dcrat | 88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe
Size

1.3MB
MD5

7aab78b9433b32493b1001f29dd32a1e
SHA1

7a77294af35b949e00fef16ae39b488afbebc449
SHA256

88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527
SHA512

ccbe14e6a40809ccaae2228d4951d6eeeb1795172d2e6f33b92749a22a63ffc2b398f570b2566f7d5233bdc3b341d5c536ad1e06d92cf1ff8d96a2474399e460
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2884	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001920f-9.dat	dcrat
behavioral1/memory/3064-13-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1180-82-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/664-202-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2664-263-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2576-323-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2484-502-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
2484	powershell.exe
2088	powershell.exe
2448	powershell.exe
816	powershell.exe
1872	powershell.exe
2232	powershell.exe
1828	powershell.exe
2052	powershell.exe
1520	powershell.exe
2460	powershell.exe
1500	powershell.exe
3060	powershell.exe
2252	powershell.exe
1840	powershell.exe
2156	powershell.exe
2800	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3064	DllCommonsvc.exe
1180	audiodg.exe
664	audiodg.exe
2664	audiodg.exe
2576	audiodg.exe
2544	audiodg.exe
3004	audiodg.exe
2484	audiodg.exe
2576	audiodg.exe
2772	audiodg.exe
2192	audiodg.exe
2372	audiodg.exe
1480	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	cmd.exe
2108	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
25	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
28	raw.githubusercontent.com
38	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\System.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3020	schtasks.exe
2064	schtasks.exe
1452	schtasks.exe
1916	schtasks.exe
1844	schtasks.exe
580	schtasks.exe
1964	schtasks.exe
2656	schtasks.exe
1988	schtasks.exe
688	schtasks.exe
2208	schtasks.exe
2176	schtasks.exe
1560	schtasks.exe
788	schtasks.exe
3044	schtasks.exe
2792	schtasks.exe
316	schtasks.exe
1196	schtasks.exe
2960	schtasks.exe
2856	schtasks.exe
1984	schtasks.exe
2776	schtasks.exe
2564	schtasks.exe
1976	schtasks.exe
1980	schtasks.exe
1300	schtasks.exe
912	schtasks.exe
2344	schtasks.exe
2568	schtasks.exe
1548	schtasks.exe
1664	schtasks.exe
1036	schtasks.exe
1280	schtasks.exe
960	schtasks.exe
1352	schtasks.exe
1716	schtasks.exe
1920	schtasks.exe
1032	schtasks.exe
2200	schtasks.exe
880	schtasks.exe
2840	schtasks.exe
2532	schtasks.exe
1120	schtasks.exe
2304	schtasks.exe
2160	schtasks.exe
1140	schtasks.exe
3016	schtasks.exe
1904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
2052	powershell.exe
2232	powershell.exe
1520	powershell.exe
816	powershell.exe
1840	powershell.exe
2460	powershell.exe
2252	powershell.exe
2448	powershell.exe
3060	powershell.exe
1500	powershell.exe
1872	powershell.exe
2156	powershell.exe
1828	powershell.exe
2484	powershell.exe
1180	audiodg.exe
2800	powershell.exe
3048	powershell.exe
2088	powershell.exe
664	audiodg.exe
2664	audiodg.exe
2576	audiodg.exe
2544	audiodg.exe
3004	audiodg.exe
2484	audiodg.exe
2576	audiodg.exe
2772	audiodg.exe
2192	audiodg.exe
2372	audiodg.exe
1480	audiodg.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	DllCommonsvc.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1180	audiodg.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	664	audiodg.exe
Token: SeDebugPrivilege	2664	audiodg.exe
Token: SeDebugPrivilege	2576	audiodg.exe
Token: SeDebugPrivilege	2544	audiodg.exe
Token: SeDebugPrivilege	3004	audiodg.exe
Token: SeDebugPrivilege	2484	audiodg.exe
Token: SeDebugPrivilege	2576	audiodg.exe
Token: SeDebugPrivilege	2772	audiodg.exe
Token: SeDebugPrivilege	2192	audiodg.exe
Token: SeDebugPrivilege	2372	audiodg.exe
Token: SeDebugPrivilege	1480	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2088	2156	JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe	30
PID 2156 wrote to memory of 2088	2156	JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe	30
PID 2156 wrote to memory of 2088	2156	JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe	30
PID 2156 wrote to memory of 2088	2156	JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe	30
PID 2088 wrote to memory of 2108	2088	WScript.exe	31
PID 2088 wrote to memory of 2108	2088	WScript.exe	31
PID 2088 wrote to memory of 2108	2088	WScript.exe	31
PID 2088 wrote to memory of 2108	2088	WScript.exe	31
PID 2108 wrote to memory of 3064	2108	cmd.exe	33
PID 2108 wrote to memory of 3064	2108	cmd.exe	33
PID 2108 wrote to memory of 3064	2108	cmd.exe	33
