dcrat | b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 00:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe
Size

1.3MB
MD5

8d09eef929457f7558e0f63f01cf9618
SHA1

9d04541cfd277e814501b1b8223e070849beb38d
SHA256

b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903
SHA512

81193543540b61a850c2d42177d5be93738df61e2569fa6fa4bd0bdfd0a137d2b039209d2b1eac0fabae7089c711bf7f7e2446d600c9cc0fd432958d1bcf4acc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2880	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018731-10.dat	dcrat
behavioral1/memory/2316-13-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2532-164-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2116-223-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/396-283-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
2912	powershell.exe
2552	powershell.exe
2504	powershell.exe
1668	powershell.exe
784	powershell.exe
2312	powershell.exe
2616	powershell.exe
2788	powershell.exe
1520	powershell.exe
2708	powershell.exe
2856	powershell.exe
2852	powershell.exe
2784	powershell.exe
2744	powershell.exe
2732	powershell.exe
2904	powershell.exe
2664	powershell.exe
2876	powershell.exe
2608	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2316	DllCommonsvc.exe
2532	sppsvc.exe
2116	sppsvc.exe
396	sppsvc.exe
2544	sppsvc.exe
2728	sppsvc.exe
1760	sppsvc.exe
2904	sppsvc.exe
1216	sppsvc.exe
1824	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	cmd.exe
2068	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Setup\de-DE\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\System32\Setup\de-DE\088424020bedd6	DllCommonsvc.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2636	schtasks.exe
2204	schtasks.exe
1932	schtasks.exe
2428	schtasks.exe
592	schtasks.exe
1648	schtasks.exe
1972	schtasks.exe
2912	schtasks.exe
2904	schtasks.exe
2908	schtasks.exe
1688	schtasks.exe
1044	schtasks.exe
2456	schtasks.exe
812	schtasks.exe
2216	schtasks.exe
536	schtasks.exe
2828	schtasks.exe
2976	schtasks.exe
608	schtasks.exe
1640	schtasks.exe
1372	schtasks.exe
1496	schtasks.exe
944	schtasks.exe
2004	schtasks.exe
2772	schtasks.exe
1804	schtasks.exe
2100	schtasks.exe
1060	schtasks.exe
1704	schtasks.exe
2064	schtasks.exe
2936	schtasks.exe
2824	schtasks.exe
1912	schtasks.exe
2160	schtasks.exe
1868	schtasks.exe
1776	schtasks.exe
2776	schtasks.exe
2344	schtasks.exe
2944	schtasks.exe
1564	schtasks.exe
2896	schtasks.exe
1968	schtasks.exe
1720	schtasks.exe
2020	schtasks.exe
3044	schtasks.exe
2684	schtasks.exe
1756	schtasks.exe
1588	schtasks.exe
1996	schtasks.exe
2752	schtasks.exe
2980	schtasks.exe
2092	schtasks.exe
884	schtasks.exe
1816	schtasks.exe
1184	schtasks.exe
1072	schtasks.exe
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2316	DllCommonsvc.exe
2316	DllCommonsvc.exe
2316	DllCommonsvc.exe
2608	powershell.exe
2732	powershell.exe
2552	powershell.exe
2664	powershell.exe
2924	powershell.exe
2856	powershell.exe
2708	powershell.exe
2788	powershell.exe
2876	powershell.exe
2616	powershell.exe
2504	powershell.exe
2912	powershell.exe
2744	powershell.exe
1520	powershell.exe
2852	powershell.exe
1668	powershell.exe
2312	powershell.exe
2904	powershell.exe
2784	powershell.exe
784	powershell.exe
2532	sppsvc.exe
2116	sppsvc.exe
396	sppsvc.exe
2544	sppsvc.exe
2728	sppsvc.exe
1760	sppsvc.exe
2904	sppsvc.exe
1216	sppsvc.exe
1824	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	DllCommonsvc.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2532	sppsvc.exe
Token: SeDebugPrivilege	2116	sppsvc.exe
Token: SeDebugPrivilege	396	sppsvc.exe
Token: SeDebugPrivilege	2544	sppsvc.exe
Token: SeDebugPrivilege	2728	sppsvc.exe
Token: SeDebugPrivilege	1760	sppsvc.exe
Token: SeDebugPrivilege	2904	sppsvc.exe
Token: SeDebugPrivilege	1216	sppsvc.exe
Token: SeDebugPrivilege	1824	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1932	1984	JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe	30
