dcrat | 1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe
Size

1.3MB
MD5

7d8623fead53df5a613e58fc168f66de
SHA1

33cfdc5a6ca83f2f7c758cf255c9faf909fc0446
SHA256

1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9
SHA512

a7b503e36f65136e088d654546358a6d53ee86565ed2ce4bd6b4f02f4c1542bc1076adc98c04c3630530d065fd0c9d70b13dc87dbf7589c6d5941c06828388a5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2648	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-9.dat	dcrat
behavioral1/memory/2768-13-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2016-58-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2000-208-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2504-268-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/3016-388-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/2080-448-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/3028-508-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2688-628-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
2660	powershell.exe
2896	powershell.exe
2908	powershell.exe
2956	powershell.exe
2812	powershell.exe
2688	powershell.exe
2912	powershell.exe
2700	powershell.exe
2652	powershell.exe
2744	powershell.exe
2944	powershell.exe
2796	powershell.exe
3012	powershell.exe
2940	powershell.exe
1440	powershell.exe
2028	powershell.exe
2892	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	DllCommonsvc.exe
2016	services.exe
2000	services.exe
2504	services.exe
2212	services.exe
3016	services.exe
2080	services.exe
3028	services.exe
1236	services.exe
2688	services.exe
2324	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\SchCache\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\diagnostics\system\PCW\en-US\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Fonts\services.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1788	schtasks.exe
2140	schtasks.exe
2000	schtasks.exe
2340	schtasks.exe
840	schtasks.exe
2868	schtasks.exe
2876	schtasks.exe
2380	schtasks.exe
2200	schtasks.exe
1776	schtasks.exe
1928	schtasks.exe
1052	schtasks.exe
1268	schtasks.exe
880	schtasks.exe
2404	schtasks.exe
1992	schtasks.exe
3008	schtasks.exe
2064	schtasks.exe
2424	schtasks.exe
2624	schtasks.exe
2444	schtasks.exe
1676	schtasks.exe
2356	schtasks.exe
2696	schtasks.exe
3020	schtasks.exe
1476	schtasks.exe
2456	schtasks.exe
1700	schtasks.exe
1692	schtasks.exe
2056	schtasks.exe
1336	schtasks.exe
3024	schtasks.exe
596	schtasks.exe
1964	schtasks.exe
1392	schtasks.exe
2620	schtasks.exe
304	schtasks.exe
2260	schtasks.exe
1604	schtasks.exe
2492	schtasks.exe
1956	schtasks.exe
636	schtasks.exe
448	schtasks.exe
1512	schtasks.exe
1340	schtasks.exe
316	schtasks.exe
1324	schtasks.exe
2596	schtasks.exe
2964	schtasks.exe
2304	schtasks.exe
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2768	DllCommonsvc.exe
2940	powershell.exe
2744	powershell.exe
2796	powershell.exe
2016	services.exe
2660	powershell.exe
2700	powershell.exe
2028	powershell.exe
2892	powershell.exe
2812	powershell.exe
2912	powershell.exe
1440	powershell.exe
2896	powershell.exe
2956	powershell.exe
2944	powershell.exe
2808	powershell.exe
2908	powershell.exe
2688	powershell.exe
2652	powershell.exe
3012	powershell.exe
2000	services.exe
2504	services.exe
2212	services.exe
3016	services.exe
2080	services.exe
3028	services.exe
1236	services.exe
2688	services.exe
2324	services.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	DllCommonsvc.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2016	services.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2000	services.exe
Token: SeDebugPrivilege	2504	services.exe
Token: SeDebugPrivilege	2212	services.exe
Token: SeDebugPrivilege	3016	services.exe
Token: SeDebugPrivilege	2080	services.exe
Token: SeDebugPrivilege	3028	services.exe
Token: SeDebugPrivilege	1236	services.exe
Token: SeDebugPrivilege	2688	services.exe
Token: SeDebugPrivilege	2324	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2900	2124	JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe	30
PID 2124 wrote to memory of 2900	2124	JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe	30
PID 2124 wrote to memory of 2900	2124	JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe	30
PID 2124 wrote to memory of 2900	2124	JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe	30
PID 2900 wrote to memory of 2364	2900	WScript.exe	31
PID 2900 wrote to memory of 2364	2900	WScript.exe	31
PID 2900 wrote to memory of 2364	2900	WScript.exe	31
PID 2900 wrote to memory of 2364	2900	WScript.exe	31
PID 2364 wrote to memory of 2768	2364	cmd.exe	33
PID 2364 wrote to memory of 2768	2364	cmd.exe	33
PID 2364 wrote to memory of 2768	2364	cmd.exe	33
PID 2364 wrote to memory of 2768	2364	cmd.exe	33
PID 2768 wrote to memory of 2796	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 2796	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 2796	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 2912	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 2912	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 2912	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 2744	2768	DllCommonsvc.exe	88
PID 2768 wrote to memory of 2744	2768	DllCommonsvc.exe	88
PID 2768 wrote to memory of 2744	2768	DllCommonsvc.exe	88
PID 2768 wrote to memory of 2892	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2892	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2892	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2944	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2944	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2944	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2808	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2808	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2808	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2940	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2940	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2940	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2660	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2660	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2660	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2896	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2896	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2896	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2908	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2908	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2908	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2956	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2956	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2956	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2812	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2812	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2812	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2688	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2688	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2688	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 3012	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 3012	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 3012	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2700	2768	DllCommonsvc.exe	100
PID 2768 wrote to memory of 2700	2768	DllCommonsvc.exe	100
PID 2768 wrote to memory of 2700	2768	DllCommonsvc.exe	100
PID 2768 wrote to memory of 2028	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 2028	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 2028	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 2652	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2652	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2652	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 1440	2768	DllCommonsvc.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a173c332ba919a838cc666376c0073127585ba8fffe69b0f921b303e9b33cc9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        6⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2012
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        8⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2852
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        10⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2248
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        12⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1508
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        14⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1916
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        16⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:332
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        18⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2144
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        20⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2840
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
        22⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2384
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        24⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d94d3eaddf3e107757a8814990103648

