dcrat | 772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe
Size

1.3MB
MD5

a6e18c339e4e80992e1e2d97a39a1ef0
SHA1

c1aafe24b3024a1f359a47a078f319e714c16095
SHA256

772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4
SHA512

7ba73fb1ad92b16ebf04d0de376556b4113d4e23e4da75a8207f30ef08a602a7393111f7027230642d52d9d6719c639081fc206cfe23d7fb6c0ca3041bb61748
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2656	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193c4-9.dat	dcrat
behavioral1/memory/2660-13-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2792-69-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1296-208-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/2660-327-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/1240-387-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2700-447-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1604-625-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1248-745-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1720	powershell.exe
2544	powershell.exe
2600	powershell.exe
2732	powershell.exe
2736	powershell.exe
2676	powershell.exe
2860	powershell.exe
3044	powershell.exe
2652	powershell.exe
2680	powershell.exe
2696	powershell.exe
2072	powershell.exe
1812	powershell.exe
2564	powershell.exe
2056	powershell.exe
2628	powershell.exe
2712	powershell.exe
2740	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2660	DllCommonsvc.exe
2792	csrss.exe
1296	csrss.exe
680	csrss.exe
2660	csrss.exe
1240	csrss.exe
2700	csrss.exe
532	csrss.exe
984	csrss.exe
1604	csrss.exe
3020	csrss.exe
1248	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	cmd.exe
2220	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe
1556	schtasks.exe
3056	schtasks.exe
2304	schtasks.exe
536	schtasks.exe
2292	schtasks.exe
2016	schtasks.exe
264	schtasks.exe
1944	schtasks.exe
1104	schtasks.exe
2332	schtasks.exe
968	schtasks.exe
2356	schtasks.exe
1420	schtasks.exe
1600	schtasks.exe
1796	schtasks.exe
2840	schtasks.exe
1580	schtasks.exe
2708	schtasks.exe
1220	schtasks.exe
1772	schtasks.exe
776	schtasks.exe
1984	schtasks.exe
1028	schtasks.exe
1648	schtasks.exe
2088	schtasks.exe
328	schtasks.exe
2168	schtasks.exe
3016	schtasks.exe
984	schtasks.exe
1496	schtasks.exe
712	schtasks.exe
2388	schtasks.exe
2272	schtasks.exe
1560	schtasks.exe
2928	schtasks.exe
444	schtasks.exe
2636	schtasks.exe
1500	schtasks.exe
1368	schtasks.exe
2604	schtasks.exe
2132	schtasks.exe
1620	schtasks.exe
1240	schtasks.exe
1672	schtasks.exe
1504	schtasks.exe
2644	schtasks.exe
2344	schtasks.exe
2508	schtasks.exe
1472	schtasks.exe
1624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2676	powershell.exe
2652	powershell.exe
3044	powershell.exe
2680	powershell.exe
2860	powershell.exe
2740	powershell.exe
2712	powershell.exe
2564	powershell.exe
1720	powershell.exe
2072	powershell.exe
2732	powershell.exe
2628	powershell.exe
2736	powershell.exe
2600	powershell.exe
2056	powershell.exe
2792	csrss.exe
1812	powershell.exe
2696	powershell.exe
2544	powershell.exe
1296	csrss.exe
680	csrss.exe
2660	csrss.exe
1240	csrss.exe
2700	csrss.exe
532	csrss.exe
984	csrss.exe
1604	csrss.exe
3020	csrss.exe
1248	csrss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2792	csrss.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1296	csrss.exe
Token: SeDebugPrivilege	680	csrss.exe
Token: SeDebugPrivilege	2660	csrss.exe
Token: SeDebugPrivilege	1240	csrss.exe
Token: SeDebugPrivilege	2700	csrss.exe
Token: SeDebugPrivilege	532	csrss.exe
Token: SeDebugPrivilege	984	csrss.exe
Token: SeDebugPrivilege	1604	csrss.exe
Token: SeDebugPrivilege	3020	csrss.exe
Token: SeDebugPrivilege	1248	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe	30
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe	30
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe	30
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe	30
PID 2056 wrote to memory of 2220	2056	WScript.exe	31
PID 2056 wrote to memory of 2220	2056	WScript.exe	31