PID 1984 wrote to memory of 1932	1984	JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe	30
PID 1984 wrote to memory of 1932	1984	JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe	30
PID 1984 wrote to memory of 1932	1984	JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe	30
PID 1932 wrote to memory of 2068	1932	WScript.exe	31
PID 1932 wrote to memory of 2068	1932	WScript.exe	31
PID 1932 wrote to memory of 2068	1932	WScript.exe	31
PID 1932 wrote to memory of 2068	1932	WScript.exe	31
PID 2068 wrote to memory of 2316	2068	cmd.exe	33
PID 2068 wrote to memory of 2316	2068	cmd.exe	33
PID 2068 wrote to memory of 2316	2068	cmd.exe	33
PID 2068 wrote to memory of 2316	2068	cmd.exe	33
PID 2316 wrote to memory of 2744	2316	DllCommonsvc.exe	92
PID 2316 wrote to memory of 2744	2316	DllCommonsvc.exe	92
PID 2316 wrote to memory of 2744	2316	DllCommonsvc.exe	92
PID 2316 wrote to memory of 2852	2316	DllCommonsvc.exe	93
PID 2316 wrote to memory of 2852	2316	DllCommonsvc.exe	93
PID 2316 wrote to memory of 2852	2316	DllCommonsvc.exe	93
PID 2316 wrote to memory of 2856	2316	DllCommonsvc.exe	94
PID 2316 wrote to memory of 2856	2316	DllCommonsvc.exe	94
PID 2316 wrote to memory of 2856	2316	DllCommonsvc.exe	94
PID 2316 wrote to memory of 2924	2316	DllCommonsvc.exe	95
PID 2316 wrote to memory of 2924	2316	DllCommonsvc.exe	95
PID 2316 wrote to memory of 2924	2316	DllCommonsvc.exe	95
PID 2316 wrote to memory of 2788	2316	DllCommonsvc.exe	96
PID 2316 wrote to memory of 2788	2316	DllCommonsvc.exe	96
PID 2316 wrote to memory of 2788	2316	DllCommonsvc.exe	96
PID 2316 wrote to memory of 2616	2316	DllCommonsvc.exe	97
PID 2316 wrote to memory of 2616	2316	DllCommonsvc.exe	97
PID 2316 wrote to memory of 2616	2316	DllCommonsvc.exe	97
PID 2316 wrote to memory of 2784	2316	DllCommonsvc.exe	98
PID 2316 wrote to memory of 2784	2316	DllCommonsvc.exe	98
PID 2316 wrote to memory of 2784	2316	DllCommonsvc.exe	98
PID 2316 wrote to memory of 2876	2316	DllCommonsvc.exe	99
PID 2316 wrote to memory of 2876	2316	DllCommonsvc.exe	99
PID 2316 wrote to memory of 2876	2316	DllCommonsvc.exe	99
PID 2316 wrote to memory of 1520	2316	DllCommonsvc.exe	100
PID 2316 wrote to memory of 1520	2316	DllCommonsvc.exe	100
PID 2316 wrote to memory of 1520	2316	DllCommonsvc.exe	100
PID 2316 wrote to memory of 2732	2316	DllCommonsvc.exe	101
PID 2316 wrote to memory of 2732	2316	DllCommonsvc.exe	101
PID 2316 wrote to memory of 2732	2316	DllCommonsvc.exe	101
PID 2316 wrote to memory of 2608	2316	DllCommonsvc.exe	102
PID 2316 wrote to memory of 2608	2316	DllCommonsvc.exe	102
PID 2316 wrote to memory of 2608	2316	DllCommonsvc.exe	102
PID 2316 wrote to memory of 2664	2316	DllCommonsvc.exe	103
PID 2316 wrote to memory of 2664	2316	DllCommonsvc.exe	103
PID 2316 wrote to memory of 2664	2316	DllCommonsvc.exe	103
PID 2316 wrote to memory of 2552	2316	DllCommonsvc.exe	104
PID 2316 wrote to memory of 2552	2316	DllCommonsvc.exe	104
PID 2316 wrote to memory of 2552	2316	DllCommonsvc.exe	104
PID 2316 wrote to memory of 2912	2316	DllCommonsvc.exe	105
PID 2316 wrote to memory of 2912	2316	DllCommonsvc.exe	105
PID 2316 wrote to memory of 2912	2316	DllCommonsvc.exe	105
PID 2316 wrote to memory of 2312	2316	DllCommonsvc.exe	107
PID 2316 wrote to memory of 2312	2316	DllCommonsvc.exe	107
PID 2316 wrote to memory of 2312	2316	DllCommonsvc.exe	107
PID 2316 wrote to memory of 784	2316	DllCommonsvc.exe	108
PID 2316 wrote to memory of 784	2316	DllCommonsvc.exe	108
PID 2316 wrote to memory of 784	2316	DllCommonsvc.exe	108
PID 2316 wrote to memory of 1668	2316	DllCommonsvc.exe	109
PID 2316 wrote to memory of 1668	2316	DllCommonsvc.exe	109
PID 2316 wrote to memory of 1668	2316	DllCommonsvc.exe	109
PID 2316 wrote to memory of 2504	2316	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3e84b19888859e23a5402bc85c755495eb5667a7fe01ed7f84c159198447903.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Setup\de-DE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQUlHHMhir.bat"
        5⤵
        
