dcrat | 504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe
Size

1.3MB
MD5

ee2939e6b43088446c1cea11b1d260b4
SHA1

6ec0bbd3429a763f74a412c1ada9b87a931a31ac
SHA256

504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4
SHA512

34eae169d468692c5c7971eb99b6f00f6943e0122ada5c37f820abf4c4872de903e93810081e3f4adc357b29e7da9d13a1962de423ead5d98d1a3b734d69fadc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCz:UbA30GnzV/q+DnsXgl

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2564	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d5d-12.dat	dcrat
behavioral1/memory/2768-13-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/1736-98-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2792	powershell.exe
2760	powershell.exe
2696	powershell.exe
2544	powershell.exe
588	powershell.exe
2560	powershell.exe
2708	powershell.exe
2536	powershell.exe
2148	powershell.exe
2976	powershell.exe
3024	powershell.exe
2908	powershell.exe
2772	powershell.exe
2588	powershell.exe
2584	powershell.exe
1996	powershell.exe
3012	powershell.exe
1324	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	DllCommonsvc.exe
1736	Idle.exe
2480	Idle.exe
2712	Idle.exe
2556	Idle.exe
1380	Idle.exe
692	Idle.exe
988	Idle.exe
2932	Idle.exe
876	Idle.exe
3048	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\DISM\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\DISM\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
408	schtasks.exe
2388	schtasks.exe
2832	schtasks.exe
824	schtasks.exe
1728	schtasks.exe
828	schtasks.exe
1284	schtasks.exe
2360	schtasks.exe
2596	schtasks.exe
2836	schtasks.exe
1392	schtasks.exe
1184	schtasks.exe
1020	schtasks.exe
3028	schtasks.exe
1028	schtasks.exe
2248	schtasks.exe
2644	schtasks.exe
2400	schtasks.exe
2520	schtasks.exe
1308	schtasks.exe
540	schtasks.exe
2120	schtasks.exe
1352	schtasks.exe
1716	schtasks.exe
2504	schtasks.exe
2500	schtasks.exe
3056	schtasks.exe
284	schtasks.exe
2972	schtasks.exe
780	schtasks.exe
1560	schtasks.exe
1972	schtasks.exe
656	schtasks.exe
876	schtasks.exe
2880	schtasks.exe
1048	schtasks.exe
1940	schtasks.exe
1616	schtasks.exe
1704	schtasks.exe
712	schtasks.exe
1684	schtasks.exe
2404	schtasks.exe
2888	schtasks.exe
904	schtasks.exe
2164	schtasks.exe
296	schtasks.exe
1380	schtasks.exe
2176	schtasks.exe
2992	schtasks.exe
1572	schtasks.exe
2324	schtasks.exe
992	schtasks.exe
2356	schtasks.exe
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2792	powershell.exe
2584	powershell.exe
2544	powershell.exe
3012	powershell.exe
2760	powershell.exe
2908	powershell.exe
2588	powershell.exe
2148	powershell.exe
1736	Idle.exe
2536	powershell.exe
3024	powershell.exe
2860	powershell.exe
2772	powershell.exe
588	powershell.exe
2708	powershell.exe
2696	powershell.exe
1996	powershell.exe
1324	powershell.exe
2560	powershell.exe
2976	powershell.exe
2480	Idle.exe
2712	Idle.exe
2556	Idle.exe
1380	Idle.exe
692	Idle.exe
988	Idle.exe
2932	Idle.exe
876	Idle.exe
3048	Idle.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	DllCommonsvc.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1736	Idle.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2480	Idle.exe
Token: SeDebugPrivilege	2712	Idle.exe
Token: SeDebugPrivilege	2556	Idle.exe
Token: SeDebugPrivilege	1380	Idle.exe
Token: SeDebugPrivilege	692	Idle.exe
Token: SeDebugPrivilege	988	Idle.exe
Token: SeDebugPrivilege	2932	Idle.exe
Token: SeDebugPrivilege	876	Idle.exe
Token: SeDebugPrivilege	3048	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2736	2056	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2056 wrote to memory of 2736	2056	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2056 wrote to memory of 2736	2056	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2056 wrote to memory of 2736	2056	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2736 wrote to memory of 2896	2736	WScript.exe	31
PID 2736 wrote to memory of 2896	2736	WScript.exe	31
PID 2736 wrote to memory of 2896	2736	WScript.exe	31
PID 2736 wrote to memory of 2896	2736	WScript.exe	31
PID 2896 wrote to memory of 2768	2896	cmd.exe	33
PID 2896 wrote to memory of 2768	2896	cmd.exe	33
PID 2896 wrote to memory of 2768	2896	cmd.exe	33
PID 2896 wrote to memory of 2768	2896	cmd.exe	33
PID 2768 wrote to memory of 2792	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2792	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2792	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2760	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2760	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2760	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2908	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2908	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2908	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2696	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2696	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2696	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2772	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2772	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2772	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2560	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2560	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2560	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2588	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2588	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2588	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2708	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2708	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2708	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2536	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2536	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2536	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2544	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2544	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2544	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2584	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2584	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2584	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2148	2768	DllCommonsvc.exe	100
PID 2768 wrote to memory of 2148	2768	DllCommonsvc.exe	100
PID 2768 wrote to memory of 2148	2768	DllCommonsvc.exe	100
PID 2768 wrote to memory of 588	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 588	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 588	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 1996	2768	DllCommonsvc.exe	102
PID 2768 wrote to memory of 1996	2768	DllCommonsvc.exe	102
PID 2768 wrote to memory of 1996	2768	DllCommonsvc.exe	102
PID 2768 wrote to memory of 2860	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2860	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2860	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2976	2768	DllCommonsvc.exe	104
PID 2768 wrote to memory of 2976	2768	DllCommonsvc.exe	104
PID 2768 wrote to memory of 2976	2768	DllCommonsvc.exe	104
PID 2768 wrote to memory of 3024	2768	DllCommonsvc.exe	105
PID 2768 wrote to memory of 3024	2768	DllCommonsvc.exe	105
PID 2768 wrote to memory of 3024	2768	DllCommonsvc.exe	105
PID 2768 wrote to memory of 3012	2768	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe
"C:\Users\Admin\AppData\Local\Temp\504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        6⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2056
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
        8⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2624
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        10⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1912
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        12⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1796
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        14⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2892
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        16⤵
        
