dcrat | 7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Size

1.3MB
MD5

a4106fa2800a9cd95a6d945c73a0e593
SHA1

5ea1b38b8ceebc411729307e935b722f0ab97487
SHA256

7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf
SHA512

0d16cac3d2ff5ab32dc6c56aef4179761db2dcb72a95a369ccefbc5312754a3e1a3cfabbc33a70feb85a595a75a731d2d960748d284a30aaf7858b0a852253b4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3608	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b63-9.dat	dcrat
behavioral2/memory/876-13-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1184	powershell.exe
4348	powershell.exe
2388	powershell.exe
3032	powershell.exe
3328	powershell.exe
4888	powershell.exe
3444	powershell.exe
3716	powershell.exe
956	powershell.exe
4204	powershell.exe
740	powershell.exe
4916	powershell.exe
1908	powershell.exe
2812	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 15 IoCs

pid	Process
876	DllCommonsvc.exe
2576	Registry.exe
2736	Registry.exe
2940	Registry.exe
4936	Registry.exe
3236	Registry.exe
1268	Registry.exe
816	Registry.exe
3096	Registry.exe
2936	Registry.exe
1972	Registry.exe
4264	Registry.exe
4904	Registry.exe
4100	Registry.exe
3976	Registry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
12	raw.githubusercontent.com
21	raw.githubusercontent.com
37	raw.githubusercontent.com
52	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
51	raw.githubusercontent.com
50	raw.githubusercontent.com
13	raw.githubusercontent.com
36	raw.githubusercontent.com
38	raw.githubusercontent.com
48	raw.githubusercontent.com
42	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicyUsers\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\System32\GroupPolicyUsers\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\System32\GroupPolicyUsers\RuntimeBroker.exe	DllCommonsvc.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\sysmon.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Tasks\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\121e5b5079f7c0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2156	schtasks.exe
1600	schtasks.exe
1484	schtasks.exe
1204	schtasks.exe
3920	schtasks.exe
2320	schtasks.exe
3744	schtasks.exe
4216	schtasks.exe
5104	schtasks.exe
4080	schtasks.exe
3104	schtasks.exe
4604	schtasks.exe
4964	schtasks.exe
3240	schtasks.exe
4816	schtasks.exe
1720	schtasks.exe
1588	schtasks.exe
4892	schtasks.exe
3480	schtasks.exe
4592	schtasks.exe
1920	schtasks.exe
3888	schtasks.exe
4400	schtasks.exe
2504	schtasks.exe
2960	schtasks.exe
4924	schtasks.exe
1188	schtasks.exe
2208	schtasks.exe
536	schtasks.exe
2724	schtasks.exe
5100	schtasks.exe
4904	schtasks.exe
4708	schtasks.exe
4352	schtasks.exe
3060	schtasks.exe
3148	schtasks.exe
1884	schtasks.exe
880	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
3328	powershell.exe
3328	powershell.exe
740	powershell.exe
740	powershell.exe
2812	powershell.exe
2812	powershell.exe
4204	powershell.exe
4204	powershell.exe
1184	powershell.exe
1184	powershell.exe
3032	powershell.exe
3032	powershell.exe
1908	powershell.exe
1908	powershell.exe
4348	powershell.exe
4348	powershell.exe
3444	powershell.exe
3444	powershell.exe
4916	powershell.exe
4916	powershell.exe
956	powershell.exe
956	powershell.exe
4888	powershell.exe
4888	powershell.exe
2388	powershell.exe
2388	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
2576	Registry.exe
2576	Registry.exe
740	powershell.exe
2812	powershell.exe
3328	powershell.exe
4204	powershell.exe
956	powershell.exe
4916	powershell.exe
1184	powershell.exe
1908	powershell.exe
2388	powershell.exe
3032	powershell.exe
4888	powershell.exe
4348	powershell.exe
3444	powershell.exe
2736	Registry.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	DllCommonsvc.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2576	Registry.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	2736	Registry.exe
Token: SeDebugPrivilege	2940	Registry.exe
Token: SeDebugPrivilege	4936	Registry.exe
Token: SeDebugPrivilege	3236	Registry.exe
Token: SeDebugPrivilege	1268	Registry.exe
Token: SeDebugPrivilege	816	Registry.exe
Token: SeDebugPrivilege	3096	Registry.exe
Token: SeDebugPrivilege	2936	Registry.exe
Token: SeDebugPrivilege	1972	Registry.exe
Token: SeDebugPrivilege	4264	Registry.exe
