100	schtasks.exe
3016	schtasks.exe
1764	schtasks.exe
2416	schtasks.exe
1368	schtasks.exe
1752	schtasks.exe
1000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2944	DllCommonsvc.exe
2944	DllCommonsvc.exe
2944	DllCommonsvc.exe
2944	DllCommonsvc.exe
2944	DllCommonsvc.exe
2424	powershell.exe
2752	powershell.exe
2804	powershell.exe
2772	powershell.exe
1572	powershell.exe
2756	powershell.exe
2836	powershell.exe
2720	powershell.exe
2700	powershell.exe
2552	powershell.exe
2668	powershell.exe
2800	powershell.exe
2716	powershell.exe
2760	powershell.exe
2380	powershell.exe
2708	powershell.exe
1448	powershell.exe
2588	powershell.exe
1720	cmd.exe
2468	cmd.exe
2724	cmd.exe
1288	cmd.exe
2224	cmd.exe
3048	cmd.exe
3052	cmd.exe
2880	cmd.exe
2080	cmd.exe
2352	cmd.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	DllCommonsvc.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1720	cmd.exe
Token: SeDebugPrivilege	2468	cmd.exe
Token: SeDebugPrivilege	2724	cmd.exe
Token: SeDebugPrivilege	1288	cmd.exe
Token: SeDebugPrivilege	2224	cmd.exe
Token: SeDebugPrivilege	3048	cmd.exe
Token: SeDebugPrivilege	3052	cmd.exe
Token: SeDebugPrivilege	2880	cmd.exe
Token: SeDebugPrivilege	2080	cmd.exe
Token: SeDebugPrivilege	2352	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2776	2424	JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe	30
PID 2424 wrote to memory of 2776	2424	JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe	30
PID 2424 wrote to memory of 2776	2424	JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe	30
PID 2424 wrote to memory of 2776	2424	JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe	30
PID 2776 wrote to memory of 2688	2776	WScript.exe	31
PID 2776 wrote to memory of 2688	2776	WScript.exe	31
PID 2776 wrote to memory of 2688	2776	WScript.exe	31
PID 2776 wrote to memory of 2688	2776	WScript.exe	31
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2944 wrote to memory of 2700	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 2700	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 2700	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 2752	2944	DllCommonsvc.exe	87
PID 2944 wrote to memory of 2752	2944	DllCommonsvc.exe	87
PID 2944 wrote to memory of 2752	2944	DllCommonsvc.exe	87
PID 2944 wrote to memory of 1448	2944	DllCommonsvc.exe	88
PID 2944 wrote to memory of 1448	2944	DllCommonsvc.exe	88
PID 2944 wrote to memory of 1448	2944	DllCommonsvc.exe	88
PID 2944 wrote to memory of 2804	2944	DllCommonsvc.exe	89
PID 2944 wrote to memory of 2804	2944	DllCommonsvc.exe	89
PID 2944 wrote to memory of 2804	2944	DllCommonsvc.exe	89
PID 2944 wrote to memory of 2760	2944	DllCommonsvc.exe	90
PID 2944 wrote to memory of 2760	2944	DllCommonsvc.exe	90
PID 2944 wrote to memory of 2760	2944	DllCommonsvc.exe	90
PID 2944 wrote to memory of 2424	2944	DllCommonsvc.exe	91
PID 2944 wrote to memory of 2424	2944	DllCommonsvc.exe	91
PID 2944 wrote to memory of 2424	2944	DllCommonsvc.exe	91
PID 2944 wrote to memory of 2380	2944	DllCommonsvc.exe	92
PID 2944 wrote to memory of 2380	2944	DllCommonsvc.exe	92
PID 2944 wrote to memory of 2380	2944	DllCommonsvc.exe	92
PID 2944 wrote to memory of 2772	2944	DllCommonsvc.exe	93
PID 2944 wrote to memory of 2772	2944	DllCommonsvc.exe	93
PID 2944 wrote to memory of 2772	2944	DllCommonsvc.exe	93
PID 2944 wrote to memory of 2800	2944	DllCommonsvc.exe	94
PID 2944 wrote to memory of 2800	2944	DllCommonsvc.exe	94
PID 2944 wrote to memory of 2800	2944	DllCommonsvc.exe	94
PID 2944 wrote to memory of 2756	2944	DllCommonsvc.exe	95
PID 2944 wrote to memory of 2756	2944	DllCommonsvc.exe	95
PID 2944 wrote to memory of 2756	2944	DllCommonsvc.exe	95
PID 2944 wrote to memory of 2708	2944	DllCommonsvc.exe	96
PID 2944 wrote to memory of 2708	2944	DllCommonsvc.exe	96
PID 2944 wrote to memory of 2708	2944	DllCommonsvc.exe	96
PID 2944 wrote to memory of 2836	2944	DllCommonsvc.exe	97
PID 2944 wrote to memory of 2836	2944	DllCommonsvc.exe	97
PID 2944 wrote to memory of 2836	2944	DllCommonsvc.exe	97
PID 2944 wrote to memory of 1572	2944	DllCommonsvc.exe	98
PID 2944 wrote to memory of 1572	2944	DllCommonsvc.exe	98
PID 2944 wrote to memory of 1572	2944	DllCommonsvc.exe	98
PID 2944 wrote to memory of 2716	2944	DllCommonsvc.exe	99
PID 2944 wrote to memory of 2716	2944	DllCommonsvc.exe	99
PID 2944 wrote to memory of 2716	2944	DllCommonsvc.exe	99
PID 2944 wrote to memory of 2588	2944	DllCommonsvc.exe	100
PID 2944 wrote to memory of 2588	2944	DllCommonsvc.exe	100
PID 2944 wrote to memory of 2588	2944	DllCommonsvc.exe	100
PID 2944 wrote to memory of 2720	2944	DllCommonsvc.exe	101
PID 2944 wrote to memory of 2720	2944	DllCommonsvc.exe	101
PID 2944 wrote to memory of 2720	2944	DllCommonsvc.exe	101
PID 2944 wrote to memory of 2668	2944	DllCommonsvc.exe	102
PID 2944 wrote to memory of 2668	2944	DllCommonsvc.exe	102
PID 2944 wrote to memory of 2668	2944	DllCommonsvc.exe	102
PID 2944 wrote to memory of 2552	2944	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_565da4e80e59bcaf347cde98195a8c2eee285c65cd174610721adb22f8c00159.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VEsBUN9q35.bat"
        5⤵
        
