dcrat | 23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe
Size

1.3MB
MD5

c07c303af9ea67d206bf5e6864b37b5c
SHA1

db4482ea1829f50e0398af30672fb129d29f376a
SHA256

23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027
SHA512

7054c07b583aed2d35db9437afc292ca10af9a2276b5a1aa8691379c23b9017e638dfb001598559b30d92417e71c15fbc46f018c9148557996b9b575c74839b7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2224	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2224	schtasks.exe	33

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d1c-12.dat	dcrat
behavioral1/memory/2904-13-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2796-157-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/1948-216-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2676-571-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1568-631-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2972	powershell.exe
2812	powershell.exe
2876	powershell.exe
2588	powershell.exe
1152	powershell.exe
1656	powershell.exe
2956	powershell.exe
2024	powershell.exe
2948	powershell.exe
2844	powershell.exe
2852	powershell.exe
2748	powershell.exe
2708	powershell.exe
1732	powershell.exe
2824	powershell.exe
2860	powershell.exe
2752	powershell.exe
3032	powershell.exe
2312	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2904	DllCommonsvc.exe
2796	System.exe
1948	System.exe
2324	System.exe
1060	System.exe
1632	System.exe
952	System.exe
2596	System.exe
2676	System.exe
1568	System.exe

Loads dropped DLL 2 IoCs

pid	Process
1372	cmd.exe
1372	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\addins\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\inf\usbhub\040C\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\inf\usbhub\040C\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Fonts\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Fonts\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\services.exe	DllCommonsvc.exe
File created	C:\Windows\addins\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
1096	schtasks.exe
2776	schtasks.exe
1620	schtasks.exe
2320	schtasks.exe
2688	schtasks.exe
1168	schtasks.exe
844	schtasks.exe
276	schtasks.exe
568	schtasks.exe
1928	schtasks.exe
1988	schtasks.exe
2584	schtasks.exe
2260	schtasks.exe
1932	schtasks.exe
964	schtasks.exe
1528	schtasks.exe
932	schtasks.exe
2352	schtasks.exe
2104	schtasks.exe
2568	schtasks.exe
320	schtasks.exe
1996	schtasks.exe
2140	schtasks.exe
1596	schtasks.exe
3016	schtasks.exe
2484	schtasks.exe
1672	schtasks.exe
636	schtasks.exe
2244	schtasks.exe
2564	schtasks.exe
2732	schtasks.exe
1272	schtasks.exe
1060	schtasks.exe
2232	schtasks.exe
1028	schtasks.exe
2512	schtasks.exe
816	schtasks.exe
1624	schtasks.exe
2236	schtasks.exe
3012	schtasks.exe
1252	schtasks.exe
1616	schtasks.exe
1264	schtasks.exe
2992	schtasks.exe
2208	schtasks.exe
2420	schtasks.exe
2864	schtasks.exe
908	schtasks.exe
3036	schtasks.exe
984	schtasks.exe
1568	schtasks.exe
2756	schtasks.exe
1064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2876	powershell.exe
2024	powershell.exe
2752	powershell.exe
1152	powershell.exe
1732	powershell.exe
2708	powershell.exe
2824	powershell.exe
2948	powershell.exe
3032	powershell.exe
2972	powershell.exe
2956	powershell.exe
2588	powershell.exe
2844	powershell.exe
2748	powershell.exe
2852	powershell.exe
2860	powershell.exe
1656	powershell.exe
2312	powershell.exe
2812	powershell.exe
2796	System.exe
1948	System.exe
2324	System.exe
1060	System.exe
1632	System.exe
952	System.exe
2596	System.exe
2676	System.exe
1568	System.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2796	System.exe
Token: SeDebugPrivilege	1948	System.exe
Token: SeDebugPrivilege	2324	System.exe
Token: SeDebugPrivilege	1060	System.exe
Token: SeDebugPrivilege	1632	System.exe
Token: SeDebugPrivilege	952	System.exe
Token: SeDebugPrivilege	2596	System.exe
Token: SeDebugPrivilege	2676	System.exe
Token: SeDebugPrivilege	1568	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 2116	288	JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe	29
PID 288 wrote to memory of 2116	288	JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe	29
PID 288 wrote to memory of 2116	288	JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe	29
PID 288 wrote to memory of 2116	288	JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe	29
PID 2116 wrote to memory of 1372	2116	WScript.exe	30
PID 2116 wrote to memory of 1372	2116	WScript.exe	30
PID 2116 wrote to memory of 1372	2116	WScript.exe	30
PID 2116 wrote to memory of 1372	2116	WScript.exe	30
PID 1372 wrote to memory of 2904	1372	cmd.exe	32
PID 1372 wrote to memory of 2904	1372	cmd.exe	32
PID 1372 wrote to memory of 2904	1372	cmd.exe	32
PID 1372 wrote to memory of 2904	1372	cmd.exe	32