Token: SeDebugPrivilege	4904	Registry.exe
Token: SeDebugPrivilege	4100	Registry.exe
Token: SeDebugPrivilege	3976	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3808	4856	JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe	83
PID 4856 wrote to memory of 3808	4856	JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe	83
PID 4856 wrote to memory of 3808	4856	JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe	83
PID 3808 wrote to memory of 1344	3808	WScript.exe	85
PID 3808 wrote to memory of 1344	3808	WScript.exe	85
PID 3808 wrote to memory of 1344	3808	WScript.exe	85
PID 1344 wrote to memory of 876	1344	cmd.exe	87
PID 1344 wrote to memory of 876	1344	cmd.exe	87
PID 876 wrote to memory of 1184	876	DllCommonsvc.exe	129
PID 876 wrote to memory of 1184	876	DllCommonsvc.exe	129
PID 876 wrote to memory of 4888	876	DllCommonsvc.exe	130
PID 876 wrote to memory of 4888	876	DllCommonsvc.exe	130
PID 876 wrote to memory of 3444	876	DllCommonsvc.exe	131
PID 876 wrote to memory of 3444	876	DllCommonsvc.exe	131
PID 876 wrote to memory of 3716	876	DllCommonsvc.exe	132
PID 876 wrote to memory of 3716	876	DllCommonsvc.exe	132
PID 876 wrote to memory of 4348	876	DllCommonsvc.exe	133
PID 876 wrote to memory of 4348	876	DllCommonsvc.exe	133
PID 876 wrote to memory of 956	876	DllCommonsvc.exe	134
PID 876 wrote to memory of 956	876	DllCommonsvc.exe	134
PID 876 wrote to memory of 2388	876	DllCommonsvc.exe	135
PID 876 wrote to memory of 2388	876	DllCommonsvc.exe	135
PID 876 wrote to memory of 4204	876	DllCommonsvc.exe	136
PID 876 wrote to memory of 4204	876	DllCommonsvc.exe	136
PID 876 wrote to memory of 1908	876	DllCommonsvc.exe	137
PID 876 wrote to memory of 1908	876	DllCommonsvc.exe	137
PID 876 wrote to memory of 2812	876	DllCommonsvc.exe	138
PID 876 wrote to memory of 2812	876	DllCommonsvc.exe	138
PID 876 wrote to memory of 4916	876	DllCommonsvc.exe	139
PID 876 wrote to memory of 4916	876	DllCommonsvc.exe	139
PID 876 wrote to memory of 3032	876	DllCommonsvc.exe	140
PID 876 wrote to memory of 3032	876	DllCommonsvc.exe	140
PID 876 wrote to memory of 3328	876	DllCommonsvc.exe	141
PID 876 wrote to memory of 3328	876	DllCommonsvc.exe	141
PID 876 wrote to memory of 740	876	DllCommonsvc.exe	142
PID 876 wrote to memory of 740	876	DllCommonsvc.exe	142
PID 876 wrote to memory of 2576	876	DllCommonsvc.exe	156
PID 876 wrote to memory of 2576	876	DllCommonsvc.exe	156
PID 2576 wrote to memory of 5060	2576	Registry.exe	159
PID 2576 wrote to memory of 5060	2576	Registry.exe	159
PID 5060 wrote to memory of 1876	5060	cmd.exe	161
PID 5060 wrote to memory of 1876	5060	cmd.exe	161
PID 5060 wrote to memory of 2736	5060	cmd.exe	168
PID 5060 wrote to memory of 2736	5060	cmd.exe	168
PID 2736 wrote to memory of 3808	2736	Registry.exe	176
PID 2736 wrote to memory of 3808	2736	Registry.exe	176
PID 3808 wrote to memory of 2524	3808	cmd.exe	178
PID 3808 wrote to memory of 2524	3808	cmd.exe	178
PID 3808 wrote to memory of 2940	3808	cmd.exe	180
PID 3808 wrote to memory of 2940	3808	cmd.exe	180
PID 2940 wrote to memory of 1540	2940	Registry.exe	185
PID 2940 wrote to memory of 1540	2940	Registry.exe	185
PID 1540 wrote to memory of 4724	1540	cmd.exe	187
PID 1540 wrote to memory of 4724	1540	cmd.exe	187
PID 1540 wrote to memory of 4936	1540	cmd.exe	189
PID 1540 wrote to memory of 4936	1540	cmd.exe	189
PID 4936 wrote to memory of 4428	4936	Registry.exe	191
PID 4936 wrote to memory of 4428	4936	Registry.exe	191
PID 4428 wrote to memory of 4964	4428	cmd.exe	193
PID 4428 wrote to memory of 4964	4428	cmd.exe	193
PID 4428 wrote to memory of 3236	4428	cmd.exe	195
PID 4428 wrote to memory of 3236	4428	cmd.exe	195
PID 3236 wrote to memory of 3168	3236	Registry.exe	197
PID 3236 wrote to memory of 3168	3236	Registry.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\GroupPolicyUsers\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
    - - C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1876
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2524
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4724
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4964
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
        14⤵
        
