dcrat | bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe
Size

1.3MB
MD5

1cbb924712fba204112deecebeeeae7e
SHA1

055b91533f59f475ca5f97995d70b7b30c14648f
SHA256

bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d
SHA512

d374748b8f4d7b6b228d68e2d6ba38dc9e529393e5969d35c4890941e3604e65007f3b2424a9e08474c0b0b022242bb4d03c00013bdeb7e50a71be47d613dd76
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2984	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018d7b-10.dat	dcrat
behavioral1/memory/2744-13-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2812-56-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2824-196-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2116-434-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1992-494-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1924-554-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1440-614-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1140-674-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2460-794-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
768	powershell.exe
2696	powershell.exe
2580	powershell.exe
3032	powershell.exe
2000	powershell.exe
1696	powershell.exe
3040	powershell.exe
2088	powershell.exe
1580	powershell.exe
1692	powershell.exe
2788	powershell.exe
1556	powershell.exe
2300	powershell.exe
1964	powershell.exe
1592	powershell.exe
3028	powershell.exe
2516	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2744	DllCommonsvc.exe
2812	explorer.exe
2824	explorer.exe
2188	explorer.exe
3044	explorer.exe
2728	explorer.exe
2116	explorer.exe
1992	explorer.exe
1924	explorer.exe
1440	explorer.exe
1140	explorer.exe
2180	explorer.exe
2460	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	cmd.exe
2328	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
1720	schtasks.exe
2916	schtasks.exe
1096	schtasks.exe
324	schtasks.exe
1404	schtasks.exe
340	schtasks.exe
1672	schtasks.exe
1716	schtasks.exe
1244	schtasks.exe
1812	schtasks.exe
2288	schtasks.exe
908	schtasks.exe
1700	schtasks.exe
584	schtasks.exe
1296	schtasks.exe
2272	schtasks.exe
2820	schtasks.exe
2100	schtasks.exe
1940	schtasks.exe
2548	schtasks.exe
1752	schtasks.exe
2884	schtasks.exe
708	schtasks.exe
2116	schtasks.exe
1616	schtasks.exe
772	schtasks.exe
2284	schtasks.exe
2936	schtasks.exe
2604	schtasks.exe
2772	schtasks.exe
320	schtasks.exe
2108	schtasks.exe
632	schtasks.exe
1032	schtasks.exe
1044	schtasks.exe
1764	schtasks.exe
2656	schtasks.exe
1336	schtasks.exe
2964	schtasks.exe
1996	schtasks.exe
2880	schtasks.exe
2436	schtasks.exe
2992	schtasks.exe
672	schtasks.exe
764	schtasks.exe
2644	schtasks.exe
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2580	powershell.exe
1580	powershell.exe
1696	powershell.exe
1592	powershell.exe
3032	powershell.exe
1964	powershell.exe
2516	powershell.exe
1692	powershell.exe
3040	powershell.exe
2000	powershell.exe
2788	powershell.exe
768	powershell.exe
1556	powershell.exe
3028	powershell.exe
2088	powershell.exe
2696	powershell.exe
2812	explorer.exe
2824	explorer.exe
2188	explorer.exe
3044	explorer.exe
2728	explorer.exe
2116	explorer.exe
1992	explorer.exe
1924	explorer.exe
1440	explorer.exe
1140	explorer.exe
2180	explorer.exe
2460	explorer.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DllCommonsvc.exe
Token: SeDebugPrivilege	2812	explorer.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2824	explorer.exe
Token: SeDebugPrivilege	2188	explorer.exe
Token: SeDebugPrivilege	3044	explorer.exe
Token: SeDebugPrivilege	2728	explorer.exe
Token: SeDebugPrivilege	2116	explorer.exe
Token: SeDebugPrivilege	1992	explorer.exe
Token: SeDebugPrivilege	1924	explorer.exe
Token: SeDebugPrivilege	1440	explorer.exe
Token: SeDebugPrivilege	1140	explorer.exe
Token: SeDebugPrivilege	2180	explorer.exe
Token: SeDebugPrivilege	2460	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1808	1288	JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe	30
PID 1288 wrote to memory of 1808	1288	JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe	30
PID 1288 wrote to memory of 1808	1288	JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe	30
PID 1288 wrote to memory of 1808	1288	JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe	30
PID 1808 wrote to memory of 2328	1808	WScript.exe	31
PID 1808 wrote to memory of 2328	1808	WScript.exe	31
PID 1808 wrote to memory of 2328	1808	WScript.exe	31
PID 1808 wrote to memory of 2328	1808	WScript.exe	31
PID 2328 wrote to memory of 2744	2328	cmd.exe	33
PID 2328 wrote to memory of 2744	2328	cmd.exe	33
PID 2328 wrote to memory of 2744	2328	cmd.exe	33
PID 2328 wrote to memory of 2744	2328	cmd.exe	33
PID 2744 wrote to memory of 768	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 768	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 768	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 1592	2744	DllCommonsvc.exe	84
PID 2744 wrote to memory of 1592	2744	DllCommonsvc.exe	84
PID 2744 wrote to memory of 1592	2744	DllCommonsvc.exe	84
PID 2744 wrote to memory of 1964	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1964	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1964	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 2300	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 2300	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 2300	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 1556	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1556	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1556	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1580	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 1580	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 1580	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 1692	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 1692	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 1692	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 1696	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1696	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1696	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 2516	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2516	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2516	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2000	2744	DllCommonsvc.exe	93
PID 2744 wrote to memory of 2000	2744	DllCommonsvc.exe	93
PID 2744 wrote to memory of 2000	2744	DllCommonsvc.exe	93
PID 2744 wrote to memory of 3032	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 3032	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 3032	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 2580	2744	DllCommonsvc.exe	96
PID 2744 wrote to memory of 2580	2744	DllCommonsvc.exe	96
PID 2744 wrote to memory of 2580	2744	DllCommonsvc.exe	96
PID 2744 wrote to memory of 3028	2744	DllCommonsvc.exe	98
PID 2744 wrote to memory of 3028	2744	DllCommonsvc.exe	98
PID 2744 wrote to memory of 3028	2744	DllCommonsvc.exe	98
PID 2744 wrote to memory of 2788	2744	DllCommonsvc.exe	99
PID 2744 wrote to memory of 2788	2744	DllCommonsvc.exe	99
PID 2744 wrote to memory of 2788	2744	DllCommonsvc.exe	99
PID 2744 wrote to memory of 3040	2744	DllCommonsvc.exe	102
PID 2744 wrote to memory of 3040	2744	DllCommonsvc.exe	102
PID 2744 wrote to memory of 3040	2744	DllCommonsvc.exe	102
PID 2744 wrote to memory of 2696	2744	DllCommonsvc.exe	103
PID 2744 wrote to memory of 2696	2744	DllCommonsvc.exe	103
PID 2744 wrote to memory of 2696	2744	DllCommonsvc.exe	103
PID 2744 wrote to memory of 2088	2744	DllCommonsvc.exe	104
PID 2744 wrote to memory of 2088	2744	DllCommonsvc.exe	104
PID 2744 wrote to memory of 2088	2744	DllCommonsvc.exe	104
PID 2744 wrote to memory of 2812	2744	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc63216e50cf324ceb0e78ca0d3ae7028a29bfa628e9a1a3d1f72a627a356b9d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        6⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3056
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        8⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2476
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
        10⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3060
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        12⤵
        
