dcrat | 731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe
Size

1.3MB
MD5

414ab4eb821beba7582d839920c0806b
SHA1

30ae9c040c8daaea33591da7040e1ea6b37bad82
SHA256

731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491
SHA512

694e54a99a7e9b2257840bc5f4c8ba28703639e1f4cdbff3abb1cc880660203c5c7bce3cb5b146261b0f0de256f4d7ca376e6be754d54856d8d9b6a4f908e060
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2540	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2540	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7a-10.dat	dcrat
behavioral2/memory/2896-13-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3080	powershell.exe
5028	powershell.exe
4544	powershell.exe
4280	powershell.exe
3264	powershell.exe
3548	powershell.exe
1028	powershell.exe
60	powershell.exe
1172	powershell.exe
1464	powershell.exe
3512	powershell.exe
3588	powershell.exe
4868	powershell.exe
2316	powershell.exe
2052	powershell.exe
3656	powershell.exe
2808	powershell.exe
4688	powershell.exe
4344	powershell.exe
516	powershell.exe
116	powershell.exe
1264	powershell.exe
1248	powershell.exe
3160	powershell.exe
4836	powershell.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	powershell.exe

Executes dropped EXE 17 IoCs

pid	Process
2896	DllCommonsvc.exe
1308	DllCommonsvc.exe
3888	powershell.exe
1620	powershell.exe
744	powershell.exe
1468	powershell.exe
2076	powershell.exe
3060	powershell.exe
1372	powershell.exe
2464	powershell.exe
3708	powershell.exe
4280	powershell.exe
3640	powershell.exe
2692	powershell.exe
2288	powershell.exe
2280	powershell.exe
2444	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com
42	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
17	raw.githubusercontent.com
40	raw.githubusercontent.com
47	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
59	raw.githubusercontent.com
21	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\INF\TAPISRV\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\SchCache\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\unsecapp.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Windows\INF\TAPISRV\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\INF\TAPISRV\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4088	schtasks.exe
32	schtasks.exe
264	schtasks.exe
2808	schtasks.exe
2040	schtasks.exe
3464	schtasks.exe
4032	schtasks.exe
228	schtasks.exe
4420	schtasks.exe
4180	schtasks.exe
2896	schtasks.exe
540	schtasks.exe
832	schtasks.exe
4300	schtasks.exe
4844	schtasks.exe
2180	schtasks.exe
60	schtasks.exe
1448	schtasks.exe
2416	schtasks.exe
1576	schtasks.exe
2740	schtasks.exe
228	schtasks.exe
3420	schtasks.exe
3164	schtasks.exe
3504	schtasks.exe
4180	schtasks.exe
1244	schtasks.exe
3504	schtasks.exe
1608	schtasks.exe
4672	schtasks.exe
3504	schtasks.exe
1312	schtasks.exe
2736	schtasks.exe
2664	schtasks.exe
2268	schtasks.exe
404	schtasks.exe
2868	schtasks.exe
5004	schtasks.exe
2104	schtasks.exe
2504	schtasks.exe
3332	schtasks.exe
1440	schtasks.exe
1668	schtasks.exe
3888	schtasks.exe
3888	schtasks.exe
1164	schtasks.exe
5020	schtasks.exe
4992	schtasks.exe
408	schtasks.exe
1152	schtasks.exe
4444	schtasks.exe
2820	schtasks.exe
4684	schtasks.exe
2384	schtasks.exe
4800	schtasks.exe
3468	schtasks.exe
3264	schtasks.exe
4108	schtasks.exe
1564	schtasks.exe
5016	schtasks.exe
3168	schtasks.exe
1752	schtasks.exe
4980	schtasks.exe
4876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
3080	powershell.exe
3080	powershell.exe
1248	powershell.exe
1248	powershell.exe
116	powershell.exe
116	powershell.exe
3588	powershell.exe
3588	powershell.exe
4544	powershell.exe
4544	powershell.exe
4344	powershell.exe
4344	powershell.exe
1464	powershell.exe
1464	powershell.exe
3512	powershell.exe
3512	powershell.exe
5028	powershell.exe
5028	powershell.exe
3160	powershell.exe
3160	powershell.exe
4688	powershell.exe
4688	powershell.exe
1172	powershell.exe
1172	powershell.exe
4868	powershell.exe
4868	powershell.exe
516	powershell.exe
516	powershell.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1248	powershell.exe
4344	powershell.exe
3080	powershell.exe
3160	powershell.exe
116	powershell.exe
4544	powershell.exe
3588	powershell.exe
3512	powershell.exe
5028	powershell.exe
