dcrat | c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe
Size

1.3MB
MD5

e8caf99bb9c5e3408450e42abc225e00
SHA1

1329d8ac516f6796e463f1fce130c4c27c847030
SHA256

c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1
SHA512

a4bae07f9bdeb63d809ef6aa27026eca8f682dabf2047a98c5bb1f99e63df2c2a7fa1fc902453c70db7f5d7c1630c6177e26fac2187a8d35af906a983c42aa08
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1560	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1560	schtasks.exe	35

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015fa6-10.dat	dcrat
behavioral1/memory/2596-13-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2364-147-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2856-207-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2980-268-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1728-328-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2224-389-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/3020-449-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2396-509-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/916-569-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1760-630-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2956-690-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
2784	powershell.exe
2780	powershell.exe
1772	powershell.exe
2720	powershell.exe
2072	powershell.exe
2764	powershell.exe
1344	powershell.exe
2684	powershell.exe
1764	powershell.exe
2672	powershell.exe
1292	powershell.exe
2692	powershell.exe
2592	powershell.exe
2708	powershell.exe
2120	powershell.exe
2676	powershell.exe
1684	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2596	DllCommonsvc.exe
2364	WmiPrvSE.exe
2856	WmiPrvSE.exe
2980	WmiPrvSE.exe
1728	WmiPrvSE.exe
2224	WmiPrvSE.exe
3020	WmiPrvSE.exe
2396	WmiPrvSE.exe
916	WmiPrvSE.exe
1760	WmiPrvSE.exe
2956	WmiPrvSE.exe
1744	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	cmd.exe
2728	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\servicing\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\services.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe
2528	schtasks.exe
2348	schtasks.exe
2408	schtasks.exe
1760	schtasks.exe
2060	schtasks.exe
1048	schtasks.exe
1388	schtasks.exe
2112	schtasks.exe
2752	schtasks.exe
2832	schtasks.exe
1224	schtasks.exe
1572	schtasks.exe
2944	schtasks.exe
1032	schtasks.exe
880	schtasks.exe
2908	schtasks.exe
2144	schtasks.exe
2380	schtasks.exe
1744	schtasks.exe
1548	schtasks.exe
820	schtasks.exe
2200	schtasks.exe
2964	schtasks.exe
2724	schtasks.exe
2088	schtasks.exe
2448	schtasks.exe
632	schtasks.exe
3024	schtasks.exe
2936	schtasks.exe
2516	schtasks.exe
2100	schtasks.exe
1148	schtasks.exe
1652	schtasks.exe
2920	schtasks.exe
1500	schtasks.exe
1804	schtasks.exe
2536	schtasks.exe
804	schtasks.exe
1208	schtasks.exe
1156	schtasks.exe
1436	schtasks.exe
560	schtasks.exe
2464	schtasks.exe
316	schtasks.exe
3044	schtasks.exe
2452	schtasks.exe
2012	schtasks.exe
2440	schtasks.exe
2372	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2596	DllCommonsvc.exe
2780	powershell.exe
2764	powershell.exe
1684	powershell.exe
2676	powershell.exe
1344	powershell.exe
2784	powershell.exe
1764	powershell.exe
2720	powershell.exe
2672	powershell.exe
2692	powershell.exe
1292	powershell.exe
2812	powershell.exe
2684	powershell.exe
1772	powershell.exe
2708	powershell.exe
2072	powershell.exe
2120	powershell.exe
2592	powershell.exe
2364	WmiPrvSE.exe
2856	WmiPrvSE.exe
2980	WmiPrvSE.exe
1728	WmiPrvSE.exe
2224	WmiPrvSE.exe
3020	WmiPrvSE.exe
2396	WmiPrvSE.exe
916	WmiPrvSE.exe
1760	WmiPrvSE.exe
2956	WmiPrvSE.exe
1744	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	DllCommonsvc.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2364	WmiPrvSE.exe
Token: SeDebugPrivilege	2856	WmiPrvSE.exe
Token: SeDebugPrivilege	2980	WmiPrvSE.exe
Token: SeDebugPrivilege	1728	WmiPrvSE.exe
Token: SeDebugPrivilege	2224	WmiPrvSE.exe
Token: SeDebugPrivilege	3020	WmiPrvSE.exe
Token: SeDebugPrivilege	2396	WmiPrvSE.exe
Token: SeDebugPrivilege	916	WmiPrvSE.exe