PID 2108 wrote to memory of 3064	2108	cmd.exe	33
PID 3064 wrote to memory of 2052	3064	DllCommonsvc.exe	83
PID 3064 wrote to memory of 2052	3064	DllCommonsvc.exe	83
PID 3064 wrote to memory of 2052	3064	DllCommonsvc.exe	83
PID 3064 wrote to memory of 2232	3064	DllCommonsvc.exe	84
PID 3064 wrote to memory of 2232	3064	DllCommonsvc.exe	84
PID 3064 wrote to memory of 2232	3064	DllCommonsvc.exe	84
PID 3064 wrote to memory of 3048	3064	DllCommonsvc.exe	85
PID 3064 wrote to memory of 3048	3064	DllCommonsvc.exe	85
PID 3064 wrote to memory of 3048	3064	DllCommonsvc.exe	85
PID 3064 wrote to memory of 1500	3064	DllCommonsvc.exe	87
PID 3064 wrote to memory of 1500	3064	DllCommonsvc.exe	87
PID 3064 wrote to memory of 1500	3064	DllCommonsvc.exe	87
PID 3064 wrote to memory of 1520	3064	DllCommonsvc.exe	88
PID 3064 wrote to memory of 1520	3064	DllCommonsvc.exe	88
PID 3064 wrote to memory of 1520	3064	DllCommonsvc.exe	88
PID 3064 wrote to memory of 1872	3064	DllCommonsvc.exe	92
PID 3064 wrote to memory of 1872	3064	DllCommonsvc.exe	92
PID 3064 wrote to memory of 1872	3064	DllCommonsvc.exe	92
PID 3064 wrote to memory of 816	3064	DllCommonsvc.exe	93
PID 3064 wrote to memory of 816	3064	DllCommonsvc.exe	93
PID 3064 wrote to memory of 816	3064	DllCommonsvc.exe	93
PID 3064 wrote to memory of 2484	3064	DllCommonsvc.exe	94
PID 3064 wrote to memory of 2484	3064	DllCommonsvc.exe	94
PID 3064 wrote to memory of 2484	3064	DllCommonsvc.exe	94
PID 3064 wrote to memory of 2800	3064	DllCommonsvc.exe	95
PID 3064 wrote to memory of 2800	3064	DllCommonsvc.exe	95
PID 3064 wrote to memory of 2800	3064	DllCommonsvc.exe	95
PID 3064 wrote to memory of 2156	3064	DllCommonsvc.exe	96
PID 3064 wrote to memory of 2156	3064	DllCommonsvc.exe	96
PID 3064 wrote to memory of 2156	3064	DllCommonsvc.exe	96
PID 3064 wrote to memory of 1840	3064	DllCommonsvc.exe	97
PID 3064 wrote to memory of 1840	3064	DllCommonsvc.exe	97
PID 3064 wrote to memory of 1840	3064	DllCommonsvc.exe	97
PID 3064 wrote to memory of 2448	3064	DllCommonsvc.exe	98
PID 3064 wrote to memory of 2448	3064	DllCommonsvc.exe	98
PID 3064 wrote to memory of 2448	3064	DllCommonsvc.exe	98
PID 3064 wrote to memory of 1828	3064	DllCommonsvc.exe	99
PID 3064 wrote to memory of 1828	3064	DllCommonsvc.exe	99
PID 3064 wrote to memory of 1828	3064	DllCommonsvc.exe	99
PID 3064 wrote to memory of 2252	3064	DllCommonsvc.exe	100
PID 3064 wrote to memory of 2252	3064	DllCommonsvc.exe	100
PID 3064 wrote to memory of 2252	3064	DllCommonsvc.exe	100
PID 3064 wrote to memory of 2088	3064	DllCommonsvc.exe	102
PID 3064 wrote to memory of 2088	3064	DllCommonsvc.exe	102
PID 3064 wrote to memory of 2088	3064	DllCommonsvc.exe	102
PID 3064 wrote to memory of 2460	3064	DllCommonsvc.exe	103
PID 3064 wrote to memory of 2460	3064	DllCommonsvc.exe	103
PID 3064 wrote to memory of 2460	3064	DllCommonsvc.exe	103
PID 3064 wrote to memory of 3060	3064	DllCommonsvc.exe	104
PID 3064 wrote to memory of 3060	3064	DllCommonsvc.exe	104
PID 3064 wrote to memory of 3060	3064	DllCommonsvc.exe	104
PID 3064 wrote to memory of 1180	3064	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88518488362ebd0ba5a2600cd3f793d5e0310b198893282dafba779a1a1ee527.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
        6⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2548
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        8⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1468
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        10⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2028
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        12⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1672
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        14⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2824
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        16⤵
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2584
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        18⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2748
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        20⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2764
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        22⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1844
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
        24⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1696
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        26⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:692
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e53fdafe9ca60bee75ea7a33cf87fad