PID 2904 wrote to memory of 2948	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 2948	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 2948	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 2844	2904	DllCommonsvc.exe	89
PID 2904 wrote to memory of 2844	2904	DllCommonsvc.exe	89
PID 2904 wrote to memory of 2844	2904	DllCommonsvc.exe	89
PID 2904 wrote to memory of 2824	2904	DllCommonsvc.exe	90
PID 2904 wrote to memory of 2824	2904	DllCommonsvc.exe	90
PID 2904 wrote to memory of 2824	2904	DllCommonsvc.exe	90
PID 2904 wrote to memory of 2876	2904	DllCommonsvc.exe	91
PID 2904 wrote to memory of 2876	2904	DllCommonsvc.exe	91
PID 2904 wrote to memory of 2876	2904	DllCommonsvc.exe	91
PID 2904 wrote to memory of 2972	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 2972	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 2972	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 2852	2904	DllCommonsvc.exe	93
PID 2904 wrote to memory of 2852	2904	DllCommonsvc.exe	93
PID 2904 wrote to memory of 2852	2904	DllCommonsvc.exe	93
PID 2904 wrote to memory of 2860	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 2860	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 2860	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 2748	2904	DllCommonsvc.exe	95
PID 2904 wrote to memory of 2748	2904	DllCommonsvc.exe	95
PID 2904 wrote to memory of 2748	2904	DllCommonsvc.exe	95
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2956	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2956	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2956	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	98
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	98
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	98
PID 2904 wrote to memory of 2812	2904	DllCommonsvc.exe	99
PID 2904 wrote to memory of 2812	2904	DllCommonsvc.exe	99
PID 2904 wrote to memory of 2812	2904	DllCommonsvc.exe	99
PID 2904 wrote to memory of 2024	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2024	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2024	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 1656	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 1656	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 1656	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 1152	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 1152	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 1152	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 3032	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 3032	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 3032	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2588	2904	DllCommonsvc.exe	109
PID 2904 wrote to memory of 2588	2904	DllCommonsvc.exe	109
PID 2904 wrote to memory of 2588	2904	DllCommonsvc.exe	109
PID 2904 wrote to memory of 2312	2904	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23ec9846f187130fb99ea143bb8b3289ec1f02e86d66560152ec7cecc7fb5027.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\usbhub\040C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sRLs0OAk8f.bat"
        5⤵
        
        PID:2536
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1976
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        7⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3024
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        9⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2852
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        11⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        13⤵
        
        PID:1160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        15⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
        17⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"
        19⤵
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        21⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\usbhub\040C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\inf\usbhub\040C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\usbhub\040C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c590d80f6c7bdc552fb6c47024cbaabc

SHA1
b1185d54b4da46a4b7182c5a916e26c72404f4aa

SHA256
012d127576ac5dfae00c86d4aaed785b78a8435f8e7fe53e393d953c1ed272b9

SHA512
df16d4b6167d247c8c5d08b3d2ea2dbd63c5d35d105afa065f1686b4dcddd45d2c8093a112e0d1c53faa0d5ce33be48e841e925873a3c14bc00d912f3bfd615c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45f80652b09ee7b21a3d9de4d609a146

SHA1
e0810cfe6f2c022452a34dd05e7ac0daeb9ed7ff

SHA256
92a25c67aab2a5f055e02621a92e6c392e08eb23992b1c069ddec66495267c17

SHA512
6a37ea613fc68e4f1c6b709fe32ec88224ffcdd8b708c1ad930df379052f4c13cf40148163576e3fa15698e43125daa045781890e345b77e347334c873dfcae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b3f2a3aef513946b2417f959ba4971b

