dcrat | 31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75

Analysis

max time kernel
141s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 06:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Size

1.3MB
MD5

ad134c9d0e2b1cbf8287bbfaba5c476f
SHA1

6a4710a002517b0a048059f7172c575c22292991
SHA256

31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75
SHA512

e4033d9e0d2b1ae8ac083f806e0d6156c384c40d8c1eaedf58b9b838a763a1421476bdd3795381b68a77c728ba2b36b010130b710542752baf71db032f5b2a84
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2804	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3f-9.dat	dcrat
behavioral1/memory/2204-13-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2796-58-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/1860-208-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2948-268-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/memory/2040-387-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2764-447-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2260-508-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2412-568-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2812-628-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1064-689-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
1244	powershell.exe
1700	powershell.exe
2416	powershell.exe
1972	powershell.exe
1916	powershell.exe
1864	powershell.exe
2404	powershell.exe
2800	powershell.exe
2904	powershell.exe
2408	powershell.exe
2156	powershell.exe
1800	powershell.exe
2356	powershell.exe
2460	powershell.exe
2716	powershell.exe
2124	powershell.exe
2536	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2204	DllCommonsvc.exe
2796	csrss.exe
1860	csrss.exe
2948	csrss.exe
2668	csrss.exe
2040	csrss.exe
2764	csrss.exe
2260	csrss.exe
2412	csrss.exe
2812	csrss.exe
1064	csrss.exe
2916	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	cmd.exe
2240	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logs\HomeGroup\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Globalization\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Logs\HomeGroup\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
1752	schtasks.exe
1816	schtasks.exe
2988	schtasks.exe
2980	schtasks.exe
960	schtasks.exe
1808	schtasks.exe
2108	schtasks.exe
780	schtasks.exe
1776	schtasks.exe
2476	schtasks.exe
1468	schtasks.exe
2368	schtasks.exe
2920	schtasks.exe
1604	schtasks.exe
2976	schtasks.exe
1852	schtasks.exe
2596	schtasks.exe
2364	schtasks.exe
2616	schtasks.exe
2644	schtasks.exe
2004	schtasks.exe
2856	schtasks.exe
1052	schtasks.exe
2224	schtasks.exe
2020	schtasks.exe
284	schtasks.exe
2244	schtasks.exe
1556	schtasks.exe
3028	schtasks.exe
884	schtasks.exe
2252	schtasks.exe
2184	schtasks.exe
332	schtasks.exe
2916	schtasks.exe
1680	schtasks.exe
1416	schtasks.exe
3008	schtasks.exe
1692	schtasks.exe
2776	schtasks.exe
2700	schtasks.exe
320	schtasks.exe
1748	schtasks.exe
2468	schtasks.exe
912	schtasks.exe
2232	schtasks.exe
1300	schtasks.exe
2952	schtasks.exe
604	schtasks.exe
668	schtasks.exe
448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
1908	powershell.exe
2156	powershell.exe
1864	powershell.exe
2460	powershell.exe
1700	powershell.exe
1916	powershell.exe
1972	powershell.exe
2356	powershell.exe
2124	powershell.exe
2716	powershell.exe
2800	powershell.exe
1800	powershell.exe
1244	powershell.exe
2408	powershell.exe
2904	powershell.exe
2404	powershell.exe
2416	powershell.exe
2536	powershell.exe
2796	csrss.exe
1860	csrss.exe
2948	csrss.exe
2668	csrss.exe
2040	csrss.exe
2764	csrss.exe
2260	csrss.exe
2412	csrss.exe
2812	csrss.exe
1064	csrss.exe
2916	csrss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	DllCommonsvc.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2796	csrss.exe
Token: SeDebugPrivilege	1860	csrss.exe
Token: SeDebugPrivilege	2948	csrss.exe
Token: SeDebugPrivilege	2668	csrss.exe
Token: SeDebugPrivilege	2040	csrss.exe
Token: SeDebugPrivilege	2764	csrss.exe
Token: SeDebugPrivilege	2260	csrss.exe
Token: SeDebugPrivilege	2412	csrss.exe
Token: SeDebugPrivilege	2812	csrss.exe
Token: SeDebugPrivilege	1064	csrss.exe
Token: SeDebugPrivilege	2916	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2416	1972	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	30
PID 1972 wrote to memory of 2416	1972	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	30
PID 1972 wrote to memory of 2416	1972	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	30