PID 2056 wrote to memory of 2220	2056	WScript.exe	31
PID 2056 wrote to memory of 2220	2056	WScript.exe	31
PID 2220 wrote to memory of 2660	2220	cmd.exe	33
PID 2220 wrote to memory of 2660	2220	cmd.exe	33
PID 2220 wrote to memory of 2660	2220	cmd.exe	33
PID 2220 wrote to memory of 2660	2220	cmd.exe	33
PID 2660 wrote to memory of 2676	2660	DllCommonsvc.exe	86
PID 2660 wrote to memory of 2676	2660	DllCommonsvc.exe	86
PID 2660 wrote to memory of 2676	2660	DllCommonsvc.exe	86
PID 2660 wrote to memory of 2680	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2680	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2680	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2652	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2652	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2652	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2628	2660	DllCommonsvc.exe	90
PID 2660 wrote to memory of 2628	2660	DllCommonsvc.exe	90
PID 2660 wrote to memory of 2628	2660	DllCommonsvc.exe	90
PID 2660 wrote to memory of 3044	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 3044	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 3044	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 2736	2660	DllCommonsvc.exe	93
PID 2660 wrote to memory of 2736	2660	DllCommonsvc.exe	93
PID 2660 wrote to memory of 2736	2660	DllCommonsvc.exe	93
PID 2660 wrote to memory of 2740	2660	DllCommonsvc.exe	95
PID 2660 wrote to memory of 2740	2660	DllCommonsvc.exe	95
PID 2660 wrote to memory of 2740	2660	DllCommonsvc.exe	95
PID 2660 wrote to memory of 2056	2660	DllCommonsvc.exe	96
PID 2660 wrote to memory of 2056	2660	DllCommonsvc.exe	96
PID 2660 wrote to memory of 2056	2660	DllCommonsvc.exe	96
PID 2660 wrote to memory of 2696	2660	DllCommonsvc.exe	97
PID 2660 wrote to memory of 2696	2660	DllCommonsvc.exe	97
PID 2660 wrote to memory of 2696	2660	DllCommonsvc.exe	97
PID 2660 wrote to memory of 2732	2660	DllCommonsvc.exe	98
PID 2660 wrote to memory of 2732	2660	DllCommonsvc.exe	98
PID 2660 wrote to memory of 2732	2660	DllCommonsvc.exe	98
PID 2660 wrote to memory of 2860	2660	DllCommonsvc.exe	99
PID 2660 wrote to memory of 2860	2660	DllCommonsvc.exe	99
PID 2660 wrote to memory of 2860	2660	DllCommonsvc.exe	99
PID 2660 wrote to memory of 1720	2660	DllCommonsvc.exe	100
PID 2660 wrote to memory of 1720	2660	DllCommonsvc.exe	100
PID 2660 wrote to memory of 1720	2660	DllCommonsvc.exe	100
PID 2660 wrote to memory of 2544	2660	DllCommonsvc.exe	101
PID 2660 wrote to memory of 2544	2660	DllCommonsvc.exe	101
PID 2660 wrote to memory of 2544	2660	DllCommonsvc.exe	101
PID 2660 wrote to memory of 2564	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2564	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2564	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2600	2660	DllCommonsvc.exe	103
PID 2660 wrote to memory of 2600	2660	DllCommonsvc.exe	103
PID 2660 wrote to memory of 2600	2660	DllCommonsvc.exe	103
PID 2660 wrote to memory of 2712	2660	DllCommonsvc.exe	104
PID 2660 wrote to memory of 2712	2660	DllCommonsvc.exe	104
PID 2660 wrote to memory of 2712	2660	DllCommonsvc.exe	104
PID 2660 wrote to memory of 1812	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 1812	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 1812	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 2072	2660	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_772d417ca3c6693a570f66f46fb38e74d0cc68aba6a8625efe283e791b6824b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        6⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1240
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
        8⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2648
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
        10⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1712
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        12⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2296
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        14⤵
        