SHA1
09b274120781de23c40311aa7d89168c27227ebd

SHA256
61aa48ea546028b8ccac35bd948e3260e6638a6a71baa54d44838aae3a06d67f

SHA512
c96e087be21dda6d0b044358b1f903c448244349b6a995a642b8fde752dd11c21fd01049da7878ae43425d54ae8ab13e47019afc327997c8a4cb60c53c4a1cb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82d79f6187c3f2eeb20512d68b01472f

SHA1
25323de88f22e1a7ef66af3e50ec502db4c8a2f1

SHA256
8dfd850f3be627b784d7a0217ad4eaafcc7bdd29a1496542b212acd932bca226

SHA512
2be3106b20406e1f842fbfe738017352468a18e4797c1aa829cc0042bbcaa75c0e8b02c41a79b45027a018fa292c714d4a5fbf49b00c36e2b5fcaa3f8361bd22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b36d046eaabe970d61d14ec794659a2

SHA1
f4b2f179774bfdd8de944358e9e3aecb27724cc2

SHA256
50f127fdd52bc208f1a756543501c73fe9fda4c596c5d17fc7eca16b1f543351

SHA512
3be39ea97dde72ed2355243417b878dcf9f69d8fb21bc5f2e102964e1b1a6c9a8e891334cfb9e4a4fe37fd086d79b36f60202621c40ba150b7986b7782fdac5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2e13c0c071dd67d5b1925dbc5b865d2

SHA1
6a476e28326e32fadead879fc11f19b2c479e8dc

SHA256
5ae56a0e59229bbab56a28b280ef93fac66e4c5ffb0c70e20a66aca59bf6dc21

SHA512
166c9993c1224f252a0d2f2b2aa7a15c89bb738ea42b6043727e11d24c08b1cfd5642a2b3b12d38ee64a3b376d061745b045529706d50a746afe45781d614dc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
462aabfda13427a4257969b1553de7de

