dcrat | bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe
Size

1.3MB
MD5

d68d7cdb43ebc11023f44f7447945e3e
SHA1

d791e327a451f48989dfc3f169ef56c3fcac8910
SHA256

bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0
SHA512

1bdf9e0cae28b379bbd7f93fda546e784acba2194da1142c5542fe6e1077229db76c9195582c4d2dc0fa5636c3212ef2ee3f8fe8841766800fdf9a179b4448a3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2172	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d1f-9.dat	dcrat
behavioral1/memory/2744-13-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/1740-136-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1916-195-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2720-255-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2436-315-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1972-375-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2468-435-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/1836-613-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/2136-673-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1544	powershell.exe
1368	powershell.exe
2904	powershell.exe
2988	powershell.exe
1228	powershell.exe
2908	powershell.exe
2732	powershell.exe
1896	powershell.exe
2560	powershell.exe
1516	powershell.exe
2748	powershell.exe
1548	powershell.exe
2936	powershell.exe
2208	powershell.exe
1936	powershell.exe
2304	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2744	DllCommonsvc.exe
1740	System.exe
1916	System.exe
2720	System.exe
2436	System.exe
1972	System.exe
2468	System.exe
316	System.exe
2440	System.exe
1836	System.exe
2136	System.exe
2664	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	cmd.exe
2956	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
21	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\it-IT\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\it-IT\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
792	schtasks.exe
1976	schtasks.exe
776	schtasks.exe
2896	schtasks.exe
3016	schtasks.exe
856	schtasks.exe
2292	schtasks.exe
2360	schtasks.exe
2872	schtasks.exe
2152	schtasks.exe
1584	schtasks.exe
1932	schtasks.exe
1488	schtasks.exe
1736	schtasks.exe
2312	schtasks.exe
1072	schtasks.exe
1660	schtasks.exe
1712	schtasks.exe
892	schtasks.exe
2108	schtasks.exe
2032	schtasks.exe
1492	schtasks.exe
1892	schtasks.exe
1004	schtasks.exe
2084	schtasks.exe
2220	schtasks.exe
1620	schtasks.exe
3020	schtasks.exe
1092	schtasks.exe
2348	schtasks.exe
604	schtasks.exe
2856	schtasks.exe
2444	schtasks.exe
2256	schtasks.exe
1008	schtasks.exe
2224	schtasks.exe
2900	schtasks.exe
1984	schtasks.exe
1172	schtasks.exe
1252	schtasks.exe
1340	schtasks.exe
968	schtasks.exe
2376	schtasks.exe
1696	schtasks.exe
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2936	powershell.exe
1368	powershell.exe
2208	powershell.exe
2988	powershell.exe
2732	powershell.exe
2560	powershell.exe
1548	powershell.exe
1228	powershell.exe
1516	powershell.exe
2904	powershell.exe
2304	powershell.exe
1544	powershell.exe
2748	powershell.exe
1936	powershell.exe
1896	powershell.exe
2908	powershell.exe
1740	System.exe
1916	System.exe
2720	System.exe
2436	System.exe
1972	System.exe
2468	System.exe
316	System.exe
2440	System.exe
1836	System.exe
2136	System.exe
2664	System.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DllCommonsvc.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1740	System.exe
Token: SeDebugPrivilege	1916	System.exe
Token: SeDebugPrivilege	2720	System.exe
Token: SeDebugPrivilege	2436	System.exe
Token: SeDebugPrivilege	1972	System.exe
Token: SeDebugPrivilege	2468	System.exe
Token: SeDebugPrivilege	316	System.exe
Token: SeDebugPrivilege	2440	System.exe
Token: SeDebugPrivilege	1836	System.exe
Token: SeDebugPrivilege	2136	System.exe
Token: SeDebugPrivilege	2664	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2740	2808	JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe	30
PID 2808 wrote to memory of 2740	2808	JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe	30
PID 2808 wrote to memory of 2740	2808	JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe	30
PID 2808 wrote to memory of 2740	2808	JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe	30
PID 2740 wrote to memory of 2956	2740	WScript.exe	31
PID 2740 wrote to memory of 2956	2740	WScript.exe	31
PID 2740 wrote to memory of 2956	2740	WScript.exe	31
PID 2740 wrote to memory of 2956	2740	WScript.exe	31
PID 2956 wrote to memory of 2744	2956	cmd.exe	33
PID 2956 wrote to memory of 2744	2956	cmd.exe	33
PID 2956 wrote to memory of 2744	2956	cmd.exe	33
PID 2956 wrote to memory of 2744	2956	cmd.exe	33
PID 2744 wrote to memory of 2936	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 2936	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 2936	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 2208	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 2208	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 2208	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 1896	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 1896	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 1896	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 1368	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1368	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1368	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1936	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 1936	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 1936	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 1228	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1228	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1228	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 2988	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 2988	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 2988	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 2560	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 2560	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 2560	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 2304	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 2304	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 2304	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1516	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 1516	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 1516	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 1544	2744	DllCommonsvc.exe	94
PID 2744 wrote to memory of 1544	2744	DllCommonsvc.exe	94
PID 2744 wrote to memory of 1544	2744	DllCommonsvc.exe	94
PID 2744 wrote to memory of 1548	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 1548	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 1548	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 2904	2744	DllCommonsvc.exe	96
PID 2744 wrote to memory of 2904	2744	DllCommonsvc.exe	96
PID 2744 wrote to memory of 2904	2744	DllCommonsvc.exe	96
PID 2744 wrote to memory of 2908	2744	DllCommonsvc.exe	97
PID 2744 wrote to memory of 2908	2744	DllCommonsvc.exe	97
PID 2744 wrote to memory of 2908	2744	DllCommonsvc.exe	97
PID 2744 wrote to memory of 2748	2744	DllCommonsvc.exe	98
PID 2744 wrote to memory of 2748	2744	DllCommonsvc.exe	98
PID 2744 wrote to memory of 2748	2744	DllCommonsvc.exe	98
PID 2744 wrote to memory of 2732	2744	DllCommonsvc.exe	99
PID 2744 wrote to memory of 2732	2744	DllCommonsvc.exe	99
PID 2744 wrote to memory of 2732	2744	DllCommonsvc.exe	99
PID 2744 wrote to memory of 2136	2744	DllCommonsvc.exe	112
PID 2744 wrote to memory of 2136	2744	DllCommonsvc.exe	112
PID 2744 wrote to memory of 2136	2744	DllCommonsvc.exe	112
PID 2136 wrote to memory of 2848	2136	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcba0edec1e22edc96a3862ea86de355121dab20d5a094ea7c14d31848aa9bf0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\it-IT\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sE7wHhwsEL.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2848
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        7⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1524
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        9⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3020
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        11⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2848
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        13⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1740
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
        15⤵
        