4688	powershell.exe
1464	powershell.exe
4868	powershell.exe
1172	powershell.exe
516	powershell.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
1308	DllCommonsvc.exe
4280	powershell.exe
3548	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	DllCommonsvc.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1308	DllCommonsvc.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3556	4504	731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe	82
PID 4504 wrote to memory of 3556	4504	731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe	82
PID 4504 wrote to memory of 3556	4504	731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe	82
PID 3556 wrote to memory of 2528	3556	WScript.exe	83
PID 3556 wrote to memory of 2528	3556	WScript.exe	83
PID 3556 wrote to memory of 2528	3556	WScript.exe	83
PID 2528 wrote to memory of 2896	2528	cmd.exe	85
PID 2528 wrote to memory of 2896	2528	cmd.exe	85
PID 2896 wrote to memory of 3080	2896	DllCommonsvc.exe	129
PID 2896 wrote to memory of 3080	2896	DllCommonsvc.exe	129
PID 2896 wrote to memory of 5028	2896	DllCommonsvc.exe	130
PID 2896 wrote to memory of 5028	2896	DllCommonsvc.exe	130
PID 2896 wrote to memory of 4688	2896	DllCommonsvc.exe	131
PID 2896 wrote to memory of 4688	2896	DllCommonsvc.exe	131
PID 2896 wrote to memory of 3588	2896	DllCommonsvc.exe	132
PID 2896 wrote to memory of 3588	2896	DllCommonsvc.exe	132
PID 2896 wrote to memory of 4344	2896	DllCommonsvc.exe	133
PID 2896 wrote to memory of 4344	2896	DllCommonsvc.exe	133
PID 2896 wrote to memory of 516	2896	DllCommonsvc.exe	134
PID 2896 wrote to memory of 516	2896	DllCommonsvc.exe	134
PID 2896 wrote to memory of 1172	2896	DllCommonsvc.exe	135
PID 2896 wrote to memory of 1172	2896	DllCommonsvc.exe	135
PID 2896 wrote to memory of 1464	2896	DllCommonsvc.exe	136
PID 2896 wrote to memory of 1464	2896	DllCommonsvc.exe	136
PID 2896 wrote to memory of 116	2896	DllCommonsvc.exe	137
PID 2896 wrote to memory of 116	2896	DllCommonsvc.exe	137
PID 2896 wrote to memory of 4544	2896	DllCommonsvc.exe	138
PID 2896 wrote to memory of 4544	2896	DllCommonsvc.exe	138
PID 2896 wrote to memory of 4868	2896	DllCommonsvc.exe	139
PID 2896 wrote to memory of 4868	2896	DllCommonsvc.exe	139
PID 2896 wrote to memory of 3512	2896	DllCommonsvc.exe	140
PID 2896 wrote to memory of 3512	2896	DllCommonsvc.exe	140
PID 2896 wrote to memory of 1264	2896	DllCommonsvc.exe	141
PID 2896 wrote to memory of 1264	2896	DllCommonsvc.exe	141
PID 2896 wrote to memory of 1248	2896	DllCommonsvc.exe	142
PID 2896 wrote to memory of 1248	2896	DllCommonsvc.exe	142
PID 2896 wrote to memory of 3160	2896	DllCommonsvc.exe	143
PID 2896 wrote to memory of 3160	2896	DllCommonsvc.exe	143
PID 2896 wrote to memory of 1308	2896	DllCommonsvc.exe	159
PID 2896 wrote to memory of 1308	2896	DllCommonsvc.exe	159
PID 1308 wrote to memory of 4280	1308	DllCommonsvc.exe	187
PID 1308 wrote to memory of 4280	1308	DllCommonsvc.exe	187
PID 1308 wrote to memory of 3264	1308	DllCommonsvc.exe	188
PID 1308 wrote to memory of 3264	1308	DllCommonsvc.exe	188
PID 1308 wrote to memory of 3548	1308	DllCommonsvc.exe	189
PID 1308 wrote to memory of 3548	1308	DllCommonsvc.exe	189
PID 1308 wrote to memory of 60	1308	DllCommonsvc.exe	190
PID 1308 wrote to memory of 60	1308	DllCommonsvc.exe	190
PID 1308 wrote to memory of 2808	1308	DllCommonsvc.exe	191
PID 1308 wrote to memory of 2808	1308	DllCommonsvc.exe	191
PID 1308 wrote to memory of 3656	1308	DllCommonsvc.exe	192
PID 1308 wrote to memory of 3656	1308	DllCommonsvc.exe	192
PID 1308 wrote to memory of 2052	1308	DllCommonsvc.exe	193
PID 1308 wrote to memory of 2052	1308	DllCommonsvc.exe	193
PID 1308 wrote to memory of 4836	1308	DllCommonsvc.exe	195
PID 1308 wrote to memory of 4836	1308	DllCommonsvc.exe	195
PID 1308 wrote to memory of 2316	1308	DllCommonsvc.exe	196
PID 1308 wrote to memory of 2316	1308	DllCommonsvc.exe	196
PID 1308 wrote to memory of 1028	1308	DllCommonsvc.exe	197
PID 1308 wrote to memory of 1028	1308	DllCommonsvc.exe	197
PID 1308 wrote to memory of 3664	1308	DllCommonsvc.exe	207
PID 1308 wrote to memory of 3664	1308	DllCommonsvc.exe	207
PID 3664 wrote to memory of 3128	3664	cmd.exe	209
PID 3664 wrote to memory of 3128	3664	cmd.exe	209