SHA1
81621be308c1d7b250be299131c83d894e7dd363

SHA256
bd2f5ef634355677c3a4fc96a640cdf7357fad4ed785ec9150a484b99cd915b9

SHA512
e3dd1cae9f001d8286a86b81d98ad30e7e4a326564598037fdc8f62d8f8c18d2ad2352fec75552189f691168ba7ebd99bc8df41700fc167daeb1781799585acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e8b414e4de23c41b9332b3d0db5c74a

SHA1
85775122d6b6d09423d3d6777a6e390b73e0cb2c

SHA256
82652539d71fdc85cc83cbbf4b6126fb860211a23e62157e08e3ad23f5d4190b

SHA512
f34b0819e4fb4feba9e70a613e766cbf30126d662beb05640a0edd79ccd26e225389e2792c1274a0d422bf841a5b302cda90183d361c59612cdcc0a043f47487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
678f3fe759f05e0a0c4cf00cd55a8233

SHA1
a51a43dff9ff3b02eade60aae3949078661442b6

SHA256
5ab241a849ea802b7c4294b9e6fcdc7345157219659268d3ff127c7be4c6a242

SHA512
e294a83b07fd98ed94275f1bff177d722704433b6265ab1586a466ee1d52a2d9e179b370aa385240d69892dc27825f5f3ec7aa8bee86059edb23d7fda696847e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d645d1e37f0674eba12267eed7779ab

SHA1
e8fb02844e2b08b37e54326d8d5967cabb6f3c4d

SHA256
06fe7547a28a6ddd6975f2274f623c530b5a30db8770091d36fb99b208ba0c16

SHA512
37ccbd91ccee820d11f9c3959ca059d4352e840db635d4ec969b9c92bae9203ce05ed73fc28d308e296e42478475d0a67ed3fee186720b15b412938db33dc8e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0fa43000962fbf6e6517b5e95bdb1ec

SHA1
8c13bdcd417ef12277b57e94bde9dc03d67a299e

SHA256
6e908df3755c348c3bff76cb300c975f578cc01de3df08d09bc74f9f692d8f10

SHA512
c95aab211c8a0339d8fe88af7d79c6a97863917397bce20113185bf51024ea07e4b9932690347424368c00e60dbf044647a4dd1e0dee820e89c9ea58d0ddcd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
233B

MD5
d55ee3e0b04218abc129ef514acff8bd

SHA1
2403a948ab087fb21725648ef79fd240a16e4eb4

SHA256
7abd001f2c330e579379981250dda298ee80ec5958b251b59a7ebeddf11e99ff

SHA512
f23a019c67df3de5a4f218060dbd9d6ad56a08657864b42b1de1ee980b7976ea43c2a58744a25040d163744081c2fb55bb64de6ed9a01229d5cf604947843e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab563D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
233B

MD5
01e9469a4ae0bd11a1d9942bfc66e753

SHA1
459da8fe9ed0b2f1f985dd1116e93e33f401b52b

SHA256
53423e4ecb953bb4a76e767da46ec3e4134f19eed48666db2adab70252d9e3a8

SHA512
a1543b8d837d3d609c958af93d79962756c024d9d5489162dad1855a10b263bf37a41fb9e579230350bcc8338e247b67b178f503034d11b09e0027781459fb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
233B

MD5
f11b90e775c992c6bf4edbdddc8f1862

SHA1
67cee14dd5bd7e579ad9fbe79969bc5f6ef90715

SHA256
d61ed835a8751fe9e43a8812092208e00830ffd1b1edaa0e48a1636cd9b85781

SHA512
e90de5afcb6b2732f911e96e5cb164e544083a45d55f2e6cb729fd0fa7b34b0bd36b95209358e1e3a82ffc419377e5b9a0b6712e68645eea8efce7e4e54cdcda