        PID:716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2196
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        17⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1936
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        19⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:776
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        21⤵
        
        PID:112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2332
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        23⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2776
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
        25⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2144
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"
        27⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
176288e3396051067dbdb977b1a74f0a

SHA1
9d0aaf5ff31b7c16084ac73b8e5e12a7464fbabb

SHA256
749ae9024de9921791cb57e8900c4c9f2e5b60050fed5afd2da319818276dede

SHA512
951566a0e151abb364865ce33856ced6c55ceac376aef24f4e082c02413ed6e26517409cd11e8bfbd07ce80f4601a5a937cd3220fccf7d6cff2cbac75f1f83ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f78d6040dd61f4c176edf22d51614e

SHA1
f544b7e86a2c18502fd8706767910fddda446a5c

SHA256
db2af7ef08c38313de57b08da38e9b79438b89474d4f95d96b8e1eb14b5aa1f4

SHA512
5ca5f6dfe98e6fa09e71fa2f93e09c89f6d4d3ef137653abc4913162810d15047b4a3e915ccf49f234551448beacaf9e0ead7415af2bf2ecadb700050dbe2cf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdfd2d1a72e7ec396b63c77f14e0a718

SHA1
795a6205e317b547cf668c588913da48a05eb0ca

SHA256
bb1fb6be8166a9098c9a612708ca6260d1cedf7c7acb6d62569cc9371471f8e0

SHA512
59e5ece9667482f8ae405f32d49a5bd0ab99f22aceb61d66359897e54e8ec349688fc3dbfa8f1b404721232213e52e4afaef4e82cef0c8594e0b7ac2aa05a5eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af76fd01673ab0fb8f02f7c507389397

SHA1
372b8cfacd371dfb537f063cb782341d687b6b50

SHA256
88c0715b29b047febd96a6c04512fed533e11f1e512513fb2ade8988aa532b46

SHA512
f3b5d0a6e9c0a10c1feb93401e9f56b74d6ad9a3c65b647931dcc7bf15d8d1bcc49007367ef78448c91cbfed2d61ce6cb790e16d15cd7673a21a1796931dacdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09f7addb79585e5e29f8fe2e7ad3070

SHA1
95e770550b8b8519b625b3b5faf0a113ffb27acf

SHA256
4f3024ead87b182ae5a4776f0f50f012aa09946bbf8f9cce670147cb78a458d6

SHA512
96462f6dbc4c2769d2a1fbe912ae5c07eb9d44a9e03477144b8bdb82328a051603fb0c26535fd7f8b4da6f9d8b631ea3dda6977f72e13877cc4f7f1e5b06261b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60b7710f35b2cc6293bab8523dc9d6a8