Token: SeDebugPrivilege	1760	WmiPrvSE.exe
Token: SeDebugPrivilege	2956	WmiPrvSE.exe
Token: SeDebugPrivilege	1744	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2868	2676	JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe	31
PID 2676 wrote to memory of 2868	2676	JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe	31
PID 2676 wrote to memory of 2868	2676	JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe	31
PID 2676 wrote to memory of 2868	2676	JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe	31
PID 2868 wrote to memory of 2728	2868	WScript.exe	32
PID 2868 wrote to memory of 2728	2868	WScript.exe	32
PID 2868 wrote to memory of 2728	2868	WScript.exe	32
PID 2868 wrote to memory of 2728	2868	WScript.exe	32
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2596 wrote to memory of 2708	2596	DllCommonsvc.exe	87
PID 2596 wrote to memory of 2708	2596	DllCommonsvc.exe	87
PID 2596 wrote to memory of 2708	2596	DllCommonsvc.exe	87
PID 2596 wrote to memory of 1764	2596	DllCommonsvc.exe	88
PID 2596 wrote to memory of 1764	2596	DllCommonsvc.exe	88
PID 2596 wrote to memory of 1764	2596	DllCommonsvc.exe	88
PID 2596 wrote to memory of 2784	2596	DllCommonsvc.exe	89
PID 2596 wrote to memory of 2784	2596	DllCommonsvc.exe	89
PID 2596 wrote to memory of 2784	2596	DllCommonsvc.exe	89
PID 2596 wrote to memory of 2780	2596	DllCommonsvc.exe	90
PID 2596 wrote to memory of 2780	2596	DllCommonsvc.exe	90
PID 2596 wrote to memory of 2780	2596	DllCommonsvc.exe	90
PID 2596 wrote to memory of 2120	2596	DllCommonsvc.exe	91
PID 2596 wrote to memory of 2120	2596	DllCommonsvc.exe	91
PID 2596 wrote to memory of 2120	2596	DllCommonsvc.exe	91
PID 2596 wrote to memory of 2764	2596	DllCommonsvc.exe	92
PID 2596 wrote to memory of 2764	2596	DllCommonsvc.exe	92
PID 2596 wrote to memory of 2764	2596	DllCommonsvc.exe	92
PID 2596 wrote to memory of 2676	2596	DllCommonsvc.exe	93
PID 2596 wrote to memory of 2676	2596	DllCommonsvc.exe	93
PID 2596 wrote to memory of 2676	2596	DllCommonsvc.exe	93
PID 2596 wrote to memory of 2672	2596	DllCommonsvc.exe	94
PID 2596 wrote to memory of 2672	2596	DllCommonsvc.exe	94
PID 2596 wrote to memory of 2672	2596	DllCommonsvc.exe	94
PID 2596 wrote to memory of 1344	2596	DllCommonsvc.exe	95
PID 2596 wrote to memory of 1344	2596	DllCommonsvc.exe	95
PID 2596 wrote to memory of 1344	2596	DllCommonsvc.exe	95
PID 2596 wrote to memory of 1292	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 1292	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 1292	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 1772	2596	DllCommonsvc.exe	97
PID 2596 wrote to memory of 1772	2596	DllCommonsvc.exe	97
PID 2596 wrote to memory of 1772	2596	DllCommonsvc.exe	97
PID 2596 wrote to memory of 1684	2596	DllCommonsvc.exe	98
PID 2596 wrote to memory of 1684	2596	DllCommonsvc.exe	98
PID 2596 wrote to memory of 1684	2596	DllCommonsvc.exe	98
PID 2596 wrote to memory of 2684	2596	DllCommonsvc.exe	99
PID 2596 wrote to memory of 2684	2596	DllCommonsvc.exe	99
PID 2596 wrote to memory of 2684	2596	DllCommonsvc.exe	99
PID 2596 wrote to memory of 2720	2596	DllCommonsvc.exe	100
PID 2596 wrote to memory of 2720	2596	DllCommonsvc.exe	100
PID 2596 wrote to memory of 2720	2596	DllCommonsvc.exe	100
PID 2596 wrote to memory of 2072	2596	DllCommonsvc.exe	101
PID 2596 wrote to memory of 2072	2596	DllCommonsvc.exe	101
PID 2596 wrote to memory of 2072	2596	DllCommonsvc.exe	101
PID 2596 wrote to memory of 2692	2596	DllCommonsvc.exe	102
PID 2596 wrote to memory of 2692	2596	DllCommonsvc.exe	102
PID 2596 wrote to memory of 2692	2596	DllCommonsvc.exe	102
PID 2596 wrote to memory of 2812	2596	DllCommonsvc.exe	103
PID 2596 wrote to memory of 2812	2596	DllCommonsvc.exe	103
PID 2596 wrote to memory of 2812	2596	DllCommonsvc.exe	103
PID 2596 wrote to memory of 2592	2596	DllCommonsvc.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9dc7e5c385290ad40fe1f8e3ce08dc83863223b8b72059a68a025bfa709ace1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OC9FrS1CKi.bat"
        5⤵
        