        PID:1492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1916
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        16⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2696
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        18⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2952
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        20⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2808
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        22⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3028
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        24⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:404
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        26⤵
        
        PID:660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
190369402fb8231f8bc01d4419bcf857

SHA1
8bbb957f3fa1c0c270518cfab412973c29b3e9af

SHA256
b932222731bf07e1f0a049d3ddae7886b551cbb69a0cc209ca2847e59a47877b

SHA512
c33e19682dca0ccf4610f3a2439f34028fcb861fd74c1302c9e81cbf73a8ee31c9e1bd60637a72847705571ced4c0355bf2fed572b78d8548a0aa04512671c49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
447873323a37de6264f28c3d02dcdabf

SHA1
384516711126121e1b9e56884b0505e17075fb59

SHA256
57a0b02fe0a9409fa50f1821c633d39a752b709e97edaab843a847db2d933f95

SHA512
0d161489624cbeb6a7f68135607d1f682dbefd00102b2a3237bc220327817c02ccff0f5b2d192d9df27fbb0c2f6deede2f60bdd8c0db4604aa7a4657f6c98fcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1214662ca5c86a5174dda113fd92cf77

SHA1
df48ba8aa4a6495dac8b133ed4028b39eb62ef37

SHA256
f3cce5086146653142a04da41b7b7dcd0574529ded3b9ab16b17c36db2dcfe9c

SHA512
82bd292123934551952113a8b7dcfa4f8012fdc19816775d501a533ba16edafc39841bd3e3b302c81b318c9a386784a5ed8f169496ae9451c23824fe4e3db01a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adfbf7fe47d47a93076cf8fdcf00dab4

SHA1
0d677bc23f44798f2c108789ee1b283bf1f3eeed

SHA256
bc4bbd30e605343c52998d82d26d9b2681997f7ffbc90b0fc774826c33a12490

SHA512
02b8fa31fd26e2445e764db598e09e665067841c13b0857e40fd03a1c3de6214a976c5c3d0f52926f04f6b802fcb0a2d9a5f68588d77e9350eb4ecf9da7fd5b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2feb3fb15b6e55e39394c1801bd116d9

SHA1
6c12e5f6df71290a86c11e157c9fee387b5cbfcb

SHA256
bfaad0e4299bb4fe7567d5b98b4a0abd3adb8858ba88c57a701533f8a5c125f8

SHA512
ec35a8385baf75d045812acaafe48860edf3d5f231efc8aa75458f4d99ee939d5a74de2fc314d46dcbd06a2508dc2ad35393b84628dbd3a3b3ad8c95dab123fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26336b5c3f7b98bfa6a7a3b753934b48

SHA1
85e274a6ae08cc19eff155d5b21431e7e34a255e

SHA256
872829059825bf5c77dbd4a709f36f7eea8e87b190b8881398bb4737cc84eb12

SHA512
8f2f871b880294408d12d6d534fde8898641a00cf6ee3de4ad4bf6ea701e90a2c8f9d15ebedbcd49bd666e25b1af75d9b221c44f0de0cbaf4f8cf575f89cf0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d87b2975024227eed92a1e5c9a7e67d6

SHA1
18badfc62c18533dfd34ef6e7454fa816d4bce58

SHA256
e3f3b79c450223f2be553c1c7eb38e560dd50bdcf8d2f81beff3f658707bd4fd

SHA512
3657bc9a1f7153010363de5cf1fe8fc3de698ebc5cd101a6ec35e9b59841a17cdc0d3bcf5ada82115c6cb8c1f5de2459442ba12933e02898c46e1aa5fee750f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d168a634888af11a8c045d5831d1042

