dcrat | 15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe
Size

1.3MB
MD5

a6d842509708049f5e955e27835d9dc8
SHA1

f05ccff9a0169d1ee88fbd4031d1848a24b81c22
SHA256

15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1
SHA512

c42058724876e2e7a11a6e61a586ab84736fcb2d9e33a278019fdfc39dc6a6ed840b19c400782a8882785cd543a9fde24c47b2ad9d775571a49a00c64c0b3a36
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2840	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173b2-9.dat	dcrat
behavioral1/memory/2272-13-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2572-78-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2688-737-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2096-798-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
2568	powershell.exe
1648	powershell.exe
2344	powershell.exe
2220	powershell.exe
1224	powershell.exe
2844	powershell.exe
880	powershell.exe
1764	powershell.exe
2244	powershell.exe
1636	powershell.exe
2500	powershell.exe
1760	powershell.exe
2360	powershell.exe
2896	powershell.exe
2644	powershell.exe
2488	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2272	DllCommonsvc.exe
2572	conhost.exe
3068	conhost.exe
2724	conhost.exe
2756	conhost.exe
2264	conhost.exe
1504	conhost.exe
2896	conhost.exe
1500	conhost.exe
2580	conhost.exe
2176	conhost.exe
2688	conhost.exe
2096	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
848	cmd.exe
848	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
40	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\System.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\lsm.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ModemLogs\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
2328	schtasks.exe
2056	schtasks.exe
1856	schtasks.exe
1252	schtasks.exe
1604	schtasks.exe
676	schtasks.exe
3044	schtasks.exe
1700	schtasks.exe
2200	schtasks.exe
2004	schtasks.exe
688	schtasks.exe
1196	schtasks.exe
2124	schtasks.exe
604	schtasks.exe
1800	schtasks.exe
1276	schtasks.exe
1732	schtasks.exe
564	schtasks.exe
3000	schtasks.exe
2556	schtasks.exe
2524	schtasks.exe
3060	schtasks.exe
1952	schtasks.exe
1956	schtasks.exe
1484	schtasks.exe
2152	schtasks.exe
2928	schtasks.exe
684	schtasks.exe
1496	schtasks.exe
1684	schtasks.exe
1164	schtasks.exe
2232	schtasks.exe
768	schtasks.exe
2608	schtasks.exe
1988	schtasks.exe
844	schtasks.exe
112	schtasks.exe
2240	schtasks.exe
2064	schtasks.exe
2756	schtasks.exe
2832	schtasks.exe
2624	schtasks.exe
2800	schtasks.exe
2912	schtasks.exe
1144	schtasks.exe
2100	schtasks.exe
2916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
1648	powershell.exe
1760	powershell.exe
2488	powershell.exe
2644	powershell.exe
2220	powershell.exe
880	powershell.exe
2360	powershell.exe
1636	powershell.exe
2572	conhost.exe
2844	powershell.exe
2344	powershell.exe
2244	powershell.exe
2568	powershell.exe
1224	powershell.exe
1764	powershell.exe
2500	powershell.exe
2676	powershell.exe
2896	powershell.exe
3068	conhost.exe
2724	conhost.exe
2756	conhost.exe
2264	conhost.exe
1504	conhost.exe
2896	conhost.exe
1500	conhost.exe
2580	conhost.exe
2176	conhost.exe
2688	conhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	DllCommonsvc.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2572	conhost.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3068	conhost.exe
Token: SeDebugPrivilege	2724	conhost.exe
Token: SeDebugPrivilege	2756	conhost.exe
Token: SeDebugPrivilege	2264	conhost.exe
Token: SeDebugPrivilege	1504	conhost.exe
Token: SeDebugPrivilege	2896	conhost.exe
Token: SeDebugPrivilege	1500	conhost.exe
Token: SeDebugPrivilege	2580	conhost.exe
Token: SeDebugPrivilege	2176	conhost.exe
Token: SeDebugPrivilege	2688	conhost.exe
Token: SeDebugPrivilege	2096	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe	31
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe	31
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe	31
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe	31
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 2272 wrote to memory of 1648	2272	DllCommonsvc.exe	84
PID 2272 wrote to memory of 1648	2272	DllCommonsvc.exe	84
PID 2272 wrote to memory of 1648	2272	DllCommonsvc.exe	84
PID 2272 wrote to memory of 1760	2272	DllCommonsvc.exe	85
PID 2272 wrote to memory of 1760	2272	DllCommonsvc.exe	85