        PID:1340
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:444
      - C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
        7⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
        9⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2332
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        11⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:680
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        13⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1832
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        15⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        17⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2292
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
        19⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
        21⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1444
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
        23⤵
        
        PID:468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1356
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        25⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2932
        
        C:\Program Files (x86)\Common Files\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e744b9a5d1d39d9600bf854ec85e725

SHA1
adc5eb690099a797fb27849d398231b2b1d6b574

SHA256
448eb1dfe4a32a40aea41a834605443f869893f982d342ce4e92fc06a1be089f

SHA512
1256ec50942d78f7bd086a42bd98675a233768312e81531eb22f70ce2e49e38262eba40c6bf50e813d4c425079ede9d3dca0f10eebef871715a1e3699c37949b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a10a2e0293c68e4169954975794800c7

SHA1
ee22929f53534b4e0033c7c0807e3c70c9d59173

SHA256
c4e8c2c8db6375b2a4fb69ec3d74998962f8993110e6b2929ed4b97f06edab7d

SHA512
34d9bb57a32b755be93ec61bc4bd2bb3852dea40100faaa4828da8188a93ddff10feeb7526bc2ace3cb607e1341b5b440f4053e8f88b2d1e9ca6ffa2aaed2b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3793e57569b4f1f7e2da57d8d2be613

SHA1
e0371c24accf9af56dd7aa0e1aade4fecb4cb057

SHA256
661deb4b01efab3f5607e96bd22320e6bb38fc36132aa89a23d11fa26a3017d0

SHA512
18a0e4692ceadf1a93dbc5265483c4c2245edab933191cee5855f237637f2c8222db094f83ff29b562f40dad8e170a55d4167100abb3eab7e032b8e26539e7be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd60366d2c515e009199f2bde82ad001

SHA1
a4e03d8c55c04125a22d00fb2576f0998edbd960

SHA256
99b347519a14ccd31ef82eddabb3de8996aacd257107d235c5dd13e599b7ccab

SHA512
a2e82544931c019bda1d2c9a70624e51c7a51e505bb8b5b606e6bb415c561d4c4264a3a3dbae42ed36114908432920a53a828adbcc916e950a3c923046c05109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1254e4e6db433eafaa9b41beb20297c5

SHA1
3f83493759f258e501ae005556d9738e5781f58c

SHA256
0ed74c77c13ac01aa48bb4283c9520b380a0346157123a2e4b2aa1001b91a749

SHA512
1fda8daa4d65406c8adfc822c7bd96e65c31f430a21549c1cb3b40fad3e0460c053176067edb56a9b9dc5ccd8f9721e0b1b8b7569d29c12b1ae10663cbd26f10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82c3fb8e9a946cb65b770aaa5ecfc7bd

