dcrat | 96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe
Size

1.3MB
MD5

70d6711cfaa1d711ccc4b193e76f39cf
SHA1

f88bd9dbcb81d74835f1fd84249dae90a0ba0bfc
SHA256

96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c
SHA512

d166924e1b938ebe5a6206d0ee1bab2cdf907bf24f7ea157a8ab852a77146c594dc85305023f4b3ae71bb18f730eafeedc6c265e7a58cfd829768c3ea5653908
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2560	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015e25-12.dat	dcrat
behavioral1/memory/2700-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1548-144-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/3028-203-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/2712-263-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2876-324-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/1880-384-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/3028-445-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/884-505-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2188-624-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/308-685-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
2764	powershell.exe
1428	powershell.exe
1584	powershell.exe
2848	powershell.exe
1872	powershell.exe
1588	powershell.exe
2192	powershell.exe
2248	powershell.exe
2624	powershell.exe
1700	powershell.exe
2744	powershell.exe
2704	powershell.exe
2708	powershell.exe
2756	powershell.exe
2804	powershell.exe
2488	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2700	DllCommonsvc.exe
1896	sppsvc.exe
1548	sppsvc.exe
3028	sppsvc.exe
2712	sppsvc.exe
2876	sppsvc.exe
1880	sppsvc.exe
3028	sppsvc.exe
884	sppsvc.exe
2160	sppsvc.exe
2188	sppsvc.exe
308	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2724	cmd.exe
2724	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
30	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\taskhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe
2100	schtasks.exe
2952	schtasks.exe
2944	schtasks.exe
2468	schtasks.exe
2060	schtasks.exe
960	schtasks.exe
2000	schtasks.exe
1148	schtasks.exe
704	schtasks.exe
1624	schtasks.exe
804	schtasks.exe
1480	schtasks.exe
2976	schtasks.exe
2424	schtasks.exe
1716	schtasks.exe
2120	schtasks.exe
1968	schtasks.exe
2936	schtasks.exe
2340	schtasks.exe
2356	schtasks.exe
1444	schtasks.exe
1980	schtasks.exe
316	schtasks.exe
2072	schtasks.exe
1672	schtasks.exe
2140	schtasks.exe
2096	schtasks.exe
2260	schtasks.exe
1312	schtasks.exe
1200	schtasks.exe
2780	schtasks.exe
2172	schtasks.exe
868	schtasks.exe
1388	schtasks.exe
1608	schtasks.exe
408	schtasks.exe
1284	schtasks.exe
1696	schtasks.exe
884	schtasks.exe
2992	schtasks.exe
2016	schtasks.exe
2168	schtasks.exe
2520	schtasks.exe
2108	schtasks.exe
3032	schtasks.exe
2768	schtasks.exe
1548	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
1896	sppsvc.exe
1548	sppsvc.exe
3028	sppsvc.exe
2712	sppsvc.exe
2876	sppsvc.exe
1880	sppsvc.exe
3028	sppsvc.exe
884	sppsvc.exe
2160	sppsvc.exe
2188	sppsvc.exe
308	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2704	powershell.exe
1584	powershell.exe
1428	powershell.exe
2624	powershell.exe
1700	powershell.exe
1872	powershell.exe
2764	powershell.exe
2248	powershell.exe
2488	powershell.exe
2744	powershell.exe
2588	powershell.exe
2804	powershell.exe
2708	powershell.exe
2848	powershell.exe
2756	powershell.exe
2192	powershell.exe
1588	powershell.exe
1548	sppsvc.exe
3028	sppsvc.exe
2712	sppsvc.exe
2876	sppsvc.exe
1880	sppsvc.exe
3028	sppsvc.exe
884	sppsvc.exe
2160	sppsvc.exe
2188	sppsvc.exe
308	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	DllCommonsvc.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1548	sppsvc.exe
Token: SeDebugPrivilege	3028	sppsvc.exe
Token: SeDebugPrivilege	2712	sppsvc.exe
Token: SeDebugPrivilege	2876	sppsvc.exe
Token: SeDebugPrivilege	1880	sppsvc.exe
Token: SeDebugPrivilege	3028	sppsvc.exe
Token: SeDebugPrivilege	884	sppsvc.exe
Token: SeDebugPrivilege	2160	sppsvc.exe
Token: SeDebugPrivilege	2188	sppsvc.exe