SHA1
3c0d44d5495e9c0353bc34a6485f9abdde2a098a

SHA256
c95a37d9d842e9b4cc30fa2099a5ef8432ca6b04f1f9ad0fe6ca3867545459ec

SHA512
0ae0552c3d6b64cd2c72bb32500ba8aa379dae3ce60d184f089ed9158eef0e607fec0021754ef166d73716ee0b434fc9c82122d18d257b62843b6cf9674d5755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0e90e1d98f259f5fa7a699e1ca229b5

SHA1
ee58e3da75f4a8a7e2e5be1359dc444081c93a0e

SHA256
1e89c3e5eb0867f47685cacf270844fa254f84a33b79d246fc8df58172c95c70

SHA512
7d397250bfb04b9f4727062593f3d322d854f1cf4238516856a06c7b701d266a11ce5c32201ac411df9fc9143912d1809df2ed748b5eddcf9af0fa017a9549e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b8b39c88c4b398047134c65f0b7ef39

SHA1
114d10c4d540a27594ebc548955cdb519e63a81d

SHA256
d8167d835b4d968b76666575d8c92b4a163a34995d8ff95f03049af9ae915145

SHA512
fede44f94fdb6f93a9a371c366a1e764ffee18ef627d37da637b661b3d30bfe2d0df16744a781f5d673b3d129e1b10826eb4f0262447106571cb5f641ec314d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
353f6c72c03a913eee1ca31b8383d921

SHA1
3800c8f7401b4e057f8a7767667da29eb317a1f7

SHA256
dc0159b0040ff5c5df702a66d314b8d69416707b32e4bc28fbc105cfc718317d

SHA512
b8f75d3e37d875a38e29adae49d5176bc00bea9eb7948bb390b829d50174591ffd640849b3deb726e20e7236d24790684ffeb82523bab6985c7a0c5c6f5afca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48206060f8370376dd70d276647f64f3

SHA1
4b10ddeacd8e61ef39286bb4d9cd5af59c56a2c9

SHA256
bb614d82b6e30396511f5f2137d3fc5a412cd91bc8397776d3a0ea3b99145cc1

SHA512
8769c03a619a5c09048326771f78437d276dc7f2418b39edf78506d4023ebb39de30d826b00540998ad515b69e38e2960432e82ed64c58354c696ede360387e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aa070208f60c09084b4e27d2c4cb606

SHA1
8913eca8229bc60c7f92ebd4864b4dec37057ee3

SHA256
c40b4e5289fa0e0ca92e6a7a156d155609a1612607a28c21edaf39faa9d5ee84

SHA512
9bc3cb64050b13fb156beb9a988c42606617ee3f32ef35063c999d9a6c9a98e4442c52636815fe4f487dfe8fa2b38f534ae06280c787b35542139ea27298b9de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae6a2586ba48c7e8105a1682f7356c64