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe
"C:\Users\Admin\AppData\Local\Temp\731a80c34ce9f891a8a7911f5261a74b233391c910c3ab5b731c4674f75cc491.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\TAPISRV\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\upfc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIrwAdZ66X.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3128
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        8⤵
        
        PID:1840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2740
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        10⤵
        
        PID:4168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2812
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        12⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4052
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        14⤵
        
        PID:728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4524
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
        16⤵
        
        PID:4100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1256
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        18⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4800
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        20⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5076
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        22⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2112
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        24⤵
        
        PID:4604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:516
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        26⤵
        
        PID:4492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2788
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        28⤵
        
        PID:3904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4616
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
        30⤵
        
        PID:4284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2032
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
        32⤵
        
        PID:4180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4004
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat"
        34⤵
        
        PID:264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4900
        
        C:\Windows\SchCache\powershell.exe
        
        "C:\Windows\SchCache\powershell.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        36⤵
        
        PID:3740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\schemas\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\TAPISRV\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\TAPISRV\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\TAPISRV\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Links\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\SchCache\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46bf20e17dec660ef09b16e41372a7c3

SHA1
cf8daa89a45784a385b75cf5e90d3f59706ac5d5

SHA256
719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

SHA512
91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9405862a3b15dc34824f6a0e5f077f4f

SHA1
bbe0000e06be94fa61d6e223fb38b1289908723d

SHA256
0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210

SHA512
fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
240B

MD5
af4b165af1ef363ac4bd447238ebf29f

SHA1
4c859b71a8a290d0cdf575729fe39dc444585fe3

SHA256
c5accb8de9868be1a813e42dc9c48bbe2ba6009a374f21bda86bebdee6abecc1

SHA512
ccd9b5782811f5fb6e96701691708a9c9ab4a4b2d65f89ca1bf8b1da9f29b8c7e44c06ac28cf8a647288996c8eb0d7886867e47382cac84fca64b9bc444ebaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
199B

MD5
f576751b0af34e0765c805c29bcbf914

SHA1
d43e2132d9df662903f578b5937020a9bfae713b

SHA256
0bca1d375be36c618536d8d1d84397b4f7d6b429cfb4642815f04d1d6b4a7432

SHA512
1cc18dd421341317082fdf20eb30cf11c2bd3db1e1950d8abe5e5e42633c6e6eedb6e573e268bd492b92429268585e2cdd16e054a9dbed0f31345b52d6e7bba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
199B

MD5
8e00824fb9d09bc210acbf6ed0dd9616

SHA1
f77b160cf126974eb1ab247ff78d9d0b34a8718e

SHA256
1aa6a2dddddc2cb702f926f9f6471d4be10f4caebbaeeaf0c88e2c50e866aee5

SHA512
5494c87c620acdb9962294f3fdfb36e6c1f5cfbe817a20ea20731f430ee2ad4ae0c9bcc44b03b83e779db81393bcb5cfd2c727e42191e370868e9889053697c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
199B

MD5
071ecb41ac7cdef05942286dde19de8e

SHA1
f3a1df442f6660b362b81f65e0eeaa124c9e25ee

SHA256
d12ed9b7bfa372ad0fe41ec12f3a27f7cf1b909be2cccbd097eb0fb103fd3b76

SHA512
c06a8afb414cc92bcde5e43f3ebd2d46151950c652f10de54ad23514784c47d1622cfc928e4e9c0cec2d710d05e1c0edaee3566168d17d42a4112cbb0ec493ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
199B

