dcrat | fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe
Size

1.3MB
MD5

0b679af47908d80512e1687f8cb4196a
SHA1

40b51ee7924f1aa6938c2d4baad032c44763d738
SHA256

fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181
SHA512

9cb612e2644203cbbedac3388b8880cc39e9e9e0770780ec3b48703f57d64f7ffb101379541fa63964f84c922f344736c0cad6a39fcf90da563b9fc18c82760a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2472	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2472	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018766-9.dat	dcrat
behavioral1/memory/3004-13-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2528-148-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2964-267-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/1388-327-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2088-387-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2824-447-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2100-507-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/876-567-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/616-628-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2116-688-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1592-748-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe
1688	powershell.exe
2680	powershell.exe
2148	powershell.exe
2692	powershell.exe
880	powershell.exe
1920	powershell.exe
2312	powershell.exe
2508	powershell.exe
2172	powershell.exe
2448	powershell.exe
1828	powershell.exe
3028	powershell.exe
2504	powershell.exe
2372	powershell.exe
2072	powershell.exe
2076	powershell.exe
2744	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3004	DllCommonsvc.exe
2528	smss.exe
2316	smss.exe
2964	smss.exe
1388	smss.exe
2088	smss.exe
2824	smss.exe
2100	smss.exe
876	smss.exe
616	smss.exe
2116	smss.exe
1592	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	cmd.exe
2492	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\authman\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
2236	schtasks.exe
2932	schtasks.exe
580	schtasks.exe
1268	schtasks.exe
1280	schtasks.exe
3032	schtasks.exe
2716	schtasks.exe
2208	schtasks.exe
2364	schtasks.exe
2456	schtasks.exe
2672	schtasks.exe
320	schtasks.exe
2544	schtasks.exe
1760	schtasks.exe
2688	schtasks.exe
2660	schtasks.exe
1192	schtasks.exe
1976	schtasks.exe
988	schtasks.exe
2812	schtasks.exe
1340	schtasks.exe
2840	schtasks.exe
2968	schtasks.exe
1608	schtasks.exe
2336	schtasks.exe
2596	schtasks.exe
1080	schtasks.exe
1056	schtasks.exe
1768	schtasks.exe
2528	schtasks.exe
1968	schtasks.exe
484	schtasks.exe
2228	schtasks.exe
2668	schtasks.exe
1480	schtasks.exe
2696	schtasks.exe
2996	schtasks.exe
1532	schtasks.exe
744	schtasks.exe
2044	schtasks.exe
1248	schtasks.exe
3000	schtasks.exe
2824	schtasks.exe
556	schtasks.exe
860	schtasks.exe
292	schtasks.exe
1676	schtasks.exe
1628	schtasks.exe
2324	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
1572	powershell.exe
1920	powershell.exe
2072	powershell.exe
2680	powershell.exe
3028	powershell.exe
2312	powershell.exe
2504	powershell.exe
2692	powershell.exe
880	powershell.exe
2172	powershell.exe
2508	powershell.exe
1828	powershell.exe
1688	powershell.exe
2148	powershell.exe
2076	powershell.exe
2372	powershell.exe
2744	powershell.exe
2448	powershell.exe
2528	smss.exe
2316	smss.exe
2964	smss.exe
1388	smss.exe
2088	smss.exe
2824	smss.exe
2100	smss.exe
876	smss.exe
616	smss.exe
2116	smss.exe
1592	smss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	DllCommonsvc.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2528	smss.exe
Token: SeDebugPrivilege	2316	smss.exe
Token: SeDebugPrivilege	2964	smss.exe
Token: SeDebugPrivilege	1388	smss.exe
Token: SeDebugPrivilege	2088	smss.exe
Token: SeDebugPrivilege	2824	smss.exe
Token: SeDebugPrivilege	2100	smss.exe
Token: SeDebugPrivilege	876	smss.exe
Token: SeDebugPrivilege	616	smss.exe