        PID:680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1776
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        18⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1812
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        20⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:316
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        22⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2936
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        24⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DISM\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DISM\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53f01a3265c437816362242d4df81fbb

SHA1
2b4d8cc2d05108d9bdcf27e52f25bacb93a33cca

SHA256
cfff1e56c6c27981b460ba82f47f6f10decd8d0c7b3aa7ea58661f45fd44a69b

SHA512
184084a227014c3cc652844f3bb67ebec1f3f8378a0662ab2db68b6c30d94b49915a158d23fbce621cf28498973718b04e87db60eb3cf61c8a004aea988875c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4285a0f9e6958ab998aaf0c297f2b55a

SHA1
9fcfe664e5526a39101fa5737167e28e2874c0ae

SHA256
a3c8bd03eede5b1edca1c9154f71a81c9fd64ea5470d97ab29829b2319497df4

SHA512
52c6f7a6a9c1dbba644865d758603c4369605ac44ed892bc4dadefecaa4c304d40a69fc2111445d5af1a1396ed220f7d2345207acc42922850519332bfd2ccca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ea0989fec0855ccbe99924439cae497

SHA1
75113fc2354470859ff218f0dbc4cab584df8d6d

SHA256
0ee77a61ad61da8d2bd656e262b792efe77ad97dfb693a548e509199dadd7139

SHA512
c76ffffaa7a59398276f866c19d52743c7e348c4d17c29b10f53b4c3d85d59540fe65b0355c76ae10d85672234dc4acc3a361a5b9f3dc58b981ee87f2b2f4af8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e38885deb1837c618b724b8b3992fb3

SHA1
62506f0aa7f3fad39894d1cf4907c07d9c33745c

SHA256
9eeeca0c5f85b912267bc1b2db44e368c9f411c6adaf46ccfb5902680b953d96

SHA512
6e58a9f87ae120451270f29427a32cef4662dd8bd8a6b6bbb12f7d5a2ea2b41c857d500fa14ece316a8d0e3bbd2ef6181000589897e408669d12b261cfce1e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0f3eaefedc434ffb0136ace07063184