        PID:2868
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1896
      - C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
        7⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2900
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        9⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1980
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        11⤵
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1748
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        13⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2192
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        15⤵
        
        PID:764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2704
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
        17⤵
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2000
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        19⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2164
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
        21⤵
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2748
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
        23⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1368
        
        C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
        25⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25a14b2634e712b46dfd1f9444a1c11c

SHA1
83a7951c85f0842f0a43c63d4bd02aadc20bebf4

SHA256
f03e1203997e9e8ed384ca4cee2425057e3a84e180672adc886568a06ad537d6

SHA512
30d648ce40e9d13b6598ba9a46d1c7a57b557ad85862943af1d4bef392d49cdd5af9e997cc6363df2564138ca53fcd6b3f63b220bb3c28a0d3a1e9e01ffb306a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96006e1b4c782ef1ee349c7fa70bc625

SHA1
94b0382e75a22b114c11a985e246d3290ee5caa2

SHA256
58089c188577c6838c45029112fad0b420c551b410b751274538d62e7f2e34e8

SHA512
6763227b0ab51c3c58dfa02a6097fcbceade68825e216a00d0a7af2f0c46691dde8b3e8bedfe6a0e7a9e9cf977f9205b496dd12ecbe40e1d99350f5f03ffd543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20fcd85f5ef7325701a007669136b4a2

SHA1
1ab221f2268550c9f42d5627961761dc39e0abd7

SHA256
faa78b1916d85990baa8939d2bdba6aeb0abd4878fcb455243441aa8d12b0d34

SHA512
87ea2b9860a9853e2db2d23d00bfe05f15a533aa0e38526d39637eac764f7b11dd011362a83758ce7f13e6a3eb411b57def13af903644093ef079289b67bcf25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f40821ff225c10d6fae8f42043bb4857

SHA1
276213a8c183457ec358283cc76555dbc579522e

SHA256
413d095af7658de295e0f11124a0d447ab6f29d8b5384f5458d095b15af03939

SHA512
baef1d51754519d7e03f173a5ebd1e594d005a06776122443787a2ac6df13341fe5c3fc24dd2dee5a00b392c39e00c7ff6b217d4b13e883a7b54f4bd8dab3d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa1b806c73ca121a43d063aa912242b1