SHA1
aa6ceb62dfeb8e29a1d9346f344cb1c440f2a7e4

SHA256
7dabc2dfbff372fc5f630c4d5fc0c2c79f93cd52ba8aa83ffc6de6de88cebbcf

SHA512
a3f3d39390d19bbad00d0fc319682122974c0c80d27c45e42ce31aa7fa55d7cd73b31977616340e2f6b96e859702d744ee5cc27dca930245b742c74cf40390fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f522f7e54f945c949c42c4910b74864

SHA1
70e17e4bfc36ff7c158c2bd9fd7c17d558ee25b0

SHA256
05fa4d71cf567faa09f6b616d58eaaba7adbe36e07aa40d92b179251f4754983

SHA512
0eb8429c95f0fac5178cbf765b4de9a212e1e85eaa5d04722ca52f41bcdad6eb323066af12c1ab3142a16d5ed37dd6d5d8038ab2695b7121cd886f3fd298b67e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
994b9d52606aba07d79e087131fdf4cd

SHA1
4143c9c129b1669b4cc6df79a5eb81f055bf268a

SHA256
9b74a41c603823b324453533dee8e17c9d4bdaa2b4d3f43e6ea97b75722a5fe5

SHA512
026f884fa76e4f10d6e0c2163947e8ffc61d75af53671dbd1ec8c3ad58e300f8b4e30951b34c2bb2798c55f5b40683f9937c630cd146ff53d0bc542bd8a027c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df7da5fc90a20ffbbb4612cc850572dc

SHA1
8567c84afb1f61be24bd237a2fd2560846fb81b8

SHA256
d9be8fbc803aa00c92b7edb8a10fa02655522f2e798c16704487fe7f6c8071ac

SHA512
23faa807bf130dda237305a47d86853d6bef73c5631a8c47872f943f3a303f4ff8ae009ff22dabdbabb5970071828246025bcaa1eb4c9553f6e13a1e7d784f5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b50956ce48948a2893ad15faf9a996e

SHA1
4c07b6a1c1e51cff42f42e4045b37edc1bf1d5a0

SHA256
83e1485eecbfce41873fa3cfdc05c430e8458d37a62efa7901d5583a7e0c5fbb

SHA512
5daf3d5929b9f3043d3ba607267c8598e91fa4744dce48cbbd0a80f0c6600d950c2acd2039d9b6386f4d500cfbc89ce289ee14712490ed4a884bf805208f08b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
244B

MD5
a40d7fa0f73f5eeb0c1c3b4a1c226a41

SHA1
9a3ad07b101049e870a482cfae73f6b5790e36b8

SHA256
0fafc62563b6c79b05e63b08009969e159c96aa07f05ff04a3205418c2ed6ce4

SHA512
4cfadd638f3b0213733108aeda765623fa9673ec1c3fca96bd24623664a21e9945d7625e1f8e854c313fc47098a050d019bee92ed40c9d0f46ea2df1a4e3f057

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
244B

MD5
450eb2a4984bb6f31b3aec7154a53a43

SHA1
37096c39e9a23b079d71456dc5b5b72d026fa6e8

SHA256
aac366bf91f91c6350cee176b03c59d66e077cf354e34539724c61588f1d3843

SHA512
08b8982761497e5d028f1c43582f0e15a2dab8288ef21886306f454336495bd8848e3dd1016e54df4e2658ce8596f76a6e9b763736b417f6b3c0c7004fc427af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC850.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
244B

MD5
8d28c9a63de72f7e3c598bcc30cc3a75

SHA1
dfca9ebac223a46ccd1ddb5640b56895cd617fa2

SHA256
f0bb6017266fd985894ca8a056928efe8568c8c262c30564254fac361c35c6d1

SHA512
d7b68884ac135ef5a503ff7487500df3f7e25537255fdc0c45d6e42e69a8ad18667a203a0b2aaa8eba3596408c92e88968bdccee4fd4264e9bd7f19e068da13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC863.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
244B

MD5
2a899a36b6e82528d70d57bafb0c79ce

SHA1
6141a42432a7403eb13a59e5966f7f7f76a2e3eb

SHA256
6c4295e97d2cee736df3b2d3dd402012aaac32c3a63cbd35d4f6040ccf8858e3

SHA512
549407a3e8047df76bad9bf40b599bf883421a69726db8e20190d02e07266807ad4279e4801a0247c0161851d596c04789db7dcd1b2b44375820d95c71322061