        PID:3168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4200
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        16⤵
        
        PID:4424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1396
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        18⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3092
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        20⤵
        
        PID:4020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3200
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        22⤵
        
        PID:4072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4012
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        24⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2088
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        26⤵
        
        PID:3780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:956
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        28⤵
        
        PID:4424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:944
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        30⤵
        
        PID:4496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4552
        
        C:\Recovery\WindowsRE\Registry.exe
        
        "C:\Recovery\WindowsRE\Registry.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
        32⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\GroupPolicyUsers\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\GroupPolicyUsers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\GroupPolicyUsers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\reports\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
104B

MD5
2f5cdf236d0c385147196beb516eb395

SHA1
4d4d6438705491079767cbdbec09b58b1d8d9c8b

SHA256
823735d1064079839ba7a3816d86ed592307d748f1ce95320f8b3389c11cf166

SHA512
dafe9400819b91f458627deb34a1a550cc7c9252911ce67d8a1ea687477f8eda42c1d92e0ac0c64ed47f11c4089342c9c50843e4e36e50b00ab37b5256a04302

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
199B

MD5
a94ad22bb07792a3e5bd51cf9a1b3a46

SHA1
5ee3b9a462e19e15acbab8796f56c9aa8420dbc2

SHA256
f0aee7c1ee8904e6f3c5b7ea99966788260aefaa7d9302eadf269f8567acc735

SHA512
79497ba6ddba2f821fde733daeab7b5551afd1e8498b0df539ec4bacc3d0becc9a5c33f12689f540072f43261e848f9cdcf1aba28b650fdc4f0140f524fde3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat

Filesize
199B

MD5
0b5e90e6cfd43f123c6dc867d5eb8d98

SHA1
09f072cd9bad60d8856ab63ab14328acd72a6e0e

SHA256
3bebcf96aef663be762e7ff8012e7cffc1440592dc998561e54639132ddc802a

SHA512
bff01a3c791a4becefd6f9e5bc1ea3c162c47c7953e12e2e7a4d2a85ce1fa17ca60f08d799fbb30537287222af92e87a8c39e216067f76d306b807b9100bfa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
199B

MD5
218208337c199c38a74e34754b744f89

SHA1
9c50491697d96e52851ebcc56fde5267080b9cf2

SHA256
dbf5c73aab697d85e5fb54aa7980ec118408826086418205a0089b1f62baf017

SHA512
31136d01d1e7643e89d6850e9b1226c161e822c4019d69bd4852a36bd0765699737056adcac342adcbb751ac14c88cdc8f5a142bf0f4b37b6a3e2ea25b7a03d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
199B

MD5
f5dea2a648e0747017495394f346f6f7

SHA1
ced1039accf524bbe9ec84b4f78fd0108990ad5a

SHA256
ca6462b503f55dd0fe5e62648736de13eaa5486c5d0dfdd015b316ad0e268696

SHA512
c86c8d73ff193c210cf4e2cacc83ae66496c22f39794c766b043388b5266c9446259a39836587365d28b60e9effcd4790276dafd33abd7943394e6167bfecded

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
199B

MD5
da0e03fc4bcae144c42e254bdba1957c

SHA1
ca3efd4879883ed3a2a2b3b886be6ca1f34a07c8

SHA256
b9cd84f1b2883fea75461c3a99a97974a4c347a70117ab497412399a7060ccef

SHA512
633a3505116de9fc310cdc6ad66c8a2123b89b62f7ac9fd0e3b1fa675178a44fd3daafb5a47408dc406f036ce7b74618bded59b0958de3b0cc2253bb806aae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
199B

MD5
298dc34a190e87260165a1c0028603cf

SHA1
0f26842d6af035f22fd1cd4ec7529f3fe8c47a7e

SHA256
2ef72e1cb3860a2eb72625c9c6ca090faac2224f4241460858914ede12827686

SHA512
3647a9189212a8fcd92d5e1b7c22b44d21e872192050454f5b0ac442e7d51e4e0e6e5c409d500b952609437f2117ac3f48b85385bfe5fc86aeb84cc69be64b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
199B