SHA1
1a12d4cb7bf03c1cc3cd261ef82208d13aec981f

SHA256
fca925f558b76976a2053e79a4bd191484b20f051b097f797a3797ebf0af3046

SHA512
7e984d831b49479c35b1af1e9e5d766a560e38c200ad70d3fcc83d109770fb142802db3900df842aea3c321a98f87d151260bdbd9946848b075de8715427ce5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0f25e11cc73aead251d9b79b11af800

SHA1
33d39c326b1d031e6dc55bf375e0bb8681947860

SHA256
9b937900d6f3ec338ffc7032ec88ddefb24d1bc96f62b0fe6308b81876e99ad6

SHA512
3561afa960dc4f0f9c0efd7446bdd296246fb86c095bf9ee10c4068af9881935ffbeabb958bc7ac76a3abc214ad0c3faa8438df2f2520bc0a95703e86f30ef57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2efbe0815b9f35468da22c2715e9967d

SHA1
3494360bfe3500f87b02853340baeabe567fb3ba

SHA256
93d5da1de291d5ed494f30d1fbae15d33f53c942a50c662bb4fe5ec52b79c604

SHA512
f3d7ad1bfc22b4b0836787d62e05703ca781e66f32de13fc80824fd36680055193f5fa2c3a78faff40e98bbf845de1d3cfa5e18bbd483ee0f3bd3fff3e2d49c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f46cad5a9e8aa147102901ac25edc2b

SHA1
e213a88a64393f204b9141342e80e586463e078d

SHA256
e15acf4499b127daaccd16437422cc887c92053ad9b684c0c4f0dae42d19aa52

SHA512
ffaec71fa20395de904e8f4e09e49732203e591dbf68dc37c8d176ef85f50b3f5e4eb4d9d7e3b969d85a19a454dd50e4947cda3de8ba78507faec95ba7fb96bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4de59b4cbf6de3a91f57480d95d60e3d

SHA1
bdc3fde95fb77c5f37c20fd36fc3933f4a6955bb

SHA256
b918b59b72e55a36b96402c04a3e850d029204e57766fd6aaa538fce66160995

SHA512
ce02e1ff7dddf2568b28ab22287750c6d1a29b077fcb828bd3f3c88e2ac0a037884f7f8eb44449b8e2c632f028b154f13a2b5114fc654ff358a317683af3f926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02a0b47dd35e1d1dc8aaf6181b811f8b

SHA1
1cd17edcc9243ba012b30e5f762623e993e04bc2

SHA256
b1e31fe210fe846428c0d71c60141e32522763edddeb89bb682b90b379f92353

SHA512
9e29e2cd01d34f3539dd48cec24a0123ef2e87ef2c40a643e20c2bf40d77698d23e0d0f1739a39041ea18e41e873ca1122bcd775e50097b326ba698d939abe8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

Filesize
256B

MD5
ca79f2593d94a3e218ad8d90a7ddc6e4

SHA1
b6edf6de00281a674b0f5d8d06bcef66a471aba2

SHA256
cf0b2e961ad1f1417d3251386a6b7b8df09ce5da4191505a9d7f3cb92dc1ac7b

SHA512
70921282410a0a2908a36519d1baf8ace71e5450a96826c383737e8271e7c1394e892ceb41c83d165f7e8392340bdcb95e68beffe6ca0e90e8e5d6716da79886

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
256B

MD5
549bf246e8765eff37b9006553b3fd68

SHA1
b5c4cc37093949658c7d990f23ab8d05bfd532b5

SHA256
66ef0876b7b5f4f656ab6ed8546ede3df3ce9b42a5086b07edce48a02a103a67

SHA512
be564a976f3b9696fe3613f0ccf491480c3d89100f1eef05980608fb62c2d78d0f3fbc3deb76c0c512bd8f379f988e2f4e170f5bf82c45fa61ce5f6b5c3b228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9629.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
256B