PID 1972 wrote to memory of 2416	1972	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	30
PID 2416 wrote to memory of 2240	2416	WScript.exe	31
PID 2416 wrote to memory of 2240	2416	WScript.exe	31
PID 2416 wrote to memory of 2240	2416	WScript.exe	31
PID 2416 wrote to memory of 2240	2416	WScript.exe	31
PID 2240 wrote to memory of 2204	2240	cmd.exe	33
PID 2240 wrote to memory of 2204	2240	cmd.exe	33
PID 2240 wrote to memory of 2204	2240	cmd.exe	33
PID 2240 wrote to memory of 2204	2240	cmd.exe	33
PID 2204 wrote to memory of 1908	2204	DllCommonsvc.exe	86
PID 2204 wrote to memory of 1908	2204	DllCommonsvc.exe	86
PID 2204 wrote to memory of 1908	2204	DllCommonsvc.exe	86
PID 2204 wrote to memory of 1864	2204	DllCommonsvc.exe	87
PID 2204 wrote to memory of 1864	2204	DllCommonsvc.exe	87
PID 2204 wrote to memory of 1864	2204	DllCommonsvc.exe	87
PID 2204 wrote to memory of 1244	2204	DllCommonsvc.exe	88
PID 2204 wrote to memory of 1244	2204	DllCommonsvc.exe	88
PID 2204 wrote to memory of 1244	2204	DllCommonsvc.exe	88
PID 2204 wrote to memory of 2156	2204	DllCommonsvc.exe	89
PID 2204 wrote to memory of 2156	2204	DllCommonsvc.exe	89
PID 2204 wrote to memory of 2156	2204	DllCommonsvc.exe	89
PID 2204 wrote to memory of 2404	2204	DllCommonsvc.exe	90
PID 2204 wrote to memory of 2404	2204	DllCommonsvc.exe	90
PID 2204 wrote to memory of 2404	2204	DllCommonsvc.exe	90
PID 2204 wrote to memory of 1700	2204	DllCommonsvc.exe	91
PID 2204 wrote to memory of 1700	2204	DllCommonsvc.exe	91
PID 2204 wrote to memory of 1700	2204	DllCommonsvc.exe	91
PID 2204 wrote to memory of 2536	2204	DllCommonsvc.exe	92
PID 2204 wrote to memory of 2536	2204	DllCommonsvc.exe	92
PID 2204 wrote to memory of 2536	2204	DllCommonsvc.exe	92
PID 2204 wrote to memory of 2124	2204	DllCommonsvc.exe	93
PID 2204 wrote to memory of 2124	2204	DllCommonsvc.exe	93
PID 2204 wrote to memory of 2124	2204	DllCommonsvc.exe	93
PID 2204 wrote to memory of 1972	2204	DllCommonsvc.exe	94
PID 2204 wrote to memory of 1972	2204	DllCommonsvc.exe	94
PID 2204 wrote to memory of 1972	2204	DllCommonsvc.exe	94
PID 2204 wrote to memory of 1800	2204	DllCommonsvc.exe	95
PID 2204 wrote to memory of 1800	2204	DllCommonsvc.exe	95
PID 2204 wrote to memory of 1800	2204	DllCommonsvc.exe	95
PID 2204 wrote to memory of 2800	2204	DllCommonsvc.exe	96
PID 2204 wrote to memory of 2800	2204	DllCommonsvc.exe	96
PID 2204 wrote to memory of 2800	2204	DllCommonsvc.exe	96
PID 2204 wrote to memory of 2904	2204	DllCommonsvc.exe	97
PID 2204 wrote to memory of 2904	2204	DllCommonsvc.exe	97
PID 2204 wrote to memory of 2904	2204	DllCommonsvc.exe	97
PID 2204 wrote to memory of 2408	2204	DllCommonsvc.exe	98
PID 2204 wrote to memory of 2408	2204	DllCommonsvc.exe	98
PID 2204 wrote to memory of 2408	2204	DllCommonsvc.exe	98
PID 2204 wrote to memory of 1916	2204	DllCommonsvc.exe	99
PID 2204 wrote to memory of 1916	2204	DllCommonsvc.exe	99
PID 2204 wrote to memory of 1916	2204	DllCommonsvc.exe	99
PID 2204 wrote to memory of 2416	2204	DllCommonsvc.exe	100
PID 2204 wrote to memory of 2416	2204	DllCommonsvc.exe	100
PID 2204 wrote to memory of 2416	2204	DllCommonsvc.exe	100
PID 2204 wrote to memory of 2356	2204	DllCommonsvc.exe	101
PID 2204 wrote to memory of 2356	2204	DllCommonsvc.exe	101
PID 2204 wrote to memory of 2356	2204	DllCommonsvc.exe	101
PID 2204 wrote to memory of 2716	2204	DllCommonsvc.exe	102
PID 2204 wrote to memory of 2716	2204	DllCommonsvc.exe	102
PID 2204 wrote to memory of 2716	2204	DllCommonsvc.exe	102
PID 2204 wrote to memory of 2460	2204	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
        6⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2548
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        8⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1556
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        10⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1644
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
        12⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3048
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        14⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1556
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        16⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1744
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        18⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2132
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        20⤵
        