MD5
4ab595fe76895ba4e1f34aad3ec17cfd

SHA1
a3c1d340539ab3060e1e81227c35ba01b61677fd

SHA256
ee6a4ae8c3301fadff3840a3c07baf92e210488f4a68712301d3fa56e847c1a0

SHA512
c7b42b303d3eba6caa6ace60116483321ebaab217175a59a288aef51258af15ab783b960e61b2da1e48b71f63b2cb80fa3770cdae2f33f19edadf54a6f1db6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIrwAdZ66X.bat

Filesize
199B

MD5
8afaa6e805db97bdec1d71d036c8c463

SHA1
3b49f41ec8be0e91888b5cbafae558249638335a

SHA256
773099f770a6e559572d6275d0907207ce06c751b75e9b0e2d2a331419ea8ef5

SHA512
35a2b21ab33d9bf2ab5fa7e00ee41dc2418f7b6237a8a0ce4e7382c4cdef0349da2a2b54f847c51561b791efeac89f7bcbac76971655161da1fcab00fc5275cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
199B

MD5
ae4604daf1bc547bbf9546c84632d18f

SHA1
155c56e2d22cf0881db52ec461d0b764d4da93b5

SHA256
efd84d8dbf2a2df07de12482b77e93efab690cfe0856eaa56336da1852cd0e1c

SHA512
77674549b5c7c521ea790f7c9c76b4d7a05cb810a22bb077c2ef1a78829f8ce645220a87243a75d73b82770ae405f3b46bc6ffac4ed65a3d722986ddac4de1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

Filesize
199B

MD5
99232eddf54283557b9184e6ab4e908c

SHA1
10dabce0ad60f04733576f9b076a0768f655ee17

SHA256
6d37b00d474f9bbd827444c640c706544e0cf35ead3c1f264d21459e2c2a901d

SHA512
06b882579417583f84924b1e2c438eaa84a153aebd38b30302e36b5a12972dae3cdbfa6835222f0e6a6165f2ff6429fa8e68c0fbdd3160a3403c8d31a2127b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
199B

MD5
c6f564fd2e8c825ca0ee7326d8681ada

SHA1
92491ba8509e2207b426a40a3c1c861a32ff5b14

SHA256
0d1df27b4531d5053c2bb541a33ce7f856a726ada596756adca230ce45b5fff9

SHA512
4f3ed3ea987d6bfc761d6a189e04c82e0719e33858df1b469a1feb804553dcd5500a845c7e878b1dbb6a00e97438dfd54ab87930385bd75c03d4657dd83666b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat

Filesize
199B

MD5
b6d851195b1cd16ecd999d87af0a84c7

SHA1
02643546c9cbb027ae43293b71ed33c989ff4196

SHA256
7f90a5fb90b79efbafd961b2d4173581dffc286908b81c66483b40b6c108dd0d

SHA512
c2f3ffbc836b8b39414b4d63ffea99133b5bb663ce55112fe9f8dc3adfeb0c95117f9fce80bf86fecce729973400b157d2d9f91629f8e3aa69994942a1c84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
199B

MD5
5f5d636b242e30b48f2fb2fe8e52af24

SHA1
71665bb108c7433e04e2ecb33d043fb1b58cca7c

SHA256
980709ff98ac00b048407c8b520f94793e81d580afe2bfd7aa2a31fa68d7f66f

SHA512
5b3d80dbe4356a20b1ba85a410ae5d0e4fbb5a44436ae656c93a95cc1a160157ab4ff014af1b5ca77630dcee7e534f0fc00b97f280d74d1a78dd572c731bd2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g33dsxew.5tm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
199B

MD5
07a6f5a59916c9d5d4c6ed10fdee4182

SHA1
f83b258f6d9f6fbbf2ff0c693c24cfdeb0cfc3ae

SHA256
a2e2ec8d73c4def8985d179379f23fd1c93be5d4f2ebe50e58dba48af6564ace

SHA512
d64526592fd4374e18fbc50b106772d3cf790f83e8b379acfd3c16fad24d9b0e78cdd77dd2bc5a8f79cfda62e859785bdf03e68ddc20ae734e32461a0758ddaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat

Filesize
199B

MD5
7d8e766a14d2e7c2d5786a371b6d9d1d

SHA1
fa2c045bdd050ce7b6ff572b3e51059d31b5e33c

SHA256
e9366955ce40a5ce079012d18f04bae80d78961603c9d381505630d5109d63ca

SHA512
0cc8bf39611eaa05bf507534a90e62560f9254b44dd13a207bcf4f5b92e23e0fa4819f1390519ebca8159207465e166c76f62bb5308ae6b56991491e3c01735e