SHA1
24dc587e9a4c2b77264f63faa5469e6b90aad1e4

SHA256
579cbd36081cab831f9ad561a8e76570e4464ce2f44f6105d38c913e66a5d0a1

SHA512
e069a09d4ca51289c4d18e6fd9c92355c74b290583680ab125bd3997ab57bc6ad430a72297fed9eaadd1f099f75eed19d5761c5bd638dd45372d684402beaa29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbc4120b0d1014b614bcbab8a036361b

SHA1
2770db72857a4e58cc5be0c3adfe0da620f00dc7

SHA256
21e014c23f1d66c3698c010216df2d434626a204da7021d1ae2cb95abff6ce7b

SHA512
9e8703b2148be6a4a111c1f3b1a107c927cc222550a0f7665ca4fff395cf522f39046ba8e9ac092c24d26e908f19eb77041dc548047bdc519ba8102f5058253e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
147403367dc36b3dae7c18ff13e6be4d

SHA1
52dac57faf03baaf991244ae1eb84ae1c29a7d7c

SHA256
be5fda7f25257f098fe133afa45555893ae7a54e4a9dcbbc2613dd4e4b304a1a

SHA512
b41e78b5d82d852369f9ea7c8ef40970aa966c2ef9f0977528c77abaaa961b7096c33e637baa397f538ee7827462b0bbb6c80c8baa77f92da16a4eaa47677ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92579f18225cfcdd13fb08b8a5a6b299

SHA1
47ff87846a972cbaf2e0d3eea4e206b5450a3276

SHA256
b6d1b5e9e59a474cd9ff696b399e8d3fb3349157f0a92ba97081c506cac8ff9f

SHA512
1a2fd80436237e5a1c4d533d5423d1f93b888ba9617fecd4d2abea1cbac1a253b2e2a80b1cb2de993cdfe8dacdd615dbc844b60591dfe051d0836a5272d80c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e42b41017da303d919643d292272f9a0

SHA1
75802ff91ae2a4a09902cec7912ff14c8e28031c

SHA256
ab3506ec6ebdcabe4186c21f30dae702b8400a6c1b297cb8b060b8d73a3e7fc7

SHA512
f662f65dabbf297f82d25446d55e4c93c5705db337e19aa34690ee2655772407eaa38a3c8bea7be8a3b0662d5167bfcc933a1e6e30dd43aebfe362ff02e13b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
236B

MD5
1bbcc46095dbbf913d59f6a3807e2730

SHA1
3690af208681165fa24b1560b2c6a8086246caf5

SHA256
b90dd6354a13e34be42b2669f32e8be6c88cbb9ae454ffc06353b8f3883cad94

SHA512
4aee6b2488224dd752b4af4527395143c2bdca8ae08cd1054b0a79ebd0b864f9c468e567dd85a419c4f0435d63f043a072f6ddbf7826c2ef6257d6b4b3e9ab0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E1D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat

Filesize
236B

MD5
d8d96959c52df1b686d0dbb01b060468

SHA1
6e42abce5e279ae5aaedaace07852167d0b5e0bf

SHA256
009df2cf4026fbfa6e7e0230216270d6b320429ac37f137ea9600d1e5fa64d6e

SHA512
3f00521406614af0ce01eefcf6f3e0270b53e6b1cbc8873df1a85aae4e3480ce16a4d6d98136cf46eea88070be916f4eb5748d53885932eb73ef2d958271d968

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
236B

MD5
b2c9380d9919d2fb6b77227fdf9933f0

SHA1
5ec9488eddf3f61638979a8b968cfefbd8a2dcf6

SHA256
a29af6b75947e59fc5efa0d59fd9bf54cffaed4c0aa788389a9edb0d9853c67f

SHA512
7b2d92b0566123847a75df110fa16a971738d200ef24f4890c78971444ebbde326b7a19e8b042e8e2eac811fdd78f536fe6552e06ad3d2d3f981b43aa2d215f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E3F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
236B