        PID:1856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2892
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
        22⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2976
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        24⤵
        
        PID:528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1248
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\HomeGroup\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\HomeGroup\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3fd20e6d59c35174854bbff8d5549e3

SHA1
5817a38da809c49e492e8227259ca45d71d7a0a8

SHA256
910797a7fc3abc2c102f86135bf42d345a5511de1b4d34aeb9ada89ce1b02274

SHA512
8cad8b27214fd70a0adb3baa8e59f4cdece1353af85044868552459ff79c63ec73c71ac466205d470e76835c03f447c1b69f49a5ee991c357503dcf56f75aa6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32f7f55f1ca31e1777a50f256556c092

SHA1
a19aab908721b2e5ed851c8be01a3b77c555377d

SHA256
baa9c062abec5e8b24aaf9dccc76505e8c7b9fbb804cac320ee69aaf50c82d57

SHA512
88c825a88f33aea05d0460a727b3fe36d7325107564502444604b3858e19dea0bfb3a93a033d9f5ab334312e2030ca168fa706717b82357bff01be953253a491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec00687c167c55dcf5bba3c9f21f366f

SHA1
d38946e4c0a1dc2caa6bcd423ff7d77f2e3c01cd

SHA256
c199211be19c621c0ca5009ee0de66b5ccdebe1d2689704c80fb3f8cf5bf630c

SHA512
0661c61791f01d45273ec49ec99de50aad4ae57922ac3a96a7e5bd69c9733ec59c031fd276952fa8966a33ee94ae08bcb935697a48dce65569be8798580d3297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5da1c942e9aa18d2b0d36b331e85ef55

SHA1
48751c6f18683864159774ed2a467d333b59bea5

SHA256
2e14418a16ff489347c10f28d6b221aadffc4728e40d7255f6fad8dc781827cb

SHA512
45add9e356de628461cf6baf517fa8ac325ef32e19704b85cdd1b46042c53b748626acc0daad8a25493990448212ae63024247c95769754c7447356854c68e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a68982cb08028ecf3cc30b1febfad4a