Token: SeDebugPrivilege	308	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3064	2848	JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe	30
PID 2848 wrote to memory of 3064	2848	JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe	30
PID 2848 wrote to memory of 3064	2848	JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe	30
PID 2848 wrote to memory of 3064	2848	JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe	30
PID 3064 wrote to memory of 2724	3064	WScript.exe	31
PID 3064 wrote to memory of 2724	3064	WScript.exe	31
PID 3064 wrote to memory of 2724	3064	WScript.exe	31
PID 3064 wrote to memory of 2724	3064	WScript.exe	31
PID 2724 wrote to memory of 2700	2724	cmd.exe	33
PID 2724 wrote to memory of 2700	2724	cmd.exe	33
PID 2724 wrote to memory of 2700	2724	cmd.exe	33
PID 2724 wrote to memory of 2700	2724	cmd.exe	33
PID 2700 wrote to memory of 1872	2700	DllCommonsvc.exe	83
PID 2700 wrote to memory of 1872	2700	DllCommonsvc.exe	83
PID 2700 wrote to memory of 1872	2700	DllCommonsvc.exe	83
PID 2700 wrote to memory of 1428	2700	DllCommonsvc.exe	84
PID 2700 wrote to memory of 1428	2700	DllCommonsvc.exe	84
PID 2700 wrote to memory of 1428	2700	DllCommonsvc.exe	84
PID 2700 wrote to memory of 1584	2700	DllCommonsvc.exe	86
PID 2700 wrote to memory of 1584	2700	DllCommonsvc.exe	86
PID 2700 wrote to memory of 1584	2700	DllCommonsvc.exe	86
PID 2700 wrote to memory of 1588	2700	DllCommonsvc.exe	87
PID 2700 wrote to memory of 1588	2700	DllCommonsvc.exe	87
PID 2700 wrote to memory of 1588	2700	DllCommonsvc.exe	87
PID 2700 wrote to memory of 1700	2700	DllCommonsvc.exe	89
PID 2700 wrote to memory of 1700	2700	DllCommonsvc.exe	89
PID 2700 wrote to memory of 1700	2700	DllCommonsvc.exe	89
PID 2700 wrote to memory of 2744	2700	DllCommonsvc.exe	90
PID 2700 wrote to memory of 2744	2700	DllCommonsvc.exe	90
PID 2700 wrote to memory of 2744	2700	DllCommonsvc.exe	90
PID 2700 wrote to memory of 2248	2700	DllCommonsvc.exe	92
PID 2700 wrote to memory of 2248	2700	DllCommonsvc.exe	92
PID 2700 wrote to memory of 2248	2700	DllCommonsvc.exe	92
PID 2700 wrote to memory of 2704	2700	DllCommonsvc.exe	94
PID 2700 wrote to memory of 2704	2700	DllCommonsvc.exe	94
PID 2700 wrote to memory of 2704	2700	DllCommonsvc.exe	94
PID 2700 wrote to memory of 2848	2700	DllCommonsvc.exe	96
PID 2700 wrote to memory of 2848	2700	DllCommonsvc.exe	96
PID 2700 wrote to memory of 2848	2700	DllCommonsvc.exe	96
PID 2700 wrote to memory of 2192	2700	DllCommonsvc.exe	97
PID 2700 wrote to memory of 2192	2700	DllCommonsvc.exe	97
PID 2700 wrote to memory of 2192	2700	DllCommonsvc.exe	97
PID 2700 wrote to memory of 2488	2700	DllCommonsvc.exe	100
PID 2700 wrote to memory of 2488	2700	DllCommonsvc.exe	100
PID 2700 wrote to memory of 2488	2700	DllCommonsvc.exe	100
PID 2700 wrote to memory of 2804	2700	DllCommonsvc.exe	101
PID 2700 wrote to memory of 2804	2700	DllCommonsvc.exe	101
PID 2700 wrote to memory of 2804	2700	DllCommonsvc.exe	101
PID 2700 wrote to memory of 2624	2700	DllCommonsvc.exe	102
PID 2700 wrote to memory of 2624	2700	DllCommonsvc.exe	102
PID 2700 wrote to memory of 2624	2700	DllCommonsvc.exe	102
PID 2700 wrote to memory of 2756	2700	DllCommonsvc.exe	103
PID 2700 wrote to memory of 2756	2700	DllCommonsvc.exe	103
PID 2700 wrote to memory of 2756	2700	DllCommonsvc.exe	103
PID 2700 wrote to memory of 2764	2700	DllCommonsvc.exe	104
PID 2700 wrote to memory of 2764	2700	DllCommonsvc.exe	104
PID 2700 wrote to memory of 2764	2700	DllCommonsvc.exe	104
PID 2700 wrote to memory of 2588	2700	DllCommonsvc.exe	105
PID 2700 wrote to memory of 2588	2700	DllCommonsvc.exe	105
PID 2700 wrote to memory of 2588	2700	DllCommonsvc.exe	105
PID 2700 wrote to memory of 2708	2700	DllCommonsvc.exe	106
PID 2700 wrote to memory of 2708	2700	DllCommonsvc.exe	106
PID 2700 wrote to memory of 2708	2700	DllCommonsvc.exe	106
PID 2700 wrote to memory of 2300	2700	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96fa3d1a5df0307f595868e7bbb0c17b607068e2e020eca17144b0488320cf3c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZcgs6686p.bat"
        5⤵
        