SHA1
d4a773d496bde936c5680fc5a5eb380e2c0dc1c9

SHA256
1a69851f3033610492bbbfa559304fc1069c09eba7c0c0dda5614ee10fb20d4c

SHA512
817d8b85250709e5983d5eac7399d5ba004a743755eefbd86064b048e2f3068046350bbe7c72c9d684b7451ca805a310f09ef4c679e23829800e1f57be5dcd88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca11e1369987746e54f4340982d25be8

SHA1
c22330109dc868a96df2830fb98fce6a443b9666

SHA256
057271c48bfdd49db035ddea98b7876f3e9497367ab2e09ad5c75e5a507402e6

SHA512
7bb6747e61a5acb37322df87934c2ae68a391a30ec0ef184027f9fab8f85b4f4c3750b8502a3062d2f6abf7eca6b639790de60fb757228d2ba11442e6a408166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce4e96b4b51bf159b264de65b385ea72

SHA1
bb434878d48fad5beea5606820a9bfd82f47ebe8

SHA256
33323c0da8a811957cc5adbcf6df3d37303edd53d9f8624b03f814a160cbef71

SHA512
9bcf505f9cc6c2f4bd8ff6977694df4727b903ab2a3dfff76f41f3eb15f4ea3a5308bb64777ba0506c01e138e0f0f09e35eeab914cef7f86df67c08ab193f10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
192B

MD5
9026c8330770950a2d5382af86d730ff

SHA1
729ddf380aeff7e543e16a5001a21872bdf1d305

SHA256
8028e7c3e32933d84d856ba9185490d3ca52e1d3e10b3d9d22617a64a4411fcf

SHA512
ad231455b5d7e57dd62ce2059bd69106dbc6060bc2510755587b46d1c4d977c7f11d12c9c1ec144aef7d0416c4ae8e672645d82c85bff0b2b82139352afafdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

Filesize
192B

MD5
3409bda96ddc4cab4fc3301fa28914c8

SHA1
5469c809439e3a56b38911cada9bae135a170356

SHA256
a2c9096c01051e8c16a4e427b136d2de8203596c8cd967be1fd55abd527719c9

SHA512
7b5c6d53cf3236b71769d0eb174c634ddd97ff01ee235f9164dc649a6544500c2f749f321d5a2261cbc32fa3f797aedeaa7adcc1200ac7ef647bdbc6624e71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43C6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
192B

MD5
5be8203ab4df8907a3098d30f22052a1

SHA1
311675d4dcd7adf005bc656b6e5af8a61a603a98

SHA256
a5a99116b6ab2acb22f0e7bce71fbb0e0966d6802f0e10ba6a8cd459a271b73d

SHA512
642afd9506f6cffbe8c05d9e97fa0cc9ab5116aeb580b0bf8586be4f6435aa4770c92d9c2ebf083392ecbf4cad9b3763d118c726d616a3f349598b722afd914a

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
192B

MD5
438a1ed73eafc2c8c43ab67a46251c6c

SHA1
af2cee854c69b6365b624e29f5d0b140da38dad0

SHA256
a3d1e36654da01638adecd807f9896f057f9994034432c352d12db69de64748f

SHA512
afc028712b42e34bceaa4b866c31d149b080c3b0388ae26f89debc25651f12d0d15e2fa477803383e1411fa2405b346952f903d33c351c0b605b1cbc972178c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
192B

MD5
713906d14ace0febb42a60d810d7e050

SHA1
d3d4c56f7a562ee39e6eb1ca22465a8ea0c54b92

SHA256
8fd7997c420f778c1d8c9914c31b079ea89d57e80ac9e582e8d523a0ef532f39

SHA512
308ed159d3aa048e69554f6b384b24b78b75dcd7c8da69e4b391760c4a7603df001ab9cd4394fd2347f17fac362036693688739180e78b7acfb286b67f8ef9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43D9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat

Filesize
192B

MD5
a03156becf4b25a27c72c016f741233b

SHA1
eb115b7bd2191b9ac52e0404a5c3ee56cc3ab66e

SHA256
579a83d60a18f39e5a1671765563bcf4353c554708999fb5b225a24d1f595a0e

SHA512
ed08e4a5ce4eacc5d5f822d2a667b827a32c4587a4975806d5647ad1d199402857a40d6a67349a04a693ac5fa18fa8b6dc709ceb0c385e5b6ea5c46370e3c69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
192B

MD5
6a3d63deef523998613f73d80cdb0ff7

SHA1
e095c13540da46425486ba2d7a5060e5cb108771

SHA256
b54a615bd2ebd267247e8ac89045c564378b45e609c1685353313102fd0738f9

SHA512
250b787eeeeaf3a27fb8bc51c0b5f0fb726485f98ede9fcace84b266e9a8b2e079224308f42382a17598ecbe42053f11d79b75b73d15904df48b5941d015ddc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
192B

MD5
c1d78a5e2cb17793d025beed59088dc1

SHA1
19ae81a3941e70e37a2d852f94916333f14c76d3

SHA256
c98853dac2463b2509c5ef8999128178a14b934689a6d47b0ae94b1c654e3ce3

SHA512
2f9edaefad60cb9123cf8b5b7dd22695fae1459136eb7dd978080fb0479834eaa8b4956e9495d8e40388bb97825ddf8309d151b070e59c64f5adf4eff060c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
192B

MD5
456abcea47d532eab5ff7d314f05b3b8

SHA1
aba09752c1c235a2251961e8c2ba1d28195c9a8d

SHA256
344dc4213a4400a3b57ec4fa5ee87f6e30744bfbe1201e46b5375e1dcf1a9318

SHA512
07abb7b22c663d0b0f47d9736942bf24323c18767c2cf855a48abc29996ac8cb7b35f381f71a2bc50f765ee8a18658ed78163fa39569a6001cb9f7d72a1c6917

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
192B

MD5
38a83def6d094325ecaa06d5b22c70c1

SHA1
9ebefbad8e2e5ccf008b89270c68545051d7225c

SHA256
4a5c524e73e6779e806930a1ce54a171b7e2d331845b2bf7501ea59991c6565b

SHA512
5c5092980bb54fe772606007f69ae20c0c1df1c566b3103379b0016a8a4e2a20383e2d14957189d400ab5840382f43e6c4c88acc509952b5e5a3a0671adce1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
192B

MD5
51e54fa1f681456602b8062af04edf3c

SHA1
1d2d684a74093b8c4beb6e5fb63a64e4db0111f0

SHA256
f65c81ef442aafe331273635d605e81493ccc31b50fe488c558e0d3c27eda5f3

SHA512
1522c4da3dbe33436d0505d497f81ca336d749cb49580a3957a99c6749e3cfdb900eed6595d5bcf0c1c3261729e55e814f41b4cf898607c04a02f234e6426c3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JN4XDWY9VF4RC73VGMZX.temp

Filesize
7KB

MD5
f4200c28e8eb5550c155e95f4c919bdf

SHA1
392ecdd15f23473f5e3208e7444911d15e1be6d0

SHA256
fa29414d477e8fa64b2e8363ba011dc83acea23c5c6378901b4cb5e360542153

SHA512
ff03032775972bbb91c3b7804b102941f083db1be2c86536724a47cf19e9028a7dcfa4a9b71fd2576be08609dfc952247a93d025a7c6912febbb735acc80e9f1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1240-387-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/1248-745-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1296-208-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/1604-626-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1604-625-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2660-327-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2660-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2660-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2660-13-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2676-66-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2676-68-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2700-447-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-101-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2792-69-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download