SHA1
aec6ef0b58931c7463340c50727933c9e3f2747f

SHA256
fd251b8c58e16ba5dd75b2ba21820209eb1ab998a79dfb015c2e87349ec3c6fa

SHA512
07452208fb26688539a6e70d40c1928ce812e221b0aea743c4033f1d7bbb7ea4fa60c7756d0fbca54dd9681243f8de224796757d7b0bd66e2fe64c8dd957c480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb9bc98ab95dd4c356bd5bfb93545ff2

SHA1
a5c3c7bf73d977789390d252eab8feb591c2ff2b

SHA256
8e21fae855df9f4132989a40a28ae6735359c0fb75e5cd84afdb509197e948fb

SHA512
949403666c515d4b0cba7f49096090b8d2eafec24ed426a49b7595cb65a2ff395ae0d3a628b9fcc8f944b88336622c27cdf2c7b935b7438b1b50343b7117bdde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55727d36bd31df82244bf29f3a2544b7

SHA1
4ffd7aa101523d00ffbd9b81c526affd196265c2

SHA256
a0222955bde9ab45a34b6b852c38bd537198b3f4ce38c26ece7358cdc2798dfb

SHA512
fa6a84c231df6930d95e4d4b32f8452f568a2b232dc469b6b7aab08ee6483c7bf640bd85e0eb9748a16d2820eb3b35bd21c6297e999b15a14046fc32d98b875b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90fe67ed087390daa37db9c05de38c90

SHA1
691f9d0c200772887e17349872314dd9e040b4b9

SHA256
6b4d7785507b1798c0aa3df289e4a94c14a21aec598e934627c17b5a3a4d668a

SHA512
9d3828ecd568fa9b6202e90df7b6e6316b147815c1a64ee9909f6b36539ea04fd6b7e682a5731afeb7444e3b179febfc64a8239437d61fca58159d0089465ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6d8a716fbf072dc692c506d4200bf02

SHA1
298103eb6b065f754caa213c40b9fff7f3a24d3e

SHA256
c6f0cdc0d9c97692b13474a56c1829735159df1511aef8960066b1661fa7c43b

SHA512
63fb850aeed52b969ab7de42612d8c2559da63b7c7ce870bc31ff5ea3f81623e51f1c4b3e0e417e2838b938e4d7aac1040c6322cafb48730443a3995b2875b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
219B

MD5
3d6a3dd526874536098fa9c964a1615e

SHA1
d51f5350bb13de9e464ca9fd99641781e79be965

SHA256
ffaa693366de38c015209b2be7c85e165c40b2a4908494be09ee13ec3108f48a

SHA512
165d704f103765c226c0c4ff4c86ca4fb966dadc9897d6f95c00e7ecacab93932f70d4ff05d33d540413ddd3aea832745c2d678ecf3dd98067071ef46423b5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
219B

MD5
f097862a490d1994e768ec68b8ee4769

SHA1
cd7512a63d4001d6f09a337e2329580fa20e2aaf

SHA256
b5dd60e49ee6787946dedfc9625eb178262d72c56354b8ce70a6bd8b662aa399

SHA512
215c002583b9c4fee1e881acc37c7cf070b13f0ed1a27b945d5d158b6cb19d1ad181f3a25a1ba5853a067e7af03856a65bba9500b7fbbe5ce091f15ca4f44ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DBE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
219B

MD5
cd31266933509d59a62e89fcbc186e59

SHA1
972558938e8ca840460a69d41beee34edb68c1b9

SHA256
ada4f88db034272a6666835c05b0ec7aeb99a81cc0b07a204a4c0a097116b575

SHA512
e1cd8e150c54466a1867ce7424057ab6db96163015642c0d9a494c1b883e9256527808c136d38be64464150b36ba89c311bc46d15ae15a12481eedf53c0cb882

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat

Filesize
219B

MD5
97c87ed75e85a0e118e6b6cb63ad7d10

SHA1
60b340870130515aeac83e48dc8da0defbc41fff

SHA256
9e15ee54847b5ed8ed869efaa7f334c396025cb9045203599bf4ee8353e77922

SHA512
77e36e3d1579a242a5af471b481b237ce2b86120c6402b2a6cb55ec22acad9f5d5866c4c2402bc7fddd67e8f060950bc87c9bf08d6da7832fdc2eb965fdfa63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
219B