        PID:2300
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1808
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        7⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:796
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        9⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1704
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        11⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2540
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
        13⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1960
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        15⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2724
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        17⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1776
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        19⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2152
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        21⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1628
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        23⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2476
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
        25⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2300
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f614fd96117f94d0aacd11634a96e52c

SHA1
8d6896c0f3563a1d76b27eff1711ffeb4e771803

SHA256
50ad3865b6cc7ef64a0e493e4ed0b2b511a7452ebca99e56c828192e238a6592

SHA512
6a14b3e2a42a9058b6bfb82fabeac5811d685e76ec52ae3d9fae94b41be8d2aa55cba5eb59536d759da9e3c7b3b1c78b441c74cdf722b29c3e46c5360c745e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0723b602a728d8397428f3ba0aba9c5

SHA1
03d5747843ca4cf7cd9913bd630f07228aa41030

SHA256
f02b7ada53f9fd9685ab0d56b04793f3b9168be417376ec91753a0990d551026

SHA512
5d11d631d6e506d52627dd10e5652f5b177600cd263c3b65c96b06e96a03242b4f69b7d3b76a98a78b154c1b572c1003be97da751e0bf5c5677a65102b3cdc45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
822a3843152dca02edac91915a05f213

SHA1
524b2761c4563b4d8750617f9c6fb80408948a72

SHA256
866492b7e1603fbc766b8bf7c2eafc31b0b893c64bf004ad04a4bb879bbadbf4

SHA512
ff505becfdc4172cb0731b60f9a42cb0dfdc97d7cecc2c077ac92e358162e32e8852b0b0b5df4e9154b880b1393ccb6974b3a76a1ac26194a2d37f72136c98a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92fe47998b03ccfd53e3543ba510a62a

SHA1
6834021845451d115fae3338eb502948759d54b9

SHA256
d755f8a550e05fbc151765f4285b8878a625641d8647016e19be8c612733be76

SHA512
0362726df62ea7b534fcf2927371d232bf450945533a39a15c3bdaa48fa38e7628e92697cb54dbfef27401ede2239e2468adc7349da60bd06c3491c3b34c18fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
191651499017f6bbbcf6fe148217209b