SHA1
652a8842d2542b3cbf035832f260d45ae1cc852d

SHA256
657a79d1b8ff0135d0ed8dac83c6352630511672ecc70ab09d8524f65d34571c

SHA512
2195774416631ea060aee0534e986435f6e32357f0584532f1ef4d2dbffa1c9dcf86311ad47b0ff2303f258cd0489145ee0c0144774373e5c9fa69a466cb1d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30b87561736a1e27a4033f3b7e79ab38

SHA1
2d9ae89f1f023252e2211e794c2460bc8cd0f536

SHA256
31d4fc5ec7837dad2bf6c82ca84bde3ea8933ded85cf87e14d2d98bb9da50e91

SHA512
6434f467ca4a1efcb3a9348935ef31363d46a36feac0319a1166fc074bef5966bbc0b6f6d5a39dcc8f9071b8ef7f1c8a7329e489fb0c7b9e11d3877644753dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6873515a0cb56ab83326bd3776ca9fc

SHA1
786c2428d38c4b28cd96b6813162eeb11f18187f

SHA256
4b1aa71a77fdc7815bbf99f9b9b5f327d7f1eaa99d5695be15f0291b04dc0d67

SHA512
86af0f1f6d55eefc5ec162b90ee0de121f742c00493a2da349d316da940d3a40ebd1ca3da1713629372474125276069cf8c1dcd0d1a7ab2e65650f30d97ab0b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a168a19dee51dd1f7c064bf809547e07

SHA1
4ea6444f19029eb0bfbe5b48e8230779c222cdb3

SHA256
a9de5490d7fd9a3aa8f055dc624f142529778aa28dc38356f160b661ba863a42

SHA512
d7cfe949c30007540f3f838b43b84c7af69b475c5d9dd587bfbc9c7578cf1b3ddcba7a0ac4f3024098260b9b8a1c82f2b1f0c290e1e5519fc6e290ae15db8a23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d838f4f88cfaed1689495307a255b535

SHA1
e9ac71b8069b71bfbbc5e61ca4396c609cd04263

SHA256
95bfb7dfa033497b30632e59b102c376f1df4f086afc02ac2d993ece8cf62e24

SHA512
712b79c20e6d27a5918331b843f3d86b7eb048028cea34faee3bb85f5a07176caaee14995145bd26575269994a5fddd52151e728cc851faa637ccc0474423b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

Filesize
237B

MD5
a890db575590e145199efb955709d8ca

SHA1
48d933574f59f7e0176d01b9a12a546b3fd8909b

SHA256
79b69fc80a8a7b4f343956d8e598750e300e9563cddb44c29e70db5338d3f00f

SHA512
e3bc123aeb8946fe90ef271e01831c8cc90cd258373b6a90c726e0ea11f2ec8f7d9026b1f738fb41d340b2d7b65835ee030b5bc57145449eafaf2abdacb527e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC5F0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
237B

MD5
d688b07a16a3d166a8827cc38f329684

SHA1
b6bc5d1a2820b00d3912d66a69cf6a8267979b7b

SHA256
b75e805ced19318ddfa237b6ec2e74109c4a1e8c2dbaddad6c99a06052f83c87

SHA512
31c136fb94d75cd7b7d85c6729ef2044813e2662fab74934befc8cc969c3fc0fb3b7a7f25d822b95062363195719feb3a2ae688b1a0fe92c3d4e7d4938bb7527

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
237B

MD5
43add6e156714d2cf771e7f088eab4f1

SHA1
af9adcd73232d93c733a1545319d1fe24a1700c8

SHA256
cd52ac93f655c0cf56600c97588b6679deeb6656c1f41ee41ba3fa65995c522c

SHA512
b09c5fc3ddde3bac8984d38fd7ec303fef3aec4a223d37a9e58e31d5a16f9efb63b2d529baabe5497345dd32315ebf4fc594158e234521da79b92f6665d286e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
237B

MD5
e9ddc732f1031945a70c7b5e78f74fe0

SHA1
195e45216a797079b559674d7dfbefd3c6156d19

SHA256
fcd09ad3b7bb04825b1679741508481bcc267389dc48c3a2d20ba06c3c589b82

SHA512
18dac55d54103bc18b9076043fa5de072a0ceaa40e74a3d94aa641023a2d765338b0f1dc90b2506d3f57c4674fe4fd183ba1cce84c5d03eca7e837ea3cbb6ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
237B