SHA1
bede78aeba22c942ead50753d36fecbaab07ad15

SHA256
f8c26c877c8fbc48bfb38a063ef86177ad9d86aebd174535469dba701c114785

SHA512
46cb470a6265cccbb3c6e90421a9c6f97380407cc8d5788d8f6dd21250478de35510b577e89a88821591f2d90c0c033066e72aefe9c34b95447fc8358434a109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a7fa5f404a164a3b899048963d5e1b

SHA1
7192c94436dfa44246d7094b0fb23eb7f15de847

SHA256
e85309bca9b7331171eb9f472bc890792eaa7fa2c68f768eb628f3886479e214

SHA512
cb6fbd85d198f5867ecf53ce531e86cf36865e9dbb122f565f0a1521e6acf6631c13fde328c785a4c9d1679fba2f70174129d402d2e620b8d498639b24bfeda8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90cff4acc90eaf89be2cba7c2ea50aa1

SHA1
ec8dae8cdb793a8059b1f37856e5ee219f047be8

SHA256
2431c07fd91ac4b536feb2da237a67572c0e7eeba3dedc9893f80fde74fab81b

SHA512
b1075c4e9b1aa7fe501e971ba29aa9dc6dd0b5ebe337ee30ec678042de5651d643b484e679038809e70a1ab15b60c26b0e0233870d7aeae6491bd6321e79240b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcf47112edbb3d17ba1b1c12059c0073

SHA1
08af88512574c0b6a5638e165855749955d56e73

SHA256
0158b09f625c33fe918f7accc9b5fbdbfaaa5e00d1ac49150f1a0110bbe1cd0f

SHA512
8bf67e00638ff7a8e578e9cac25928308a077eec93c215c6704e267f79aeaa7dbb844bfcaec0222700701aa9fc33e301a6d4f03fa433dd6917c39795185bcf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
225B

MD5
4c38056c6dddba00a5a1c269a5a47738

SHA1
490d1d69f41369c7b02d4a1ca004b1464d8c87fe

SHA256
577858c7aca81cdb5b315d83bb37e2873146e463b7eed7bc90397e5a12a087ef

SHA512
605fc90fea8bac95639edaed4802c3750fa3fae287f5160300d93877b4daf0e2e9dd20761a02bdd939c86a673621e82ada15249cdd40da5d819699ac073b4ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
225B

MD5
18a754eba84441d6437231e13e13e420

SHA1
adcab91f4de81ce62b85625ed88235f3eaf83472

SHA256
5b82c2af4c550962e19c91b9129d735cd74d8cc362218d6ce2618dcae67b8db1

SHA512
ef6d63ddca208a054407358b412a57c7df905a4f67a65523b16a2c37b77577bcd0495c167cab0406b014fca1ad221beac3054921d12f3c52b2a585cb4c1f672c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE726.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
225B

MD5
ed203521fd5f24beebc7ad87a00114eb

SHA1
8b84d95b11c5d9bfc2c1ab0e0ec18ecfac2ec2be

SHA256
4dad6d6b55684ff76e003afbfae3cfbbbdb6fd7aa103778ed30e65e7bbf78974

SHA512
2c76857141b3faa7068cd91945d1db7fca11fd4de0f50442e503f3d2439ede3a7ca269115facf12626cb826fc0461b691a6b7ac5fb8c791b6632e777c7430cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
225B

MD5
b28141d3f91642afcfcb46ad4e6b5272

SHA1
0f1abb9017c8b96151626e4bda7d664535d73361

SHA256
0cbb7d1ab363f2cecce4987a3c460e4f886201e35a3c105b3e17a574d71e1739

SHA512
5747f9317f71a4acff23448138f690c3171a299b99034b4f04ff71bc589b55fae6360f25c093d424b3ff9030f4d2bf6a93754f5bc27f822bef80aea4539f305f