        PID:2992
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2900
      - C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
        7⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:980
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        9⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1940
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        11⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2996
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        13⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1588
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
        15⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1300
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        17⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2908
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
        19⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1912
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        21⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2600
        
        C:\Users\Default\Local Settings\sppsvc.exe
        
        "C:\Users\Default\Local Settings\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\Setup\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\Setup\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Setup\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d90ab06e740ad06656ef30738e658c97

SHA1
a74f248157b0623f84533048f45db45948f977ed

SHA256
791c94e798f1be0fcb1da83ae61cd3ac3582561e7b0b574a4835d6fa06b35b8a

SHA512
68ca95a5bdf922f3410395a7b8ebd1b3bf80775978e1e2a39ab2b60fd11683d94eba4bbf6f2325d70fbcd4927d6d35772a2111b178987b850d6a33294bf35313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2001cd129015880eac8f052cd3d8fab8

SHA1
004284b36347360b24d9aa3b8cd09c802b01d743

SHA256
2e95dde195ea46d097ebba69c5b1d205a086672c3ea5d41e8080f645f78d3ed3

SHA512
e3cfb67ab2d36d4e1bcebff09d73c0b0732fe658531285e2e66c1ad935ef91acf0451d45292df979b17338fbefdbb32ec8ca2f9b3534ab371a1633e6abfb602c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b0cb82c90150abebb1cb1fe0c098dc0

SHA1
1658877240e4d1d42b1b5503587853cc7a0f8250

SHA256
2364591794c70d4871fa7834798f91e66fdd9e3a8c9adee22222d26c68c7aa45

SHA512
84c5622f2086142563c2d718725a76327238ce224096588ae0706c9c1aa9102e1822d7b647fb8b5d819d62c216cae428953c30aa0a646f86498088968123de42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cea3d92bd137e43754751843843bdb87

SHA1
124a6fafc9ee6610c6257b00993d5d51393cdd60

SHA256
c1b1e5859576b7631477fe8feb80e13c98b57b09268d9480df7b7f10940eedd1

SHA512
fc4272bddcf4ac2bb9f8c658f3bec6d8d1e00ec9ab0077d8fd5c1b541ddbfb05a663e010a8392caac4d34c5ce18e6215baef062dec9c3804ee8936b91ae4bee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b17dd8c2020afb506605105ffc6fa41

SHA1
4739ecc0f5b2d521609ce46f7f8d3111d20fbb8f

SHA256
d9134a3fde3fae424bfa54b67b78e80de8ae4d9ea8e7e5c5873c9c330e88cac4

SHA512
830bda775b1510e1a338f1bc69de351aad0c6f7df141a1ac3b8c6b832fa2e368a041aa92e38f531dd8e1b115ed3a363c51962ad64c0dbc491904f05215d6e81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74a2bfd4822b7d3b0f6a1b4fedbaaf3b

SHA1
4ea9e9c327209293dc5d82a73583cbb9a622d0b1

SHA256
a7c6c9fda146461c0ffc6133db35c1945d40e2d81403e1788a69823e91b18f79

SHA512
3ceb6834b859dffaca9ca66545b5082d53687ef2a74aac4713ef8bb32b504843c66f9638dbf71deadbbc89f25eb0404e9ecff23a15b17102ba713e446253ba87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b870d089b76e788e851bdca7c16faffa

SHA1
b946e3d1c05b2274e380bb1c3a52c3348bc731da

SHA256
ddbd6b8cffe09ee420159b59dd6522bd97a6401f2373eb884922a39007a0af65

SHA512
45cf5d6b7a2d17bc6d8ef54c03119a6ede8f8151cff0761daf83d0d8b7491193d8416fe1f0fb434c6454d1ff13495bb81cab294adb8dd4ea5885a6ab0d965722

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE10.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE32.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
207B

MD5
519021802321a5af5d62f1b110eb7bda

SHA1
382132fbe994a46c097669f0a68c1ee8c124f4ff

SHA256
eea949b659dfceb9c87e406bff89a41ef96a1e9666a31978c1e56e4b0d4e08c6

SHA512
55fc58a27ba6dce54220863b88439856ce40587883c0b29deb65efca4320d4441e259b6c70966ce2cda18e83d92ac2ddc2f6480aab214cc7f91ec904bea92bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
207B