PID 2272 wrote to memory of 1760	2272	DllCommonsvc.exe	85
PID 2272 wrote to memory of 1764	2272	DllCommonsvc.exe	87
PID 2272 wrote to memory of 1764	2272	DllCommonsvc.exe	87
PID 2272 wrote to memory of 1764	2272	DllCommonsvc.exe	87
PID 2272 wrote to memory of 2344	2272	DllCommonsvc.exe	89
PID 2272 wrote to memory of 2344	2272	DllCommonsvc.exe	89
PID 2272 wrote to memory of 2344	2272	DllCommonsvc.exe	89
PID 2272 wrote to memory of 2488	2272	DllCommonsvc.exe	90
PID 2272 wrote to memory of 2488	2272	DllCommonsvc.exe	90
PID 2272 wrote to memory of 2488	2272	DllCommonsvc.exe	90
PID 2272 wrote to memory of 2360	2272	DllCommonsvc.exe	91
PID 2272 wrote to memory of 2360	2272	DllCommonsvc.exe	91
PID 2272 wrote to memory of 2360	2272	DllCommonsvc.exe	91
PID 2272 wrote to memory of 2500	2272	DllCommonsvc.exe	92
PID 2272 wrote to memory of 2500	2272	DllCommonsvc.exe	92
PID 2272 wrote to memory of 2500	2272	DllCommonsvc.exe	92
PID 2272 wrote to memory of 1224	2272	DllCommonsvc.exe	94
PID 2272 wrote to memory of 1224	2272	DllCommonsvc.exe	94
PID 2272 wrote to memory of 1224	2272	DllCommonsvc.exe	94
PID 2272 wrote to memory of 2244	2272	DllCommonsvc.exe	95
PID 2272 wrote to memory of 2244	2272	DllCommonsvc.exe	95
PID 2272 wrote to memory of 2244	2272	DllCommonsvc.exe	95
PID 2272 wrote to memory of 1636	2272	DllCommonsvc.exe	97
PID 2272 wrote to memory of 1636	2272	DllCommonsvc.exe	97
PID 2272 wrote to memory of 1636	2272	DllCommonsvc.exe	97
PID 2272 wrote to memory of 2220	2272	DllCommonsvc.exe	98
PID 2272 wrote to memory of 2220	2272	DllCommonsvc.exe	98
PID 2272 wrote to memory of 2220	2272	DllCommonsvc.exe	98
PID 2272 wrote to memory of 2896	2272	DllCommonsvc.exe	99
PID 2272 wrote to memory of 2896	2272	DllCommonsvc.exe	99
PID 2272 wrote to memory of 2896	2272	DllCommonsvc.exe	99
PID 2272 wrote to memory of 2644	2272	DllCommonsvc.exe	100
PID 2272 wrote to memory of 2644	2272	DllCommonsvc.exe	100
PID 2272 wrote to memory of 2644	2272	DllCommonsvc.exe	100
PID 2272 wrote to memory of 880	2272	DllCommonsvc.exe	105
PID 2272 wrote to memory of 880	2272	DllCommonsvc.exe	105
PID 2272 wrote to memory of 880	2272	DllCommonsvc.exe	105
PID 2272 wrote to memory of 2568	2272	DllCommonsvc.exe	107
PID 2272 wrote to memory of 2568	2272	DllCommonsvc.exe	107
PID 2272 wrote to memory of 2568	2272	DllCommonsvc.exe	107
PID 2272 wrote to memory of 2676	2272	DllCommonsvc.exe	108
PID 2272 wrote to memory of 2676	2272	DllCommonsvc.exe	108
PID 2272 wrote to memory of 2676	2272	DllCommonsvc.exe	108
PID 2272 wrote to memory of 2844	2272	DllCommonsvc.exe	109
PID 2272 wrote to memory of 2844	2272	DllCommonsvc.exe	109
PID 2272 wrote to memory of 2844	2272	DllCommonsvc.exe	109
PID 2272 wrote to memory of 2572	2272	DllCommonsvc.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15d4cfa153f293cdf9683dc799866275a1d132b988ca6a9149e16d498d698de1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
        6⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1120
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
        8⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1956
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        10⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1852
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        12⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1976
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        14⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1848
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        16⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1800
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        18⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2952
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        20⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1228
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
        22⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2440
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        24⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2620
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        26⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1540
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcabc41700d44fead7a05ef6ec3addee