SHA1
624cc17b46e8c9c2b5bbf16d5df4dddb7218e035

SHA256
8f60bf143d779d7d195fbe53caafc89602742ce0261c052c8427e481b1d636f5

SHA512
2b816db4d48c94b997622726ba275b0cbbff5f82cfa6c6447dedd755fab6b8d38c87c746fb65d7ad1cd0f3cc9251b0f7d9ca7dd8b2a82a81479099149df9fef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f3c8e6011cb12bc0a0ea401c46a30b4

SHA1
fb926d8c455740bc08e58c315ddc6687e67e07be

SHA256
cb4f5b67705d8ec387812b0975af552b78b63832054583b5c5696aeea412ae5c

SHA512
51c42f60c53f37647a11bbae131f90d42e64cd36d84dfd1081459a9cd01705e0c1c9b521156bb9bb71c1d10cf22e27314f3758c7db1692ceb3031ddb1a4cefd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fdfaa14d57e7db827c7772d3f887329

SHA1
2a7a8a96265a931cf4b7f3b77ec4f349733b499d

SHA256
c9fc2c79f8618866d1d9e857b22037f05bef7219b8defa22586efff01d65cf6d

SHA512
e960381da81422a4ca7bffae8ac947a8e1b6968dac27d7ed49efb5946f46bca7ad83e8c50bcc754bf0be9134e6eaa922098c73d099dd9ce96a8945ca556303a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361312d2b243199405be742abf358ead

SHA1
1027cccde152fa962e9452de502436d74d5da0f2

SHA256
c109c30332675d54750b3303c1bd3d5e14c2cb6c17070406fcb557b82d5cfcfb

SHA512
aefbeb8fb31ebd7d7a14fb210d7f92e5f9fc893cc99140f2c8086a4d066352621c5fe6895608fa5f8dee873a78f48386e7c398d7aa9682b73c57d9d2a7c229a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
224B

MD5
5654b3a8549b52f4b54d11fe38427689

SHA1
41474729d647cda232424b196a1283a9721bd0dd

SHA256
56910f4910e23a5219367dcfe0bd0e2c71e3deb59cafc44c25aef21cad03cbe5

SHA512
df74269a22f00e2a890aaa441775b730731643d61697f06c3c186c297f93a004199b4dbc6b9a0b121e7cf425c9a29149670a103e433603df1d48b790c262b937

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
224B

MD5
6af1eef6904c30415b7a136668657898

SHA1
143307b0adcd5508494f1583400352f97c093974

SHA256
509952a5f1934ab5a02caa6512033bc78c93f81779220059d344179bc6b50ba1

SHA512
b361f2429a4eb88e6d328b3e7d55438e96136578d48bdec163c5dd8f09e1e6aa027153a93dfbdb3c3fe262c91c9e63b053557ce89b0c637edea79c8ed6a69daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA11.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
224B

MD5
19ca992fcf2ca58a7aa6e025ea560680

SHA1
dfadd92d674f0c6efe1e7a16250ffea800270f67

SHA256
e90cdadee025c08371f127aeff62cce945b016ac78ad34891a4904b1715206df

SHA512
8a398febe56b22960823520e5f28f0a6c3feaa5991150253cb46b4b522b69660eb2b08db888754fa0d510bf9fb79b187b56b455e8a07424c5570b19b6389bd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA23.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
224B

MD5
1c268cb70d4dc2658f2225a72ceb31a4

SHA1
16d0bd0a428af12c6d67c3846788c41b05f21ade

SHA256
2ad959e625d10293113c82e116e0239ce9b85798b832f297a11a636eb1101b8c

SHA512
1ea41f5b34f7962d4bf8ed4fc46ece53505da3215483d31d0afa54dde16b6bfacb03b25c14e4ac099f9129eaac1b7199b0bb998e2b249b3d9597ddc9cb961dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZcgs6686p.bat