MD5
1f2015961f280ac47fe9afe74024dfad

SHA1
ae3d6f707bc239bdf4ad7afef37dadd1230abbd0

SHA256
b1403d336010aadc565e93c5eba2ce3203aa4306598b6f01a046c96463758335

SHA512
069751a793a411f7ce397676fea1cc2ee0ab834b031f1e2b63e9d77dddfef0a78360bfe882976541255dee91d95ef2aa2cacc616978687aed10edd8a835840ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

Filesize
219B

MD5
33260d123297baec21018292c8ecd034

SHA1
e4980e15895a77d73b91323866416992d242f1b3

SHA256
e705df96a6daa88815ac006d5b6a415eb964d01679403bf224403d323d87caf7

SHA512
d304e2387d6bd9e76c6511a41d1fad189e24c1010e2745b0c426a1939021d08bff4b458d6b545e66d4ea8a13f5666d6abbfdfa16b1f22b3e3d6a3e0ab2e4d5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

Filesize
219B

MD5
fe882ca44d8f3db5c1966224b1ec2e4d

SHA1
2b8b6c67cfc2a7a0f4506041b600ee1d1fa7dc1c

SHA256
619b8f1bc3f57c760ba4ba97d73a2e1b50907b8701cfcfe15f57628f8c871de7

SHA512
14f0b673e0023836c95ab7e082028d72b22389d78c2924e95ad1480566667776e96b67278618e617a6f9f50fcffbce45fc6a53dd45955737fe45b4537c828f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3DD0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEsBUN9q35.bat

Filesize
219B

MD5
0bdaae2a3d8d84ab93fc2d0feb528940

SHA1
6b64d34009cf0b36b089ab742176aedec854472c

SHA256
d7eb79875e0533d7d8433ce115701f9770180290978e76906ef642833c1c4c6c

SHA512
96c44509f87a3d1fb77bb8213daad2a12fee85a5ff66f6e374608bd7d191738051fbd523afa03d5ad7b67be64ecd761f421ea7c456425b3b87307ed6da91a471

Download Submit
C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

Filesize
219B

MD5
ffe689ecbe008d83f5a4601921fb3967

SHA1
dc2b0192d7b1ac4f3dcebb6f4afc9685f5b30b4d

SHA256
541594d371c57c78e7c4f576bdd43ace37b0f207e25575ee47147fb40d3c0931

SHA512
fba693e088b4b1d2689c43327f7350e509d51bb2ed1461360bd7ef39cb22b1c9a6657d4260d66a4e09bc09b4ecf1e98e34ac9245481f4f211e8bebdb33932aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
219B

MD5
d6be74a80ad95b60b2ef68cfc455ad05

SHA1
9a6295bc19f1bb7248a7a4451dd37544be9fa1ca

SHA256
f1a45dc7ebc940683f243872bbf72e0c4c302521888ac8d63eeb9ce8a8f95a94

SHA512
b37a288f1025757bf76894a2a967406a3b34bd22ce58c1ab5e6562182c29c138e6b3b26ce655d99034840e3361309ca90919f71ba8b6d223d701789e32b2bca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

Filesize
219B

MD5
1dfacb3bad198b08c2401e7eec36fdc1

SHA1
4aaa7f69629635b7e93c7f5dfcc933797aa42d40

SHA256
85d7cacdb36a7322f4fe0defe283e6d667cafc3e0635aaab7336a64075e572ae

SHA512
af99356ad1b383c11dd195fa70b6cd001e75497d67a8c0f2f38461715310f5c71c80ba69a39acfef4ca1807cfcabc65c63125943948f24f456cb7bf1ae2203c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9216f2fe62ab27da43fdc1c6917f5a9

SHA1
5e585a5246973794cb13677cfd0877a3cefedd60

SHA256
7cacb1e147f5ea05f63eea206f6aee4b26aefa0fc6f3ddc6f2e9f8bba5b80099

SHA512
c4dba96fb5a38967136bcf146487393b8b710703b5d1a04eabbd002afa7f032f654fcae3f7155d974fe9b3988c3d3bb1d08fc624f9755306d845f0f5ea1f4ba5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1720-135-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2224-373-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2352-671-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2352-672-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2424-62-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2424-60-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2468-194-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2724-254-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2944-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2944-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2944-13-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2944-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2944-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/3048-433-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/3048-434-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download