Token: SeDebugPrivilege	2116	smss.exe
Token: SeDebugPrivilege	1592	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2392	2072	JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe	30
PID 2072 wrote to memory of 2392	2072	JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe	30
PID 2072 wrote to memory of 2392	2072	JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe	30
PID 2072 wrote to memory of 2392	2072	JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe	30
PID 2392 wrote to memory of 2492	2392	WScript.exe	31
PID 2392 wrote to memory of 2492	2392	WScript.exe	31
PID 2392 wrote to memory of 2492	2392	WScript.exe	31
PID 2392 wrote to memory of 2492	2392	WScript.exe	31
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 3004 wrote to memory of 1572	3004	DllCommonsvc.exe	86
PID 3004 wrote to memory of 1572	3004	DllCommonsvc.exe	86
PID 3004 wrote to memory of 1572	3004	DllCommonsvc.exe	86
PID 3004 wrote to memory of 2508	3004	DllCommonsvc.exe	87
PID 3004 wrote to memory of 2508	3004	DllCommonsvc.exe	87
PID 3004 wrote to memory of 2508	3004	DllCommonsvc.exe	87
PID 3004 wrote to memory of 1688	3004	DllCommonsvc.exe	88
PID 3004 wrote to memory of 1688	3004	DllCommonsvc.exe	88
PID 3004 wrote to memory of 1688	3004	DllCommonsvc.exe	88
PID 3004 wrote to memory of 880	3004	DllCommonsvc.exe	89
PID 3004 wrote to memory of 880	3004	DllCommonsvc.exe	89
PID 3004 wrote to memory of 880	3004	DllCommonsvc.exe	89
PID 3004 wrote to memory of 2504	3004	DllCommonsvc.exe	90
PID 3004 wrote to memory of 2504	3004	DllCommonsvc.exe	90
PID 3004 wrote to memory of 2504	3004	DllCommonsvc.exe	90
PID 3004 wrote to memory of 1920	3004	DllCommonsvc.exe	91
PID 3004 wrote to memory of 1920	3004	DllCommonsvc.exe	91
PID 3004 wrote to memory of 1920	3004	DllCommonsvc.exe	91
PID 3004 wrote to memory of 2372	3004	DllCommonsvc.exe	92
PID 3004 wrote to memory of 2372	3004	DllCommonsvc.exe	92
PID 3004 wrote to memory of 2372	3004	DllCommonsvc.exe	92
PID 3004 wrote to memory of 2072	3004	DllCommonsvc.exe	93
PID 3004 wrote to memory of 2072	3004	DllCommonsvc.exe	93
PID 3004 wrote to memory of 2072	3004	DllCommonsvc.exe	93
PID 3004 wrote to memory of 2076	3004	DllCommonsvc.exe	94
PID 3004 wrote to memory of 2076	3004	DllCommonsvc.exe	94
PID 3004 wrote to memory of 2076	3004	DllCommonsvc.exe	94
PID 3004 wrote to memory of 2172	3004	DllCommonsvc.exe	95
PID 3004 wrote to memory of 2172	3004	DllCommonsvc.exe	95
PID 3004 wrote to memory of 2172	3004	DllCommonsvc.exe	95
PID 3004 wrote to memory of 2448	3004	DllCommonsvc.exe	96
PID 3004 wrote to memory of 2448	3004	DllCommonsvc.exe	96
PID 3004 wrote to memory of 2448	3004	DllCommonsvc.exe	96
PID 3004 wrote to memory of 2312	3004	DllCommonsvc.exe	97
PID 3004 wrote to memory of 2312	3004	DllCommonsvc.exe	97
PID 3004 wrote to memory of 2312	3004	DllCommonsvc.exe	97
PID 3004 wrote to memory of 1828	3004	DllCommonsvc.exe	98
PID 3004 wrote to memory of 1828	3004	DllCommonsvc.exe	98
PID 3004 wrote to memory of 1828	3004	DllCommonsvc.exe	98
PID 3004 wrote to memory of 2680	3004	DllCommonsvc.exe	99
PID 3004 wrote to memory of 2680	3004	DllCommonsvc.exe	99
PID 3004 wrote to memory of 2680	3004	DllCommonsvc.exe	99
PID 3004 wrote to memory of 2148	3004	DllCommonsvc.exe	100
PID 3004 wrote to memory of 2148	3004	DllCommonsvc.exe	100
PID 3004 wrote to memory of 2148	3004	DllCommonsvc.exe	100
PID 3004 wrote to memory of 2692	3004	DllCommonsvc.exe	101
PID 3004 wrote to memory of 2692	3004	DllCommonsvc.exe	101
PID 3004 wrote to memory of 2692	3004	DllCommonsvc.exe	101
PID 3004 wrote to memory of 2744	3004	DllCommonsvc.exe	102
PID 3004 wrote to memory of 2744	3004	DllCommonsvc.exe	102
PID 3004 wrote to memory of 2744	3004	DllCommonsvc.exe	102
PID 3004 wrote to memory of 3028	3004	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msyYT6rUYC.bat"
        5⤵
        