SHA1
36af644e3cddd086604a803a99ed203760822eed

SHA256
cd9a96873fa65136db6c227009b6388636a645136f34467bc86c484bc0437957

SHA512
42e62ff6e1848ed934d8b42db8ba0f36f0970c96382333c588c09babcc8916705c92c96534aa3a469bbec76a9fd705a05d204404f52e0dc9a73d306c9c5b035f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eedf2f68b576687d098ac3049cf8d63

SHA1
5e6c0b9a2753ee04c98e29652fb9246aea5243f7

SHA256
d59bb6c76d1d735b691d759953b4080a58bbca23abfb59af52408c1127201fa1

SHA512
27cf8fc77c7dfe1a887250487aeff2d0edab9e5364c936929c0220ca29a9ec760c7ab528a1b9a344d839f91c156caf3f289796fb287cd26da5e81617786deef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f566783025272510e9d0e0f7891d73b

SHA1
05b6f71a8f633d1d0b133b68e83400c638ff92f5

SHA256
b3bb05664aee1e13065403ad962586393d1dc2b789d8602df2a19e078f89ca7c

SHA512
f914c96db048c790b6c28805480f9673d1f0747f8835ce6e3b36be6edfd6baee66d0ff55c790cc1d8f1065921c3ae26b33b18ce991fe9c0805a646125f60d3e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43d34ea6168a4c6925edffb47d7327c0

SHA1
890bb0d34652741762e6d2503bcf4db34a4206e7

SHA256
fc5fc9392d1955678afb3d4f1104b2bba5a5dd51577f4c2e9dce3fec72c79278

SHA512
0ea523de926190f5dbdae32d4ee2acf6a30402e0c7e32e26f844feace37849968f5564ff9813042c952368d0c919b774f79216932a2c1d73b3752f4e346ff06c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97cd127057668b5585325db0d59640ac

SHA1
2eaeb0423bb3b2e4bc48a6d8c311a08c86fcfd91

SHA256
1d47171eda0791f980167191373ff3f5ed577ba2572136b839c0487718e9b2f9

SHA512
a213eb2d899003a6835c625a9da511507df5d14a0e9ab7db7f3dd79a4b0a1837bb2a8bcd5dafe977fd94589f322840869a02b490022bc7939d163433f68735c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1627e86f349dacaf03d43ab780739e7

SHA1
29357a92957d88dba258dcff6d584b7e8c6739c0

SHA256
707dc1061502044770641e7d21e16c2b361c3d1777b8f6b0f81121068b3e7f19

SHA512
24b8240008227c2c1a462cf94481b09e5c2654f1ca9e4adb8dcd6726cacc8d237ecd13763b9eaba1440fd63c805a69aedb12ecbc8cb1a28518d04782c428c4d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7584c696a0b31a9fc8a1927c637431

SHA1
a550d5c3ec2bb449ad5e172c0b3836d8708eb30a

SHA256
5bb20768308802023066a89f4fe4585f80c640d03907eba23eb29e69bb24eabe

SHA512
e59fdba5b49daad108a288f2b648802306ea0e26035c0f97849bee6d3d14e96ae8178e0aaefdcc89fc1c2949197cd3862cf014741e609ced4801500b94db7f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6849d358b84684f406fd86a2c47d5b07