Filesize
224B

MD5
54fd16f0fd3c665b9eee9d3ca36f84bd

SHA1
15f7744d3faaefc70ff2c24664d1245ada13ec7b

SHA256
d2fd11539e0a4cb47ead57f4b4ba8ffed0c0e398b79e35e7b48e8d4050af1a60

SHA512
7f01906d302b03d1704f9abc70c0fd6c5a2fc00bf8c83a9d6da114999d1b674bef16976254b34896a8833d6a10b18ba62690958afb3d7012aff89c3de6c3d499

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
224B

MD5
7a3923f00f190a1d9e77e419c13c2c66

SHA1
54ce8a4c4793304dc7f7b3a5caab6a7bda90f333

SHA256
95f966a2d6bd9ca21aceef87235933e9bc059a694edda836d0128767c329c984

SHA512
a22fc9d0a9b244d340e61a2bb13ef38317837a8e398123a083e481b178dfd873614d49d24fb90efc6f1d97533bde5a7fe77121578f60c2d85f4aa004f96cd629

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
224B

MD5
46c07a6d361b1c6ad1cced215fb620cb

SHA1
4edabd4d5db79b5328b8c800896e9d514b7a76de

SHA256
9a63fd591d749c69435e2d2507e66edeead188e99d6ca26d344b17474532943b

SHA512
f64d73975568ed5c72add1ed11aa1e4389e3ed05a6adfc513edab85d3f1fc8b09711c4746b56f6866cffa9ab18bd9f6a8a65bab4d263b0bba308d8ab145a3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat

Filesize
224B

MD5
566d1522b8dbb473ce269590de1a5239

SHA1
2e52d145caf41043102683530f564137033ad015

SHA256
567a4d3e4357711c69bc0f96e0ab2d95407fd6c9a14a8e843214a31b9d71808a

SHA512
01720fe27b6e1f060e314cab7b8e6d7866ac03f1786c15043abc5e77ae48595a7bee19787388685960ba63ce554b61b2a00c4335823d4dca89053dbc5d21a257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
224B

MD5
f4185284c8999297709dfce7038a9726

SHA1
3d697f649902582c2beec6b7263045a6cf825179

SHA256
3bcbdf0773702738fe0b206f297ed6099ac17ed13533625a2004834562a37ead

SHA512
69327b5976a0599a6a1975de7b57c0def2c0b97ab3fad14ac5b495b805ced4a7fbe73efad76266ce134cbcb22caeea99cbc46bef7c9d44102928e083d634cb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

Filesize
224B

MD5
0a8868ba27e0d8f182de030955cfcb65

SHA1
e13df6ad02bc49db882e8615883ffe398fbb649b

SHA256
5a12f2229bc63c65bc0a225330f36654054d4335b281747328598ce23b16f5c4

SHA512
e1812aaf4579b23b104ac63a1b6d3ed41e853cdc519953e80a22c479794fb7c36dacaf014a76619bd77c0e60d685b1dffb258cb9cb27deed910ad73249a6c001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e765e2179c1f7a717d5f962fb96a832

SHA1
ea13867a7478dea9f4985bf56aaf2ce753d10b3a

SHA256
ea717332001ba604986f836b7da084e23ec853e23b3edb1086d2655d24abfd0c

SHA512
bf9c407c42bc1595f72c2dbc678f84adeb1ae6c54eaaf90bbbf9c2668f71ec52cadb1d7bf5756a8d1aeb6435b82dfd4a87334af8d09a632053ae5422158eaa4a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/308-686-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/308-685-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/884-505-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1548-144-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/1880-384-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1880-385-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2188-624-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2188-625-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2700-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2700-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2700-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2700-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2700-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2704-63-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2704-62-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2712-264-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2712-263-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2876-324-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-445-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/3028-203-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download