        PID:2184
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1388
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
        7⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1376
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        9⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1828
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        11⤵
        
        PID:792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:536
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        13⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:876
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        15⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:772
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        17⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1072
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        19⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3012
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
        21⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2596
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        23⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1676
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
        25⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2624
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\mui\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Help\mui\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce14d76cbf34cc8db75113b31cedb47b

SHA1
c75c7bf4f485f60e3fa30bf4e180d38702c32c33

SHA256
ef116971c02a32c4def2aa7c360f19cba57801f8525d1e2ce6ed597f52474549

SHA512
439aaf5ecb124c151940b01d398747074edd57a8427524b070f299a107ae372bef21de0bc129dda01d127ff0fe459450eabf6e94cd44b60391daa27b91ee896a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2629f60e06cd7a98b3d5b6e209586b0

SHA1
5dd41d1f70ad1607f5b791061ae41adb6c411a8c

SHA256
63ffa7e1ea10ca868ef350c2b0cd3e065679c70adba48324be08b0fcc30c5e91

SHA512
93e0db96a7dc32b109000ff79cfb399a9e161ff70ed001694b1c1fd6a3ce3c688db64aff5ee295a1f40f6c3c5ef0ae3f8543888add6e1ea883839f165c7143ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54ffd5c760f8da722c597d34b6182ef5

SHA1
d616c4f487316a114b27ae6febc97eaaef6586da

SHA256
5d3e2b83017952d9a3956c46850302add2510eeea0a617ec9ab99a635b0c8215

SHA512
e27343d0f8d8f3fff000f3cd057ac27de53ea8de6699ff755edb6d6a202dc2ffc950323960cc897e24f3df9c1ca708c03ccdd742b58a3d54194a219da8bc4b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
102faec522fee68737b4482391ebdced

SHA1
47421f527e047c31aa79056c0b66da00176a8cd3

SHA256
9c966835c08fbfa38bfb38e66f0553a5c6ccd6747606fd56e010e26443c13b3c

SHA512
7bcc576388d9a6e34ede59d2299778c4d07be5873d9951d7de458140cb5e78ebd61ea011538acad326d56083774656a65bc6d909102d2565685486e502dc09d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59ad60dedff8a452e675440c4f096c17

SHA1
f33af924de86aa489b8af7ef7fc8c31cfc20e694

SHA256
84401eb5261c9fe9c1d4902ac1d6265de3cb3fb584f645e52e9bbef637c471a5

SHA512
34998173d6626f3818a2d8f64b9daba18d63a1e97080f7c521583cd067a7da1346cdadcc2717cf9008d8099b6c272a1b143193a66e54b97c33ebba91c5c8b9ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7942bb2e7242a1d8c1ba1de966bbf58e

SHA1
77df9b6c037e1fd19ff0847ead930570667b6c63

SHA256
d7889f948f957e2ec579273fa693e4778d8204e99bafdda4234fbeec9d21e38b

SHA512
d9006448e42a7c0c6d6b2076ba494b4785964a92e1b0ccfe3d4a66ac6da863f197590cc893639c04c821cfd77b826881c6bf420b063bbde0f8f551c82e6fda80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08f4ca73ea46d6435a90649a6a589508