        PID:904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1300
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        14⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2760
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        16⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1732
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
        18⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3044
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
        20⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:688
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        22⤵
        
        PID:1032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1576
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        24⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1648
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        26⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1020
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Purble Place\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Purble Place\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1da94dbc8ffd884b4db8b2623ac7fc4

SHA1
bbdaa5fa29371f34dce62e5e2f10fce8517af362

SHA256
bc9ab1e673ba07cb5b746bf1f93e41e38b69afdd47a35fd1487d7c8a65809d80

SHA512
72419d08af1e5b87e2310e0e7f0566b9dab98d96745ada902ad336670a412d4cd0b960c885db08e56b9ba07ff0ce25aba75f988c07cd8d8333359cd57c2ce91c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eafa0612e4570b2cabaa4b2490e35778

SHA1
59852dabb5b8d9df2f09ad82f7a702ac2b297387

SHA256
f7baf2939768500b552f9a6c4ccad11f28910854a740822695c940d8e98d94af

SHA512
222b34378f03657de0d5b5ceb7aa70016740db7d0f21b4a7dcb8e3646316307903efefd4186931bc22ef9f20757be360428b41cca8bcfdd540744c14a77df28b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d381ef69e1bce742da020645c7ec8476

SHA1
217faad0490feb9a8a00dca614d2c4f6125abb5e

SHA256
acb38e3fe0c718d3b503daf87df83cd3091a7dda6a5e63d313c91220c50182e2

SHA512
fcb0dd607c3ad71c5f256330d21ba038fbafda2579708b036033bcd5b813e815333757f39875665689406f87ac67e879cbc6cc97ba07735a9c040c7e70031792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2de2f327503a9c0033df8a7668d5e4fc

SHA1
8d3baf6843ee0f235326136d188003d579bc3ea3

SHA256
fbea08d7b7761061cfd1e79f310b964acac1cefa4bc20aba00fc7e415f3ef61d

SHA512
9478b58dca9bf31b76543fd67d1f697600dded71ebc1bf2427039c8764e5746731042e4790075da60a4d8671c7b089c6ace7042b71cfeeac1a3fcb41de6d9280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95117cf7998a1541182265781486b96e