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
225B

MD5
41d4df73ce4f9d2877b6ee8861732208

SHA1
7c38df8a8a0fa771b1799655245bb78409c77d7a

SHA256
248110f1465d62f57a0e2582bba5aa808ecb602d790d676e4b386c46baa120f1

SHA512
da64255b92a72756856aeaa82ef8961a1b808b5b24b9184349ca14078020e09b2e2a766d9182dfca3c738ad75f6cfa11b57cb212f715dae1dfeaf9f1ccbfa15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
225B

MD5
59e148e676906ee0563c589ecb26df93

SHA1
930de75f63d8209690da64a084fa03e49ca9f86b

SHA256
0567d2d018cf4d0cdeac74faac1d36f0429acc2e0c3f232b8498bf8392c563da

SHA512
5380bd872af8afa2987eaf8fef3b3989915cbcb60975807dd6af24d8b133050d110c1e357d3274a5600f6ff0e8c990f9f1f596e352c1b11ca3a33e6b7868dba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

Filesize
225B

MD5
00aefe778758879ce84a15117737d9b2

SHA1
3e40d10f48788f9023be6a9263313d19e1190426

SHA256
7009640d8fa79b4c2ff577e892c285772a5d52acca5d9526ea220b1a690415ae

SHA512
866af07a6b125ec8e8921a479feade60ce5a8d0f5f6bf8bb4a72860f2fb783dd736100e18048e2814a60f6e457e9b938030402f060d0e83e010b306ae76e90ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
225B

MD5
648f51420c26ae51bb8186d065b97c9f

SHA1
2b6c4824c58ee4cc26e4f17b27469ecaad261558

SHA256
2c4b8d81c37b0e9cc7476263b6e0143e2b2483aae14b4de16684d2785d5a3641

SHA512
e29aae49d6f526fd7b44df233e7e631b916ac8e254fc0ff143ce980f47d07751d21c7ff5519c0df4ed133f11e98dac272695e3e9bd2f8e39571f394f91249f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE748.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
225B

MD5
e23966eef593c41e2f226e285d495a7b

SHA1
30f48219cd8bf508ce8ae8a3b5ee9551f51fc11a

SHA256
9e3b49e1916d0c020b30cf0e6d9eb3af55634e0591ec4aae4dcaa0f07548eedd

SHA512
24bf21f018ad40f7b2482d2a4664f5b3d5a6935fac303b29380512f8d7d26c54048c47a6ef9863b082f7f5579569efa44dafe87342f3d565526ae04c34d70dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
225B

MD5
8e8834f2f85bfac4219118762d43abef

SHA1
dce233675cbd03fdbd75071bba54bdcbeff881bb

SHA256
b3dd65df3765d1300a291bd419fec7ec4ca5d4f5c9fad029c989a3547f75cc6b

SHA512
52968b37fcbd7135e49ef4c2e8eaf32012013d72f8af8df1cabb4b5d971999530a7ec595e738ebf07b8e9a0165ff63418090d6e606a9da0a37d06cf59e24bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

Filesize
225B

MD5
9e6fd6b6bc454a236f15a84633bae391

SHA1
c3b02b9fe3efb911057d6582ace2fa7e3f57dc0d

SHA256
ad06c8c22929aad2880a04b54819904ca85b9a5df20b120f208a6087e399d0c0

SHA512
98110175b849cedd27b6261b20b06240ecc135e358b4d2dbff8f7879e3ef97c495064c37e01ad3199e3af5534f71bafec9d6776deda2bef55440634a093cba14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BPNJ0T9XV5HY8GW8AY5K.temp

Filesize
7KB

MD5
0e97956ca987c4f8db964e1b82dba3fc

SHA1
cdf2b48c05278409f6443caabefe383f512e173b

SHA256
5226ea520f57edc098f8cba2db3f203fbf754e3db8a52653afa5bc0945d4efe2

SHA512
37fe305e6a4516e1c9e23b338ed1270f7c859bb86c08163d13f98f16d83ac0a0e67a7a9cdd01db4d4600721dd42a1898288f6598514ef7011ba5fe671fc2c2e5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/664-203-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/664-202-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/1180-124-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1180-82-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/1520-70-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2052-71-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2192-681-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2484-502-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-323-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2664-263-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2772-621-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/3004-442-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/3064-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/3064-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/3064-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/3064-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3064-13-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download