MD5
986994b1cf03c0d75fa56482dd2bf831

SHA1
c5eceea3f58b5f7f429b5d39fa61aaacbcc6eb01

SHA256
48fba194768c774c62fdc45cb6e3c99a169dfd9e26cf059c63a107341850b9a4

SHA512
6c6ba09ae327e8b91e1fab654a941ce05413ba88ae1183a40cd701ec003d637e4a1f1a63125dd10dbf7a9352e001cc1114c941e92444eda081e24db9f80c14eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
236B

MD5
2fb9d1b7aab24b1844d089b25169ba7f

SHA1
529fe6764b33e3d9953572b25f192ba7b8c0c767

SHA256
09779626bbbf56965f14a5be60b546e47557049e80907a36af478a13abda6a8a

SHA512
1d898f3c4bfdd9f418576720c66bf58091779a339d9f86ccddcb171d7fd208089340db371fc93d31870d4cbcde62555775013910d0e84f5644b6d5ae7f3c4691

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
236B

MD5
6e6f45e99fd01ee157200ee4123c5d48

SHA1
c1f6b5394668efdeef7c732126def6381ec158da

SHA256
548b7c2b2de1270ba302c07a32d73865681cf63d33693b5d2944b508274d02d6

SHA512
6139837ecd44bf18d64f8ddef0b0cbcd5ffd8e42ca5d26be3ebc0df782e3616f720503acfcfae3f17ac5f79974b32d960dc129e20bb9945549b9451c87702f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
236B

MD5
2d3f1a74db0183c17b7359bd2b0509ee

SHA1
e22015c806cb919bd760a273cbe837d91e866e50

SHA256
731c75620395baaaeea45c34ea9e6336944ecb8a1babb05c6314723f901f9afd

SHA512
c5fe4b0e137fb2e236ccb4c1901c9101b0e59a37ac9620ed01ddaab056d967a076d230ae96b508a9dde83d2e67bfe01d418eaa75f3d937b26cb7836e3d691b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
236B

MD5
369dc5bc1d1b577136883c5c2c9ad2fe

SHA1
e430a43a8a202f0b938a7652b5585fca4a91c480

SHA256
1c71ec51885fd2318cad49dab270de7b571e5ba6496066464ece616dc88536a5

SHA512
e965fb7ef01b2f8c474366855747189b26ec6a2d644083603a70fd7a032d94cfce7b818c043d160ff18ac9437e7826d551603f247002f1aee15652490e12d17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

Filesize
236B

MD5
84f9135b6632ccd0f629a0f3daad1dbb

SHA1
a1aa5ec133afb0705194c572f3e8e4a22ea88a86

SHA256
5b17ef809c382ee8f9b306b7c0f7d39ae974607964a014207f609b27614430e0

SHA512
d0ee8f556d3f11c7983c057f26b45cadcd6671cbb9c711db14eaef447d40e2dc7c5228913ef50ca951dea3a4676378c735e627796a54b9d4dae06978cf4cbeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
236B

MD5
b01e8e15a44003a4413d0f555faf76a7

SHA1
5cc8992874615b9aa858613f5bd327f83eed86ec

SHA256
df8aa1d4bce4d63e69ca98b11d9c58bf582ef4f3306a71898e2e0a54ed22bcd0

SHA512
f7931134047f851fc2dbc2c632c9a36cde49418dc29d547f5c6c8bd95ba6da81c91ac2ac6cd64e47bd7080af1cadc4646a1082cf9617683c77039e13a6b221db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
59eb6698118507c9c3bea7bd0f01c3b5

SHA1
1fde5816c55dd4502352b4081771420b282a2b4f

SHA256
a4bb797114f617f111e76f9fa7f36dbb14b4afb87f8f74b56283c34cbd16d50a

SHA512
1cd02878367fcf1934375c6184834c9ec0c85528693f8e2938e04033ecc736ddedc720535f7fdc17df4ffef504a8bca0559a2ff7af2ccc016ed37bb801e90355

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/692-443-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/988-503-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1736-148-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1736-98-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2768-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2768-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2768-15-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2768-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2768-13-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2792-66-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2792-81-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2932-563-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download