SHA1
b25bec4cc255fc9fa2bf833ff66617d476ce8ca8

SHA256
bdec622a433d1af23e4036e94a2fe280727d01f4f8015cc561b0a754c1deea89

SHA512
b686431ca3e9d711f8f02e417af07c23975a5ad07b43fa1a66ed44a320bebebfd1c034fe6d62fb98191794c004eeac600cd54c6631878b7d3bfd84498574dfbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a146b3adb4c72eaa5910c6d031749d3e

SHA1
5775571c814a7aa5227fab4fc7ce167bde9d4d36

SHA256
6563b0769a3cca6ec56f9c5a573e748577e70c77123ac8b2587e1786096352c3

SHA512
54390c695d1f07a7dd5930fee2a1ab403dfd648b227bb4e3b23542f981ff03529330a139b14e0690cb31a0c1135ae4056f7302cb58284a95cc0dd2d6ab7bd8a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71d0b9bc11515a08e06058b77fdaf7cd

SHA1
c537c51f7661785b3f62fb383122c98a7b267282

SHA256
30f32ba4edf865fbb2c45f1f0558fdd43c27c3dad6a83cbae30636c898df4f8c

SHA512
e2c28a6ab7acd7600256349ae5acc01e8d6072fe1e854543e983d921509c5b099ea7923d3419c28f25709902bd27137699d0c3e2f69d04dc8888cb2e0c398c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
997b9c25dc1914ddc7b36785cf6f4938

SHA1
7d1d95c2907481dd9d8c832d8d2f71ec901b3191

SHA256
3a0189ea9a8451467624a4fad4f1b3dae4885fa1ae996c6f2c8d327bd2710156

SHA512
2ab0d32d8b9f6934838f9a33aa8a0406aa6e853b8971fd88e824c287b9d3a3f799fea6fe7ec0b73ebf6d65bfb3968346f77e950dc130917fa668a42a29693a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
213B

MD5
6c3b39045959a0b69a16dfb501bc3650

SHA1
8e9a5e04f9df4c8e0086f93d627d48f143c93492

SHA256
f5fdc460070953a41f0cc848dee3b19dec19d0c220f5fc63c35bf90ce7b15548

SHA512
b859a707828e3d274afce9d346bd62e76f7ddb37d4e6c77f25963f4bd901c825d8430fee14266ec160360aec8457ed97ea482c9a5a3f00d288a8a70838baa5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34A9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
213B

MD5
24018f208525f918e40d47a53bdbf80a

SHA1
158981c260b94f309574de32039425f2f66665e4

SHA256
42055059a96ece4b68a31cfa99a18cd184cffa1c35e91e7f52e5d3c94dda7fe8

SHA512
6e09d1750a47038c988776d5a10a479df5a236db0961728ef75d6ef65b0f34837b98fde22ce0ab50f345b9952604264729295adeee10f440d8aef1f4a5ad2d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat

Filesize
213B

MD5
12d352a6cd0458795c5b790767643beb

SHA1
6cb1c87c70c419733881c29c1dcc943081707f40

SHA256
cef447e7ef5b26b8300d8b29149a25435e548db8856c0b0ced36d6195af916a3

SHA512
942075c7c1a29d5fd4e38e02ec495c5a9939e7ce5867eadfc3ecdec1393b6f951fe9343b8016d86abb91f29bb1e29cf32e104f78f6b7d1412594694423f56e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
213B

MD5
ba4dd8b76a5fa6122031d99d494b869d

SHA1
4de30096b6483d67ca9a22c7caed8c51857a9d6f

SHA256
eca775a03da223fcf2b5e7ea37ec3c14434beda1c75f6f39eacd6f4b5100dd69

SHA512
48dbf458e710dd4fb785afd10123664535f877e1a432c626ab6ba84c36d5e0b32aa3667bf66a557704480f1b5c98522c4e3eb576e4c18548746791dad2085a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OC9FrS1CKi.bat