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
199B

MD5
ef06a6b2071ed707b4ec1976bd19fb39

SHA1
10053dcf5d31a7185563378090126c372e674061

SHA256
6de09f6f01d223d7cab33b90a863aa22ea90d432f495283b15f95bac1e28373b

SHA512
a60d6f94e33a771d0e909298be0b653155be1c03b21174909eae8876123d889eaadad5a8e3eb12b63b132f6e30f4dc3cdb013c1c7ac4b903fa5d4c9ac8dfe7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
199B

MD5
767505aa8d47253eec261fad8aaeb822

SHA1
5684118a6f74bc9b5b6a72fdd66916024ed03093

SHA256
e1ac0faae7112d681140e90d3fb3c3c6a399a82998d906d05378aacc8a527be7

SHA512
7c24b64b40058f004c046746d6e1980301be00a39dafb33f65f80e2a6c1ecd583b5badceb344b2f01b39d4efc50b68f3dcf35d9261b58afedc06ffccf34c1efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
199B

MD5
868a8f02473dd130a10bea523aa4c84d

SHA1
21241453de6fb04a123bfb6cf7d58e1a80507424

SHA256
f8abbf21fabfbaed3509dc412497a9deb094c88cbbab324700bbb8f549736480

SHA512
fe64a94fca12b74ceca8fa8a64b96efb89d56ce3c7fbdd7f4fe0c309e4382e7a4b309dfddc16194881fcc4b60004c86c72fcb53c7d257acb339efbe3924c1f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

Filesize
199B

MD5
220f4101bd817f47646c0e917f5e65a8

SHA1
aff04d0ded0dd5f2212121316f0afebbee815bea

SHA256
8a22c05c40054b12e7498871dc2e8629d1ff6340bbbc295d86e4e9bfe7435d7d

SHA512
07e71c6d586dd0f7138b1d210a6b2064e65d8d621bf121f29b397030694aecae7d06a1bfe2a707e5f26a34a8394316330dbe0c9cad04f8d95916cbda8cc09e2c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/744-368-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download
memory/744-373-0x000000001BBC0000-0x000000001BCC2000-memory.dmp

Filesize
1.0MB

Download
memory/1248-53-0x000001AC500F0000-0x000001AC50112000-memory.dmp

Filesize
136KB

Download
memory/1308-158-0x0000000001430000-0x0000000001442000-memory.dmp

Filesize
72KB

Download
memory/1372-403-0x000000001BED0000-0x000000001BFD2000-memory.dmp

Filesize
1.0MB

Download
memory/1468-380-0x000000001BB20000-0x000000001BC22000-memory.dmp

Filesize
1.0MB

Download
memory/1620-365-0x000000001BCB0000-0x000000001BE1A000-memory.dmp

Filesize
1.4MB

Download
memory/2076-388-0x000000001C3D0000-0x000000001C4D2000-memory.dmp

Filesize
1.0MB

Download
memory/2076-383-0x0000000002F20000-0x0000000002F32000-memory.dmp

Filesize
72KB

Download
memory/2444-450-0x00000000012C0000-0x00000000012D2000-memory.dmp

Filesize
72KB

Download
memory/2464-410-0x000000001C300000-0x000000001C402000-memory.dmp

Filesize
1.0MB

Download
memory/2896-17-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/2896-16-0x000000001AE70000-0x000000001AE7C000-memory.dmp

Filesize
48KB

Download
memory/2896-15-0x000000001AE60000-0x000000001AE6C000-memory.dmp

Filesize
48KB

Download
memory/2896-13-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2896-12-0x00007FFCFCD53000-0x00007FFCFCD55000-memory.dmp

Filesize
8KB

Download
memory/2896-14-0x000000001AE50000-0x000000001AE62000-memory.dmp

Filesize
72KB

Download
memory/3060-391-0x0000000001140000-0x0000000001152000-memory.dmp

Filesize
72KB

Download
memory/3060-396-0x000000001BF70000-0x000000001C072000-memory.dmp

Filesize
1.0MB

Download
memory/3708-417-0x000000001C310000-0x000000001C412000-memory.dmp

Filesize
1.0MB

Download
memory/3888-358-0x000000001C100000-0x000000001C202000-memory.dmp

Filesize
1.0MB

Download
memory/3888-353-0x0000000001560000-0x0000000001572000-memory.dmp

Filesize
72KB

Download