MD5
77e92f73561bd81c4f8d238c6997a9e5

SHA1
1c2011d80df14f6d82a54d2b5cdda1a03102eb34

SHA256
41139d0fde08937ef2c2e71dbc7ae3fc12c9b915962225b2861c77518d370e8a

SHA512
979808a3bbddadb412e1a4f26d5275f59c62ef6db7363cc1f7db8f434c431bc5ed0f52586c706d82929f570656eacad145eae51f386040130e71b6a41f71b6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
237B

MD5
c3a499b4ea24138d682bcce1037e9cc9

SHA1
6fd8b8530322f4c15699cc3089c3493f76f18ea2

SHA256
b94bf4fe435954ba40bdd7a7fe8ddab4d69930c88a608263ffefe666c2478345

SHA512
74793a7780e155e21d97d6eedf4db523ec51bdf837a00eab5299e6cb9dd5f29969f43e3643044cab9e1f13044627ac42ecdb2e6be3669912426200b3e3535c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat

Filesize
237B

MD5
fd8aa88986a03304d4918d8aac7cf8bd

SHA1
c6f2ad5baf089060271f09bacbbfcaf7f565dd1e

SHA256
c8b5bfb702514ee8e4aced0e8877bb38277be743b958503f3085313fa10aa16e

SHA512
90b35a8c331f845b8e879745e55560a5ff822c0f235f5e594cccd64f4a563d5033c5d407d47339a07f13a251f1e6dc15d652d6c83397e5b4f45a1e1e6e97f728

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC660.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

Filesize
237B

MD5
0844bd9a6e150c1bce6a94bf0dc02cad

SHA1
c2593167f4bd46d626e79b24ccbcc0d940fc68cc

SHA256
f896b0b7579bdd2cb7a6231d0df6dda282aaeecdb74c7645622718b72b4e955b

SHA512
6406657aaa039ac8294cae83de077adabc8e0d66a70c50f1f2519166582d898e11c604ced683c4f7ff3be1480f4c1ae13c208b645afe1e54080284c501913832

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
237B

MD5
063008327c5c43258716381d5445e2bf

SHA1
326f77beed0ac2a1ded6b3144778b06a851734d8

SHA256
6c1272661e62c7698dc943ab542aa5ef20afa573e7bd9b2590b57fc0b55764eb

SHA512
bbe74f6752c75d52a4161209ef4817c81c55f65c9e4fb5fbc714eb34bff5ec417ca9b146c4ecfdce88a840db8eddc14af6886ff98e47b1e249170905e878a8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
237B

MD5
c6becd32887552591b2a5170aa84325e

SHA1
6d88035a156feeffd6f4463083ae07c406e37b7e

SHA256
83edd0ac8469ec188cf66a7a953cce198c9ecff9e80cff9b6b303481a4466935

SHA512
112f69cf057d348eff6496becb17851e41ec4a50cc610efc84387a11748bac188253759a71693f5b78467797a120be850ba8ac14de3ec770486cad04af4b228d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
486acf5a9fd30a8631c30885e193eaeb

SHA1
91f7bd16f066bdccf31adbf26811477a0332f780

SHA256
fa1481690b522a03589bd2581b84a983f137b143ff7767b9b16f4e3180397558

SHA512
6ced1628b6059a64833ff79ae163b56220092ea05c2ebd033f5394aedab973e3d51378f5df4f30b746aa290d3d02f55f65fba8a20061bc26655ea441f51c845a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1064-689-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/1860-208-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/1908-100-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2040-387-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2156-78-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2204-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2204-13-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2204-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2204-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2204-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2260-508-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2412-568-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2764-447-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2764-448-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2796-58-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2812-628-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2812-629-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2916-749-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2948-268-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download