Filesize
213B

MD5
a5aa2f8f0a629f7a606868df0c3fe4b3

SHA1
e6e956031f5bf7d437ffbd99de56e19f9f3dca0d

SHA256
06a74f363151491671a2a3007657cc04bf5f184b3bc385f9cb5f1df9b2dc5741

SHA512
2b2226fd9a7ce0ef43a6e15ce14dc93eba4723a836e23022672e99045981cdb2dc1a8c66e15f89d456a4b3e7522548ce6f15ef68e7d6cc871ec8283b4548cbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

Filesize
213B

MD5
3db02310d2882711280cc76eca37f456

SHA1
f556f2cfc37b39622c5ce3c8084368f65714189b

SHA256
7fc3a5daea3cbeebeca510c00be4a249b2ad175a64638119adc38aa1388ce526

SHA512
1dcaa48cde1624bac400deba47d679117590a255c44bc2dc87a00e9db8ccd70185a5e73bda8fb4359784f4ccef94f525d85f3416abf0b7d4d26fc9a3f612ef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34DB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

Filesize
213B

MD5
a1136b572d6344e8dac0a7eb2ed8a461

SHA1
3205542f71da92e1c53fc1822e0a09153072dd23

SHA256
de3942c32cbebae46bbbb26643bcc1efedfd71b514e435de5accf2380297275c

SHA512
cfb6d150803a76a7a5ade9688bb6db5c1f30b643827dbd11e8c647df6ac35edac80ddaf1594c29cb782078ce3000bf211e386508f66d36dba8079538c2dbb07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
213B

MD5
59d1a1902e72dabe1fb0831037068fce

SHA1
77b41c86eec3ca286a7b85cab06ae037376d91e4

SHA256
8588a10a6a9d789dab94a90f4dfe9ca23e382a67fa9371d7688abf147bc094ab

SHA512
a572ea8a1d7f9d6f04d5923962245b98f876a454242114c5259f8e09f4593e17285fe7f8a0558801de31692209a74159de683659b26a9e627846c849e7af66cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

Filesize
213B

MD5
124f76d09ca3ae312eaaef16ef71c00f

SHA1
ac06b10bd79956d800eaf88357bd9d817001e0db

SHA256
de2369b7bd12a3c87d730777453a2ec601792bbfdbca4fc507c686a3176704ac

SHA512
391e43285d9d0653e3a22efe92e241540edc8af56108434db1786789c6a2b4bbb9c1afca00151115849563ac2ed7e085b8d468f1c2efd101a20f0f70dcfb8cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
213B

MD5
4a7c6883bb81f761fad0ea8cfd2c0f38

SHA1
a1a03811c266f30863157ddf93f69639dc03d086

SHA256
cbad0aaca3d54edbd5fc375ed4883688c0183bf8a0a23cfdfed4404ad740fd3a

SHA512
9a1853f909c385101ac5fa7f325c1192feaa34d2d31a51f9d256f05d0423fc61e8eb903f53609a97d1dc3720e74cb5048d33a0e26f4088725646b95a26daa79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat

Filesize
213B

MD5
b41c046c150fd870963ed2fb398d5a02

SHA1
0c73db50ee808d014414701f88d32b6bdda45a49

SHA256
15693d98ae00491f4aa3ba55289097d5a67ad0852a00ad504117895765c44216

SHA512
f392519a8c951af873a763246793f621476a530a65d49174fe43efbb3b46f3d2e8b0cc4513cfef9223570a586cf5ae0094e5690cbe2dfa40b4d4c3794cdaced7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8671d5d772b8ef71ba03905ae052d29d

SHA1
d3ce6b512f3ac9ec2c903d4891008229da17f22a

SHA256
f1e22672b974712dc1a9879aeba342435c147447e93d6943cfc8f423fb57d210

SHA512
431526c827df21dc9f1d0a332c4ff3c5707e5dfaed08dab44403ee6efa42d0c16c3e3195468b9b2e22c3661522d5c9bcdf626f9e058f7f810af1613f8a71d765

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/916-570-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/916-569-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1728-328-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1728-329-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1760-630-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2224-389-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2364-148-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2364-147-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2396-509-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2596-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2596-15-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2596-13-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2596-16-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2596-17-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2780-74-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2780-68-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2856-208-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2856-207-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2956-690-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2980-268-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/3020-449-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download