SHA1
7a412cdc6faeea6f91084a41123bdaec9a989c1e

SHA256
275ac24c38d5a071131b64cbfc47e8c0ac7ee3d37563806b348277f6151aedd4

SHA512
2f1826ab0c51862452847d1094f8231a02575859021eb0c66358b278456f0162d8f53a8119641f48e4bfaca2f1fb69ba309d8a0c843176eec3e3933b748039ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
490ca29ea082063158783ce4fa8d31f0

SHA1
c285e280b57125ba4c0b907d8ff0f9479df554c8

SHA256
c26845f3a8ba86473d24bd3dceae44b284b3cc9dce99b3d3af8dc27e8a102505

SHA512
03c31c7c8a8c8ea97d1560ea69388e33f96b1d521edd207857b5bb92bf569aadcf917f708d5bf07d8b7a36128456539146325e59b488405cffa2f11319bb69e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e20a8e1f48001677d7bd7b3d063b96b

SHA1
34b202c63f950f1b830d22a3f4bfe7f237366857

SHA256
2c2df942d9cf29c1170a807209a8d859aa489a7f4dedc2e5444f1d904a3c3e7c

SHA512
b39ce6398c64593c9aadb327c0d64fbe7b666e04fc1ef0c0f315fcfc9b5ca8a9f221992d06de6f2c8740f2572f45079d6991628feed5ea26020485d2de10fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
239B

MD5
1fd8f68a9a665ee9582cc0fca4df1c4e

SHA1
dbd0ae308429ab9e837b41a6202761b3a0b19fc8

SHA256
32fbfacfb29dabfbe459457af38343808ce1c0716b0f87615dad4d5f53ef9b67

SHA512
02e328f1b710f88fbfa76b283901bd89540db9c3d42c7118f664ae7bfb10071709457dbf538556f04a2cd72f65e070aa4b0263abcb1cd3622a5b50d100b982f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

Filesize
239B

MD5
3039057e0fbc0549e29a5abb728ef83b

SHA1
dc574e90ae92a6d3984493d9e87b3ba78523e302

SHA256
586e593c46d683870db694b2979ea9290a051337f1dbbdd3f61327fa3412ee4f

SHA512
95e726e1c016cad830656e5fcdd69ca5acd409e27cbfea647b1cf98c866849a6fbfc0e40943d54ee828bb18ba21bded5e19c797f14f09262d22a2f9226d9e992

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1190.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
239B

MD5
dc85dd65dbb2cac594c587f9d02da211

SHA1
bc8d1ebf9a9d5d55cf9708b0034fae8585028e8a

SHA256
2820e4abca04deb8695f955a882811b1a4fcc3d41af90ce35cb16e02334dcec2

SHA512
1c7c0db2cca804d5e1e71552d7621ada6e11fd00987825ba6717dcfc9887332e0c5b53d8369b965fe240be26c6aebd0d441f26754dd87d7ff34c18ab7e23ff40

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

Filesize
239B

MD5
8b3a9e280d05f077163860fc1b583a15

SHA1
f49123dcd58ca9c95ce651b54be93fc24a46f3f5

SHA256
3d014e34338cc74a7a571098f5114ad49d0f998aed36b7734d8cb02c4115d72c

SHA512
22e7eb442993db4ac9b09a598d2401007781407086848e55222cf988810cff9009447082be8ebbcddfe880a8e03f163e82396ebdaa5e041d93aa55af86a038a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
239B

MD5
dfcf0b3ad24b75481425f528ae0fff22

SHA1
fd3cd5a0f4d811632d0e9739f46a6ba7aa5edecd

SHA256
73f8cc604e93188f52c9073c35891377458be7b11b6a4474cbb85e5ea9cdbcad

SHA512
a4e94351ca151c5b21db80bc21b1f9869947582fec6f2de0a8342fb4d1255c10c794e2c89fee04893c300645b3714859bc42317e1527240f789ac57242d3ba51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11B2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
239B