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
233B

MD5
9ab51ce8f7fb7a833726841e90279926

SHA1
4f322ee0309e9c6442052f46198e455b8336ba75

SHA256
57c8b420202e331da20d4022f954024cafc61d379576f1914940e2c39cf26dd0

SHA512
882c99df9f61d9a32786ffde55c637247230d5b7ad51be0ca7b08fe78b0bcb719bddffe2257bc71ba6333fc408efa1c5c36203d873537c4f8a3752ee21429cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar564F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
233B

MD5
a2cbbf6e9ec66791400257b713fafd97

SHA1
afdc385f412e5404b83f217adc5025a82a3eb77c

SHA256
78e477c61f792a80b932bd80072de20fda409d48d7c9c2ed11c6024f9481cf4b

SHA512
82de4a96a0a4778b1f8fdabc193e44ce646e4738193afab3eee4f628fc0fcfa6b997d2255269401d3ac543259b5d4e5e24ad0e4ec339c1b43baddca13c5b657d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
233B

MD5
b12a9cbe5c458e1ffbf82648c3fd7967

SHA1
767215949df866f2067e0b50d5ea06d1ab8c6ccb

SHA256
6028957eaa9cbae4a950278fb8987661a778713b5ecb28ac700249d735e699b5

SHA512
dcc9688b932c3f25c70b83face0b90b7be1d786610668e125380a5363d7313b528b389c3965b67753918cc4c35867250bda5e25f854d12bc9419899e55f8c0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
233B

MD5
a8c141d016fe9d0ab1fa943efc81ae1c

SHA1
3cec3a8db30594f249b15c07cc4d6d7848e00663

SHA256
ca96174922fc41b7814f7043b2a2182e216cd9abf43f3ef1a59ac2e7d31d2172

SHA512
2dbbb55788a546d9a89d05e2b78f62936e383d08d32799b035f8368d29977b40c68147c9646d40fcff2c3e3bf12f70edcefd887090eba9a40c5785fc48f6218f

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

Filesize
233B

MD5
03fadeb5703269fe1cac92b0e56dff0a

SHA1
61b3b0ee661c0c21990b39951f7e93de8f447352

SHA256
c2c079564b5c576a9b640b56f7e0b3fe899002e39473204ce214c972ea174e80

SHA512
3173d5d536f08af8fa30ca610b6ba5974aec66390328cb0e824300ff6a66ffde1534f90270c3ec14f968b41b6035ba70e652623a23907585698d9b6ed0571439

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
233B

MD5
4860fda4af5a7eefdad41bfa9d75a6af

SHA1
e094b37810daffd3151433713b5752bb1d36355e

SHA256
6943283b44e6473a720b4feb47c79f391f279cdcf1aae73e92be59f43ddd51db

SHA512
7923965a51cdbd2eb16ea8abec9f41dfd935501e3c033d8c2ca0ed4f4603b2557e4a5e42f68fcde79d2933b6e0baf88cfd3457f2a6fdb58a047821757a31d3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
233B

MD5
cbbae1616a0fbfeb4152fbe53d94507e

SHA1
830455c8489b1cc9e8765fe6806c833c5505b251

SHA256
8d948c71206879db09195b2bcc1d79fbb0fc8250164566749aff718c1eea39ac

SHA512
c7cd5de0ca008113dfc5bd7fc2a42c549be22e14906b5ba80a2202a2c03297d8f6558cddb513f0ff885db0017f18a5e27da354edb90cbc4ab624df60e57440eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
43ffb14598130de00c6f2b7de73447bc

SHA1
ada5873c53686513e5ccd592a025fff1853aecb7

SHA256
30e3e7a599e1047c8ea0c51fb67c77341b8621569a46f37dc7dd88baeccc013b

SHA512
e5cac28a860ee67e8d6a7eeb3c08ddfc81189f8bc4ee013c5b4341f5f39368531de3d4d9c3382cfab3ba7c46904033e1fbedd80b3543bea6cbfd9d5752ab961f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1236-568-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2000-208-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2016-58-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2080-448-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/2504-269-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2504-268-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2688-628-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2744-69-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2768-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2768-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2768-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2768-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2768-13-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2940-70-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/3016-388-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-508-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download