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat

Filesize
244B

MD5
543c7afb822a63620f6a0b971c692a86

SHA1
29affd909959d1fbb7a17db30ae1f2a4bced60ff

SHA256
c71106fc84c9534798ba4c4e673304eeebe069c478157fb62509ba2574a5c582

SHA512
a0b5bc4a6e2f452bda8b25a4dfe2c7fe0ab6edd79862b1d02ee56c9dd1108aca8154811e515a12788e0d2938ba7bdcb9fe48ce936acf621a92bf937e254bde76

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
244B

MD5
213af44bb3a3b1d66b932b3f5d49202e

SHA1
05b0a3a4cdc83d6a65cc9838f7245e8bfd6d5ee8

SHA256
d456c90e8c5c8b1b5c39d2c985bc00b6a96506602b661934112760e5d4152f78

SHA512
6773fe499f77ce43a974110a442a813a96dff53821c918a9fab3629abdf64b9e8c2b416adc3d28726d4cc756bb869615d21783e601964c78b31fc17524d270b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat

Filesize
244B

MD5
c5eb28e97956c8e60c663a31928c1c6c

SHA1
7bdb2637a6c9b5698d648c5bfffa9d3d8431f792

SHA256
13c42df95d438e0dad7a9fe7f42e6d50773b2625339c262070035978b331f3de

SHA512
8ac4114b6ed9c5d39a6a64c0c10331f2cec30651980f1d72d14c965f415aa3cb8d24831dabe306eeccff613f040c70b74a6cacd8247f2af3ed0fbb85a522a4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
244B

MD5
76ca286307389fd3a007728c27b5a38a

SHA1
d3097fda94802be0c790ff21edfc2c21c910b48d

SHA256
18d0f2ef9b621be4adaea15585d9856618e09787781d57a300c59026df2fb327

SHA512
ff780c9acb2613c9683b48deb84ba0d469365d55bc06fa38b95c429a918434bccd30f9ed2bf9672f29cf878fe967f5b695ae860e07053a1140e62782e28534c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat

Filesize
244B

MD5
feaedab8f3fb1e9828daa0b9b84c4585

SHA1
42137afd2ff76176b0041cfec5e34f9a9f2f5860

SHA256
f3d41fe3462ac10823f4ac76d80c97ad8049373b60cc90e18d486ae3d6b28789

SHA512
b05c0a0dd9405704a0fe10834b89be3752c957e5f756f37a8dcf5582d333a82fe3ca73e0556500fe4beaa7d515266cf587b18c82150e52fd787243ff5e8a5ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
244B

MD5
8a5d42bc508212ec052093268460d80b

SHA1
1d52268b334f7224dd58b98cec49003c0189f56c

SHA256
1cc5283bb8486b64bf7cda848790714d49ecb86b6e1d535774a2caf4ae47f3db

SHA512
d3e15a78fb4c8d650c1fde48129cfd0ea549def5aa84f96c4cf0ff63e743a2647a7ff9aed697a34d479a281e67594eeb4d47f03aed8a76b53902734b097ae137

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
244B

MD5
0ee6c1f05e800e6fa0ad14d00cd0f57c

SHA1
9435d16f20c76d61977f0354e9771e097753197a

SHA256
041e18dc89672f2217072a4f0eb69b7cfabde80289ace6a06ddf85cdf3ed2b10

SHA512
f2c780ece040831c1ec7e9473bde74bf883974b2bbe6066f91b951a2157211bc1443637433678b6c584b2ec7466040285c0926dc3c8e2909b1a872789a685f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\sE7wHhwsEL.bat

Filesize
244B

MD5
f3527313ff24454a2b3dab13cec5ed4b

SHA1
b1a10adb9fa74ffc06a52a21728486b74cde6b9a

SHA256
90c67923dbd2d87d482c34c610368ae52a3a2186d4d8fdb614274ad3a27dcc53

SHA512
49284f350f2f7f04e183e890522b00f54dae7d9e00cb381557115eb4586d9f2f503a96c345ad7eaccee60115c6d0a6512bea5730f7d705d6f7fa5c41f9f735f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e600e788333f88879b9b8224a9fb8fc3

SHA1
87f3ca7e6c15f8bc9ff2e6efe318d46ae1f942fa

SHA256
d48736cb8055d52e55cbc00d1d5475137bc8941c197724f86e175e99437656dc

SHA512
3003f0dbc9fafdd37a750d0bd8c269216ebc121eb5e787a7601fff15cc4fb4615b4e600adf7525ad0f029b52b166e625a0b6cc0dc80abbbc9528dc4f2297134c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1740-136-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1836-613-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/1916-195-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1972-375-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2136-674-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2136-673-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2436-315-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2468-435-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2720-255-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2744-17-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2744-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2744-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2744-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2744-13-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/2936-58-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2936-57-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download