MD5
ab55a93104900dd7eacf482dc1c4f87a

SHA1
416c510df7e9b2b5606291241171062e232f9351

SHA256
03c8f87e3d543c17cb24fec2591f590b8a5d9c8e14dd1003a716323723859765

SHA512
d0f79f2ac124d9d899ec16d129a34d50441683d71a1c64f8d7993f027349bb4aac01ffab78041049834d7b3511c6ce50c75cacade6bfc923cb63e5ee3c524406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat

Filesize
256B

MD5
d602889c72b66805cbf4ae159f122c19

SHA1
5e3a6755cce203a4d0fd4ec4a8380b8dcbd4678c

SHA256
749abb1a64aea4acae1d2c082620b51895b639b7fa77c02c61cdff5302abfad5

SHA512
1bfa2b6f1e127471de51f435673ba8655d9659acf0017afe21f61bde9c894de9c9727a0d91db8c135737885f98bc1e5e0c86ff82cb617918abb0620d3060459d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9716.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
256B

MD5
f699a766437e561acbb6d745cc3b0018

SHA1
b360e33732fcc96f63e53b6ff865594fc7bd2238

SHA256
9df4b24b5a1775e09bffee0c3eca8cb094247ed2ff9b8515d19d4f050ac2e084

SHA512
0424d306cb909f179137924f539f7b86f4920caaddf55a866bfded940b800bd0931886f377ded6f4ec8ee60b497034fc0a125a2d177b7c2c1fe2a8c767797e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

Filesize
256B

MD5
06f1b974c4d2a8a6896287d5e1118b5f

SHA1
da33e39a716aeac38d6cf3914205374e10c68e8d

SHA256
152363230181a28bf35de30f76a00f449f2852192c9faff5cc191c06eef1dd27

SHA512
fa4a8f62c528ec01106757c5b2f27d74c3350bac62a63d6fae8e92bc5afbf2544eddbc6e77e957bc5cf88eb2d308509c9c2780371e219a5278f7f9fafe70b8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sRLs0OAk8f.bat

Filesize
256B

MD5
17624f8e436a2ecbdfd8a8e6b0ed3d6c

SHA1
fff85197b5c8286ec634daf7578198c75f70cadd

SHA256
2653aedad218e5a199dc35e3a8616d121fceb5a65a52c5d430df66dea697d47f

SHA512
13943562e11ad8289a4d3dff16800551ba31108993cc7fd1f3a7d17d49a821a027ae2eb6644e3acdf1a2b44814bd4c6fb3ad900ffca17312ab1d1fe008cd9da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
256B

MD5
bf441d548e72c392e33af0af6f205630

SHA1
659e5d7022ea2143d470c38d37c8a5de7cfcdab9

SHA256
23c6f5aefac5faed36dd430439b6be7f8ca86b79f8ab2476592db7c406d00901

SHA512
c376eb2a32273eb1c07a1a730cf4e4c2cb26951686eb1d2382c83aaafe23cac7786b73109bc0bf3454b5eb6fcb0eb700fadbad07c6d9c0446583c62cf34f8c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
256B

MD5
bbba3a43773f54a682a2376e992b260a

SHA1
df0cd603d1aaa2dc9f4f7aea65e57625e7f15a0d

SHA256
c34938491d3bf09cbf77ee79786b1f61a2f8fd6ce6881d72592f21d3b93f663b

SHA512
5267e7f28ed8854f7733f24f9e41b08410f30d469db5a6a5f6e5d3e520dde2604922121760f7ad2375384e3250bd9697836cfc9ff4fa1dd4f54ae45f8eeb877b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
17c48c56f539f269f43d47d7b0fca7a3

SHA1
39276d9dc2d246a3be09865bcc468e3e3ff27592

SHA256
8dd344f55fc37b55561947df7468ded4ca150f19d857b215def825c091163f72

SHA512
efaab79c5c8c70663fbfb2d7d6d289e8a8dd63fdb51d25551b065d59950b5ed873253dcfad35a98b9a48eb3f20feffe404145334068a773f7fe91ae3efa29437

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1568-631-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/1948-216-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-571-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2796-157-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/2876-63-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2876-64-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/2904-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2904-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2904-13-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-16-0x000000001AC60000-0x000000001AC6C000-memory.dmp

Filesize
48KB

Download
memory/2904-17-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download