MD5
0c3be1f408ac442b9a6e5e6b4756b476

SHA1
c45da1486a0912f9ff1c90303904ad04895fa1fa

SHA256
977f497105491f83d8224013f60876ce5481d2e98b46c2b7d7a026f949a48aa3

SHA512
e70418b82f931e776006738761d8b025b9b704c54af1a7d2a1f60b35d4c2e43c90f148e131be9b7ebd3e93271cd556a27959138193f46ab48169531ce6115ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
239B

MD5
267039d949165ccbcc9f2a71a3a030d0

SHA1
72a7c6152fad57b4ced29eb5f205d0137eb89b1b

SHA256
9aa462c52212dc1e6c2833099a0607737a2a9b3685db4466eaf91bf676d0c9b6

SHA512
6b85bc0516c76c1b3403924a3239c1337dac99349fc827a396a7fee024b9a214011035757cfe5c7f565ee12213a40c31c62d1c430dbc1b73aaed384a8edef3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

Filesize
239B

MD5
0eb106f9024a7715a80b43fc2f3248cc

SHA1
e14b4238e2e9443f8af1085d542c37ba99e775d1

SHA256
6d2a0b57f0e2826e9f86d5fc9b3ac478379b2db270e1670729a8d98946ad56b3

SHA512
d73d3d802a14050ae51469d6b2d78d34d9d0c897efcd3f31c1d43201319bda18c7662cb5974dd98b3b11e83358b135edb8a43379f14a8b1cd9fe1051fd1ff803

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
239B

MD5
d393dbbb134451c0e5cae1a3cf543e5d

SHA1
6b621781e97361d4c5ddfa85e76e86fc50d28f0b

SHA256
6c5d6cc4af36f9bfe72f630cb3a7701bbe384875f88609cad0c44e479e74cfdc

SHA512
25d045e875a5a824feaf03558f5f5de03f5d5f129676ff447aeafc847a5668cde0f55f3ba3dd818bfbf7c510f5df8d885eb5c46e77aab7680cf264a161203087

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
239B

MD5
cf20f37d2a6e4fa2884ba993605e2db7

SHA1
4f36739f543907f6a3eb3e60552b7b3178d95fc8

SHA256
abf89fef2ea96958618ecedefc524f31f35b0b303b8997f0bede94e234881eef

SHA512
d91d0b01f9df0783106e043bc2a59e2f5d6301bb0fd2a7343bbebc8fc65b7ca7fdeac4df93dbafa558f729fed5a55268edbe51206c2c46abd0ab619c4040afd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
239B

MD5
1a5b7d4ed5f038a1bcf96bb5120e1030

SHA1
520ad9b6e8aac9519f7e0604b9b27addc01c5de8

SHA256
885a3f7fff1b018f2f0ce57edc7ee607bf510ae2efc6369f4102fd51a4be446a

SHA512
484e761db829a4dd13a36a4397dac71492290e8d62b2efdac681542e90d6fe70bf9999e6c74f67ce81ed5eb88f8fc5edfe384443f4421b7cad036c0e75864e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AGFFJEMGM47DGA8A35FZ.temp

Filesize
7KB

MD5
bdd96aa44a1e44a51a9e5421021d1526

SHA1
a70be16381ef6f071beb7c67cd1ccbe4c73cd42e

SHA256
e94134acd447c36072cc3a1e551e755a39efa50bbb12e20ed0786414b51b6d07

SHA512
5cd1f2320b61b792faa9b61a0e1bc4c7f848cbdaf95b9f3e646fd7a32f192d975f2a665fd171e5347b04a0d807f4ba2aec8a8c6ff4d4081fddd38042a285888c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1504-441-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1648-66-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1760-64-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-798-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2096-799-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2264-381-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2272-17-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2272-16-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2272-15-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2272-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2272-13-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2572-143-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2572-78-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-738-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2688-737-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-144-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/3068-203-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download