SHA1
a6c61fdfff2e8aed2e7a21cd3334d8875bd71c9b

SHA256
b261cf4714ae3f4edfe3305ee245fb841af3a29b2596b2d170fb790a22e87187

SHA512
897b5776ece7836fe66fe96ba45e1a5870399bb4a11b2596240671074ddd911a86b8614462e1f1d0fd235490b7a7638ae9eda2b32466c471e105b1413cfdf6fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97c0d76e475191028edd0b758b12dc83

SHA1
32e4293acf1a97d9afba6d9cce6b6116885eec4d

SHA256
b378bc3e59fe4a761935e8935cbb2a571f20ef3a6995a2d23782c6a8c8c4b2d4

SHA512
31e96c2ccd70d9644260f8d14eaaf52776a8dbc1892be24db8c8d41b7de83c171c956d960498039a9ed08514d04f59af82e6ffa01ce01821fbb6ff7e85f9b995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2bf045c97ed1dd1f517b1c32a0399f3

SHA1
f99974b9b17e5c60dc8ed48fd3870aaf8d276671

SHA256
f731c6e3c5f8ac9e6a1db7e9d2bedd7d83975018b05895e760e6d55b026344ea

SHA512
a5b5f2c21607783facba715874521ca00b90f70dbf09a3caf9ea7fbe09d71868a2087ba40ea53107fe52ba8514da4495eef1a868f7951fb75312bcaad60f168e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
222B

MD5
391e8ee29a6aec957ed239ae29ff492b

SHA1
29dda9925e236043efee005ce5f71c275dde7d6a

SHA256
1919036a3556104e450877a2680b6a4194b5501f4a33cdfb02c25861b535f289

SHA512
f6e9a20d04a7d643678bec86a65a5469ae815f3a90c07760834499b5d7a76e8e62176b44a84f345884ccb02280292fad91844263e3e3df94f54bb3e542ea5f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
222B

MD5
78d340acf3f8181a8a2d30ae83a624e3

SHA1
402976e1be2b4921a131940e0099219a44e401d5

SHA256
49abc28790caec6949dbc55beae963472191fc64d6fd6c724943d29f4d62005c

SHA512
4e1f0d213bfbc285eabceb8dbb3372201b0087ff13721d708e77f44df34735a218fbddfede8758bd634de3d6ba5fc718dc92f7c30ce355d870dbb3f57329ac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat

Filesize
222B

MD5
b6c3d7750952abb5055f1f77095a59eb

SHA1
a152984948ad19f8f4ec43a848d76a015a4e6354

SHA256
4a7c18bda89889eea67c4c618c3e527458b49e699dacd9bdf6885d2e191eb072

SHA512
e7153c613981817d6ee32131f3b74905e3dedddfcee6ec2cb63b777b59a2e21c310f5cca84c1e767f5a3bc5e4761b3c6a3d28a0f2f8ab217bf72c81ea94f5e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
222B

MD5
5e964a501a0fd3bc0b9cd86d3f30b590

SHA1
fc3890b19b6a1d3fae47007662f92898d2a3fb73

SHA256
94b7914f1239bd0b2f2ac1dd2aaf02ff613776ba7f9911c3095c862951b99b4c

SHA512
76bcef08d0abe28976e6e6e63aba2d2f4d587a702f29653d43301a0772979e02dfcb73c9650c0d2672a3075cd20376aed4074d1288045ea21eeaf6885a36f93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCBF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
222B

MD5
9b39310f7a61314b6d12b329e2c93b53

SHA1
8ec58a0ee01ff63e4372e2bd48d8761cbecdfac2

SHA256
a27185eb5895668305a0fc889b0be53a41258614ec17c576341fd9644465aa45

SHA512
2fb7334d9e01ad5d185efc40af782735d10c6197d0a798adab64ce6c80922f6e47e08ef181095cb1b2fd3e2ca6933989c3e98de0b75a6c21ffbebd7af8925f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
222B