SHA1
fd7f7262ef2557548338e01299a910fc3ef28b41

SHA256
0067351ea8df08c5fbb503764e512183ebfdbba682fb9f26f3f7fc08ab31fc31

SHA512
ea603c51502829f14efb8f11dbc94480efa79f50c0d779f4af549a3c1edf2c32b967f5cacfbc053d48a84141c7f65a19791cb133747c98aae550390f5e7abfd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec5d9531156cb9755e82648e0a442e9b

SHA1
06a7f5a2c0238315cd301c8dc26409318ab081ef

SHA256
664af6eb4cdeb0aeda4d27496a20d75c57b3049da7e06bf9bfd2bfe484796134

SHA512
7837ea05d4c78266002f07f18bc7a2894b66886f500a48075609ddab43248c309c37b700cb4f68744e03d1770324e00ffb4acda47a8cad9f9ce15902b2bbba00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0a5efeec93e31d9cd2b9575ec57e593

SHA1
5322bc982cd5365559c8bbf965d0df5ed8f55bf8

SHA256
41f48384b83f9482278de86b77cdb6f56b9c0139f7503589739ed078de0c9f83

SHA512
f6693d43ff762ecc7fb47235bd11961f814656ad1e933437e8d47f1c4b90364aa1dec5e56df319f982bbf626ebb9185be9e62fa69602e1af30ecb44620eec356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b51289a927709d7cc569f56fc085cbc

SHA1
bd4b866e7d5943921568efd475de3185f105b355

SHA256
81c4f95f1edc1115332581066f33d01dab270ea4a53a05aebdc5b9f301404da0

SHA512
f6a887ecf232491da9808479193733efdaa13556b44629fc63c7df89588c5c68faedc7aac41b239eb3ced767f7f59a7d5543b88b8b5c69272b6db326ac724fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fb00f59d82d0ec3c8300e98f3aaf7d4

SHA1
b26ca1679a65d5854d2dd59c6eaf40d2b111a2e3

SHA256
ea263cb899ba47bf1c3c77059132464d411e475391baa378a2172648f2f00802

SHA512
8ddd6f48c8a2e673492d7835ec8895bddfc57a88b1a819eb6ba997769e9d6a4097a1c9e1af4e0630fc8151fcbc0c56739805fb35ec60653c6fdd215c28790fe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
410500bf78cf9f2e4d00398ad7b311f2

SHA1
f519a636c89cc79ccd1e6b42835db7d826336bc0

SHA256
a5feffe431ff13185d6ee17834be067feacd3200f43e712fa0cee8922613c4c3

SHA512
47ecd3201273f87822f12301f120d45c4c5a8f689ca87253d328fe77522b50e8810cb4c000a166c66a7ac648136e7cb7d11fd972c3fb0f660f2a4fe153ef1b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
245B

MD5
9c99060a31248f39f310b01ab85ac3d9

SHA1
2c9b2daa0d6e00445ae9a2b0d369eae4ae5c3af1

SHA256
2ce13280d3033bee96f291edcf73163c6a57f68bd4b8b3b5e53246a0cc6c573a

SHA512
208dc04eea5bde547b8e63229d21632a18d69d4480c30baef3b14dd021ea0c0a52ab2086e0276a91b345f46218bcbb49e2c64aceaeb184f42ed9cb8843e1d80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
245B

MD5
3b0690223698236e10884bd576015a20

SHA1
31fac7f4353ab8b514078c66dfd0f98fe257f888

SHA256
082da17c97ad63d27c1678ba41e1c25fba4db7fca94d95d9fce93966be42a602

SHA512
4a235901dd0b531e5c6a2e85c7011b65785bd5104c6eb62ce194fceeaa36ce04364b5b77c39e4cae659e2f54eb877e733baf07ba0c6d5cb4b844488538e86287

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDCD9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
245B

MD5
2ffdf0b80089f97a4161cd1aa64097d7

SHA1
4e6bf59dba3f2a96d98c3cc51e19fd82b13f002d

SHA256
b76011950fceb37b1ed230593003fab6c11f85aaaf45992b38fd39fe6c2da965

SHA512
cd8c03aabc60d283f2069bd2d481ab50b7560167aec0847fb93e189c039cd475cd5817e9e871c3bd6297b1b0b168581ef6ffc785828fc03d917f1c93b88bce4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
245B