MD5
0b474026f6a4ce83b7f62f221f153188

SHA1
d197f215bc5febf514b0e0de7b3c60d53daa9225

SHA256
922f65c31b8d4b50cc28867cd125c137793f54b83199b07fee2ae32bb904e4a1

SHA512
e85068e0f27c3e99c24368bf39f64591cefa87f0831327f1978e2258d14c187fc9e762213b33338be5e52f788adcd3a2948e41a09dd6ca39fbcd45a546ea7126

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
207B

MD5
0e936636183c36fa2dd2137309fc7aba

SHA1
73fb6d8fa7be9047199c28e18fcb6187998a6b8c

SHA256
bf8a5bd6e1cfab838ff9a319b21b621ddbc890782e80f4a9e923e8f77b6d48cd

SHA512
3824c5bb63b15aabef086e41fff4973122a2b8db94dda692ddf3161a415367445171b16ab5fd078d46f4f181bb2d795bb4d6c7ba0d6dd3d8ee6797171d3534cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

Filesize
207B

MD5
55c67f80be37fb9aaabdbb94a527a4bd

SHA1
982aac07b4bc830a8be44db4322e0515c4554c00

SHA256
ed596b6ae526588a726077d267de3ac397d4d0473dfb085452b74d9d549a7208

SHA512
628533150cc333a9ed2c18f96299c73de23ac496909b2b16232eb803f1e21e111c2f4a13c1d0be09ccc3f0600caa6bc9184070e52f2b9c6fe0cc02bcdb557683

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
207B

MD5
7fdfd52241d111dd34c2a11f95b62260

SHA1
68cdc70a67d79049dd5302862376c1123fa42161

SHA256
d8e157d23afa316627fffbcb62f761d0a1a95637dbe2f3ad61b4966c1b2283ae

SHA512
d984a338b818f61aee203158b2bde97500e436e28245b904737169e13429e9e3bc9f334c8155fbb4fa40720a1288b3a6e7f299aa8b75c1bac6399541b618df29

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat

Filesize
207B

MD5
a110b1303bee6607581919bbb8d71f23

SHA1
d26a22a2e0cda1b33d5453a5b262d979b0f9a311

SHA256
0e90bf047d151b7527afa2f1ed01b4eb494b379eabc41fbb95b097c06e1187c5

SHA512
4ea17f7ae3ab58fafc28bd3f8fc26bd1c11694570eb7b472add2f61923e792835ab12dce5fb27ee2d45965268a16a67b8dfba29e9a3f0395e6be8b97c5ca0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Filesize
207B

MD5
7cc04e1ad771c8039a9e5185cf1f76f2

SHA1
78468a4f56d69da127f5dbfe1106c21edaee6633

SHA256
bbfe9f2158b72bdb7b8c74cda4e8d12fb6b9075f0c2206e8c03f6aa18085a3cd

SHA512
06f96a5b87d980002cf58c9bb8c9bcf14171038e049f24e86c377e089bc7f45b652b18ef296f7129cd27a9268f53ca0656cc109fe397fa662c3a6f05a1a536bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
207B

MD5
5858503536233cc3c32c297983ec8e98

SHA1
2d8ffff8789b03148ba0575a44f9fcf3e78cb22a

SHA256
568e99c9b0d302d041869da721eeb5ba429ae7811642e8512e48110a9299c00d

SHA512
cf3c834023f9e76e102d2294905433f0989717f1b6dd2173b1f271049a79d5b571462ecc64f66f991916493681de665c9323a0c650a837a917c0ca836e497e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQUlHHMhir.bat

Filesize
207B

MD5
1057b6dc03554192646e9fe9a73f9e15

SHA1
b05327d619c830126123c09f94597a64325798d8

SHA256
3aa2fd9a655ce32df5ccc6e57ded408296e1f7a4065836fca23500a9f92d637e

SHA512
8d62e9032301d54b42594b0902960455879561496bfbc3235d832ae33ba2b3c428ca8f5237f1d96d5b21ca579c4acf142ede35afaf291a55f8c0c84380842fa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a37c577e5942246c9b5a9942ca112e7

SHA1
8b3d5f19b959a47078e809b8d0ee598e3f41cb1e

SHA256
ae9b81eea5bfe2cab93cfcac5ce5db5430359e6fe9cba83e37d1973260ae6490

SHA512
fd6dbf4790d2a2c7a263963f09dd61630374835db0a7c9654ed718eaeae3ca8856b3e41184edd74f6c1dc43370c861d6ce615abc49f180bd541e6e11d03ccf56

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-283-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/396-284-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1824-639-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2116-223-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2316-15-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2316-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2316-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2316-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2316-13-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2532-164-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-110-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2732-109-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download