MD5
76c2c51d54b61c747ed4f128d1af1ab8

SHA1
1b3652334eecc309a511522194a7c1d0f842d390

SHA256
893f70cf1b08f2f522953b6723c025f40ccff457fda86d869eb3da01ff7a177e

SHA512
6fa92fdd9e5a3846b8937292e1186a929c43c73b089a2edee2df97b5638db91b8b6b4b97986ef9141eeb02106f59d7013b6bd15f1359f4681b9880a50c391814

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat

Filesize
222B

MD5
caf0d9d2a18f9bcbe772d21f67bc73bd

SHA1
22d7c014b2d9cae834255c1bc824cb3bb3019d61

SHA256
6748087e2650bbb9f514d25ec9883092a4686bca84909398ab894bb920ae0b16

SHA512
b2ee72041db2393c00432a9ff1ad37e096375f035543549e6a7128fd7d76bb298cbb82dc8dc100fc501ae98fc589c68b079344666c3bd0ff188b6676acc5bccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

Filesize
222B

MD5
4cee5ad382e1dd6bf8c45ba395de3237

SHA1
4d060f1e85059b59491edf79ad55eb7de496d524

SHA256
51990b36861485cd12de98220dcb4178bf3d4734ea282af2c0d5776b135dfcfc

SHA512
4950ba8f7d307cf24e10c035ae832119f42ff5dda2830af4aed60af6b47b6a8b89410dff9fea567bb7bfb522420e974ee2583b9bcf44fe76397619a8c7acbe1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
222B

MD5
770dda1db9afa4e0b4252381cb3c997a

SHA1
a0bd7e65053021a4a5f9020facfd3a0fdbfca108

SHA256
07a5175c0f6b2fc3e89cb5ab02f9aeb9afbb0fdb79ca3a8a6d8c556a1ddb7dcb

SHA512
ed422c542208f329350a5618dbcdc610d9b7967a814e8dd3e2ce8dbbcaa7c23511fd88e97fea02af0e3d9c30f6f1f53567dd7d55882c5e7d6647a59be0071b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msyYT6rUYC.bat

Filesize
222B

MD5
0d7d3849df0bce3263c11910fa92f807

SHA1
05e2e23bc61f02d57bd8573579fd5ad422303ab4

SHA256
f9d2ec30315d284f2da14e58c60c9043d038db1373c46c2725031b3864be7298

SHA512
e7493ec5999fd478a97c8cb0d2621e88a62ec60c89c6e1a37164ab921754cd648555ae054c70e43b58d0a652369f5c6ae04ef8821e8a7b7129ed62ae610d83b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
222B

MD5
fa79e71474db998c6b7f9b07569c811f

SHA1
84d69e86a92cd314d93f6eb8a7a61835b7e227ee

SHA256
1e8ee3ce60e91d7086794f84ac652ca7a3bbd2e945123c64e3124072f670de73

SHA512
17f9686ec28ea802db927daf8cf0b5a509993307e7162e1cafd08e8ff1c5433a08f71e8492bda2be48c3f0e4bad402819b3c303da9b5a315dfba6e6a16fc1ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f21854edceecdd22694ea9121d8927f0

SHA1
7f6cc582d5bb2a735a426987174662a21ca60cbf

SHA256
f4099507838b80303d7fbe10194ad81a79f0fe62d120cc096be935b9eff494d9

SHA512
d79cb57ade79cb9073ee4b22690244651437d7dda80606054dce6d34e0b81607cc7ae3367fe607e27a5888817814646fc079b29568167f064da7694a7b0820c1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/616-628-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/876-567-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/876-568-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1388-327-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1572-58-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/1572-57-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/1592-748-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2088-387-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-507-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2116-688-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/2448-144-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2448-145-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/2528-149-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2528-148-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2824-447-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-267-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/3004-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/3004-13-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/3004-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3004-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/3004-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download