MD5
f05bbef8bffa987b643c81c2f889f786

SHA1
239c5d12c1bf292968e97e0df13b614e3f012da0

SHA256
f961da46c2a39a942948b4b88d82387b1db0d6af9873640440b7095fa9c361c7

SHA512
5daf8342b8b8cc19494281ae5a9c7f2255953609ba1948095e0b6099263ddbfb88484b572330fa99d8951c0396c60da3afe3bf3c4e045c398f3f98aaa617a933

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
245B

MD5
40c243117a269a771caba59b89b03893

SHA1
392fef48f593b897a916a2245ccbb7679cc7b36a

SHA256
51f353a1b01161f9c21cd547798867b947943d56f3f4537c3c9b71630f740820

SHA512
044df6e4e244fb18304e3c6984716b1a0a5a5318e96b3828acf8854d55716abdf203df23605e60cf33994f64b7bfa9924d831ef3bef8748970898fddcd255b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
245B

MD5
03b5863cfd78dbdd374ab853717bf126

SHA1
31bf9a0596118e7ab70d4f4299b83ca1661eb3a7

SHA256
86e6cdcc76b31f98c3f10ade50018c78b6c3cd306495e56b77a16fecb517dab3

SHA512
773caa6a90c707b9e05dfe79c69410e02e0583e874e0d912ff77984293e3d32edbfe7f2ca12a476a9dab4517f4beb946c382ef6830812cf603e8b12af777dc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDCFC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat

Filesize
245B

MD5
73e86b3c77dd6868ca1eb5f21ba9d9e6

SHA1
8e01d168e8536e43be715cf70f49ea0ecdd996a6

SHA256
726e85b52ad408cd2821e45373e0be732592754098b4bdc33db65c6a54f53493

SHA512
8377d89acf328bf2d1210bf3220afe7847e71b53f357efdcae52e0218ee5714b640c7242f6bf82a0131cd6ebbd98a14597320ce261d38ae6dc96e0b1305384f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
245B

MD5
e6d41524dc53641f931293b9e62bf590

SHA1
14ea3d2b86ab9bb1552ea4c06c3c3548b21ecf0c

SHA256
40b3ab14e8d2e2c882b49745e62aba8f3f2a1cd8252a915b8c824362198e0e15

SHA512
f432abad01609ffda6e8094a5129c0533f5e46d0baa47563b2849d4d53728fd61d79ad7d24ecfb74c24d73610e263a7366382409b0d36f9d33da020323303861

Download Submit
C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat

Filesize
245B

MD5
8351340369472151aec7b95094abecd4

SHA1
cf71601fbb3374db1a56b80d6e6513cb27e2e0c9

SHA256
6583405892f1f5f82058289b16a9f1e4dc0a58efae461d521a781b23881700df

SHA512
888e1781b468c151c6b533af94be292fef9c3e47898ad4a402d819c7e648cfa0a0a7da78db4630b8e63c8d07e32f7eb75c14b0b7982637e6592f3323f300f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat

Filesize
245B

MD5
b298544f8206fd6808f005bd795b7758

SHA1
6d5c2f002dc8e7d7c2f78e4b1f324f3c55ccc46c

SHA256
6ecf63c844eca1d93a02cf58159dfe91d68d5d3e839d77781e413ebff4e2cb27

SHA512
3248f2373ff5853d3afb9dc96ae34ccd9d9443b493ff257acd4a78ce26d26987841de68fb6dd8419b730b056059721034785f08eb183b44ac56d3bf5b5e1efd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
245B

MD5
5f4e789e8c29b657ce6d14ac3c5a3968

SHA1
a9f6a50fd94eb3ccd6589f10fbcd896a1f7f48a8

SHA256
09e65bd466c7728d52d51f90a0a0e93157e86bacce2199e173dfb93cbe81fd7d

SHA512
3c71b0a0c68e57fd171c58e68df321e3795f0402ee91c48a7de76fb534be826f6e05b70a8ad3a9e52549962486c5674317f13d54ef856cc6ddad86f5844e9b37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4JK7HBT3VVCH3JHZJ1IH.temp

Filesize
7KB

MD5
1189ac2bfbe4de9138024bf40f2939b3

SHA1
e0ac4d6ee20fb3b506e0f09fbce64ef381d722f3

SHA256
23782c07f3d5abb6b3f64d7d3c14e937738d99157eb72810f3dca7bd2f2e4c18

SHA512
d426fcbde7a418c41adc720ed203f2eef9e47195e6bb3f42b991ade0ce63655d31e0d16d767474a385d1562f3c5fbf65bceae99cb7065bd4c7ad4ae049bb926b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1140-674-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1440-614-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/1580-71-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1924-554-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/1992-494-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2116-434-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2180-734-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2460-794-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2580-77-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2728-374-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2744-13-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/2744-16-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2744-17-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2744-15-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2744-14-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2812-127-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2812-56-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2824-196-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download