MD5
57842a1ca098e6e4d89748f200a1d7b9

SHA1
75c40f62b0455e5fe56b01fcdf856d353fe71d5d

SHA256
783ab6b223d9324a1539bbcd425caf0a7b48f442d82374515e40c31c54038254

SHA512
234f6bbdde1df45cdde6710d0fb5996f621d5cafc1a7f6247b51a7d24e5c64e0f6b35fecc32c5210b58b31016c5825a0c0c9189b0430d49df3caddf6e60a21da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
199B

MD5
703b8d767603785c8fbcc6ee885134ce

SHA1
6fd6d3bceb3ed3ab233a56abd9a998ff27e83d5d

SHA256
7b776faa71030f2b73db388dc88dbaca18eb77d7bcace8b6aeceba7602991f65

SHA512
3fa6573b95d30d61a4e68ed9ba0f12f205dc34d72f4f9fb049e5357636376104390280097310c994b8e6515494e2c2577fdca82abaa4e999728b90b9e5ca5845

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdwhzidg.mmv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
199B

MD5
958ad350fda951adac9782415f7de747

SHA1
5fed3bb0f1f2850263dafbe289f24b0e71681eb2

SHA256
9e04ab5c66175c32652ae0a3036bbcbbd78d43e9a6d42eff7077a1318c3913a9

SHA512
8c09b8dedc289f05908ecf4d2a727d3f3e436a20861b673ae5587567b7fa4c7502794eb3dbef7f40c7a4bd784d4de18c573817b7d0556bda19add590f85b4c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

Filesize
199B

MD5
a8fd525e2dbb5ffcb9a8b3bf95efefe8

SHA1
813009058ac04ebcf53d3386a819e79f569886cb

SHA256
9cfb7deb23192fc525449e7fbb94c415c6280912a13e5acfb92ed387e81d1776

SHA512
264db00bd7a52d54acccaa1710dd63f554a29c6a075b57c345d9ac0a4bc93e3dfa66130c64d40aa15ea3a2de05df43c5b0af389bbc08a08e35e2bd925e1a747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
199B

MD5
e99988c64df027095320887a33b82f44

SHA1
597d925c0c816df16f4a37b3806e78e2dae9e20b

SHA256
21d9761449d46f7c6fc32fe379490c2687a679608cfb51597af674a8cc6b5185

SHA512
2acaa813ceb3a4cf5c02a680efd5c04ef13d45f0d4ba09543320e73879afd48ec09d06c0f94836ea7ad6c4477261f61faec0d6927d015407aa8768459442e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
199B

MD5
c89ab037f23a4a3e4c2f4ea8df2725c4

SHA1
620b8b69d316cefd396fa319a193951873cf83d3

SHA256
ff8eb08558efdf16bdbd52d7b70fc3198e6fbe3e9cfb6fff53ed8d79a89a24f4

SHA512
dec8f8b441b1db3d4a255ccda0eb938be7f8663468ad3254276439453bbfe5952d11b230fa0bcbe0cdde4c21363c5688760db97d16f5a0a8deaf983099f16574

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
199B

MD5
bfdd7ba7294ca1ef0750fd9b0aadc23c

SHA1
1e76fe971c283f47e9fd924eebad20191996838f

SHA256
c7572c5d8e48379fb03d327cea6026722cef81d2b20cb2c1e9dee1593ad03971

SHA512
f3a52c002aeceff4b311f19952b41184fa6e9bb84d53a43da63daa473b79a1f258e7ca3b9f98d3d552b612eb2b66d196d8287390111767f484730d45b2c57e20

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/740-64-0x000002466D290000-0x000002466D2B2000-memory.dmp

Filesize
136KB

Download
memory/876-15-0x0000000002620000-0x000000000262C000-memory.dmp

Filesize
48KB

Download
memory/876-12-0x00007FFAC87D3000-0x00007FFAC87D5000-memory.dmp

Filesize
8KB

Download
memory/876-17-0x0000000002610000-0x000000000261C000-memory.dmp

Filesize
48KB

Download
memory/876-14-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/876-16-0x0000000002600000-0x000000000260C000-memory.dmp

Filesize
48KB

Download
memory/876-13-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-155-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/2736-221-0x000000001BCD0000-0x000000001BE3A000-memory.dmp

Filesize
1.4MB

Download
memory/2736-216-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/2940-224-0x000000001B090000-0x000000001B0A2000-memory.dmp

Filesize
72KB

Download
memory/3096-256-0x00000000011B0000-0x00000000011C2000-memory.dmp

Filesize
72KB

Download
memory/3236-237-0x00000000014B0000-0x00000000014C2000-memory.dmp

Filesize
72KB

Download
memory/4100-289-0x0000000002B20000-0x0000000002B32000-memory.dmp

Filesize
72KB

Download
memory/4264-275-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4904-282-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download