dcrat | 3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe
Size

1.3MB
MD5

1310bd6d8a83f52f7696658d0abb52ed
SHA1

3f45fcc3c4d24b7c1b0571655835a638996cf108
SHA256

3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2
SHA512

da2d0c7497372c329789a79ac2ef6882c8502deb8b110c9b97ced3bc5bf55e838c20c0d3a93ab6c9030224356193f0b659bedfa9cdd98709739bb21eb51efaf2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2584	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016e1d-9.dat	dcrat
behavioral1/memory/2176-13-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/2752-157-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/1980-216-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/552-276-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/2100-336-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/2192-456-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/560-516-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2848-575-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2920-636-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe
2380	powershell.exe
2764	powershell.exe
2560	powershell.exe
2568	powershell.exe
276	powershell.exe
2960	powershell.exe
2964	powershell.exe
2232	powershell.exe
2588	powershell.exe
1592	powershell.exe
2664	powershell.exe
2552	powershell.exe
2548	powershell.exe
2788	powershell.exe
1004	powershell.exe
1308	powershell.exe
1896	powershell.exe
2580	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2176	DllCommonsvc.exe
2752	dllhost.exe
1980	dllhost.exe
552	dllhost.exe
2100	dllhost.exe
2488	dllhost.exe
2192	dllhost.exe
560	dllhost.exe
2848	dllhost.exe
2920	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	cmd.exe
2432	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\System.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1364	schtasks.exe
996	schtasks.exe
1088	schtasks.exe
2096	schtasks.exe
1464	schtasks.exe
1712	schtasks.exe
776	schtasks.exe
2504	schtasks.exe
2132	schtasks.exe
1560	schtasks.exe
2488	schtasks.exe
1320	schtasks.exe
648	schtasks.exe
2648	schtasks.exe
2536	schtasks.exe
2120	schtasks.exe
2236	schtasks.exe
1600	schtasks.exe
684	schtasks.exe
2024	schtasks.exe
1080	schtasks.exe
3004	schtasks.exe
2156	schtasks.exe
1604	schtasks.exe
1352	schtasks.exe
1540	schtasks.exe
1304	schtasks.exe
1688	schtasks.exe
2112	schtasks.exe
1780	schtasks.exe
2760	schtasks.exe
2900	schtasks.exe
3068	schtasks.exe
2332	schtasks.exe
1808	schtasks.exe
2644	schtasks.exe
2848	schtasks.exe
1964	schtasks.exe
2200	schtasks.exe
2880	schtasks.exe
2316	schtasks.exe
2276	schtasks.exe
2912	schtasks.exe
1888	schtasks.exe
2304	schtasks.exe
2980	schtasks.exe
1820	schtasks.exe
1732	schtasks.exe
1612	schtasks.exe
1976	schtasks.exe
3064	schtasks.exe
2232	schtasks.exe
2460	schtasks.exe
1924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2176	DllCommonsvc.exe
2176	DllCommonsvc.exe
2176	DllCommonsvc.exe
2764	powershell.exe
2568	powershell.exe
2964	powershell.exe
1592	powershell.exe
2232	powershell.exe
1896	powershell.exe
2788	powershell.exe
2172	powershell.exe
2664	powershell.exe
2560	powershell.exe
2552	powershell.exe
276	powershell.exe
2960	powershell.exe
2548	powershell.exe
2580	powershell.exe
2380	powershell.exe
1004	powershell.exe
1308	powershell.exe
2588	powershell.exe
2752	dllhost.exe
1980	dllhost.exe
552	dllhost.exe
2100	dllhost.exe
2488	dllhost.exe
2192	dllhost.exe
560	dllhost.exe
2848	dllhost.exe
2920	dllhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	DllCommonsvc.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2752	dllhost.exe
Token: SeDebugPrivilege	1980	dllhost.exe
Token: SeDebugPrivilege	552	dllhost.exe
Token: SeDebugPrivilege	2100	dllhost.exe
Token: SeDebugPrivilege	2488	dllhost.exe
Token: SeDebugPrivilege	2192	dllhost.exe
Token: SeDebugPrivilege	560	dllhost.exe
Token: SeDebugPrivilege	2848	dllhost.exe
Token: SeDebugPrivilege	2920	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2756	2644	JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe	30
PID 2644 wrote to memory of 2756	2644	JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe	30
PID 2644 wrote to memory of 2756	2644	JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe	30
PID 2644 wrote to memory of 2756	2644	JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe	30
PID 2756 wrote to memory of 2432	2756	WScript.exe	31
PID 2756 wrote to memory of 2432	2756	WScript.exe	31
PID 2756 wrote to memory of 2432	2756	WScript.exe	31
PID 2756 wrote to memory of 2432	2756	WScript.exe	31
PID 2432 wrote to memory of 2176	2432	cmd.exe	33
PID 2432 wrote to memory of 2176	2432	cmd.exe	33
PID 2432 wrote to memory of 2176	2432	cmd.exe	33
PID 2432 wrote to memory of 2176	2432	cmd.exe	33
PID 2176 wrote to memory of 2764	2176	DllCommonsvc.exe	89
PID 2176 wrote to memory of 2764	2176	DllCommonsvc.exe	89
PID 2176 wrote to memory of 2764	2176	DllCommonsvc.exe	89
PID 2176 wrote to memory of 2560	2176	DllCommonsvc.exe	90
PID 2176 wrote to memory of 2560	2176	DllCommonsvc.exe	90
PID 2176 wrote to memory of 2560	2176	DllCommonsvc.exe	90
PID 2176 wrote to memory of 2588	2176	DllCommonsvc.exe	91
PID 2176 wrote to memory of 2588	2176	DllCommonsvc.exe	91
PID 2176 wrote to memory of 2588	2176	DllCommonsvc.exe	91
PID 2176 wrote to memory of 2580	2176	DllCommonsvc.exe	92
PID 2176 wrote to memory of 2580	2176	DllCommonsvc.exe	92
PID 2176 wrote to memory of 2580	2176	DllCommonsvc.exe	92
PID 2176 wrote to memory of 2172	2176	DllCommonsvc.exe	93
PID 2176 wrote to memory of 2172	2176	DllCommonsvc.exe	93
PID 2176 wrote to memory of 2172	2176	DllCommonsvc.exe	93
PID 2176 wrote to memory of 2664	2176	DllCommonsvc.exe	94
PID 2176 wrote to memory of 2664	2176	DllCommonsvc.exe	94
PID 2176 wrote to memory of 2664	2176	DllCommonsvc.exe	94
PID 2176 wrote to memory of 2552	2176	DllCommonsvc.exe	95
PID 2176 wrote to memory of 2552	2176	DllCommonsvc.exe	95
PID 2176 wrote to memory of 2552	2176	DllCommonsvc.exe	95
PID 2176 wrote to memory of 2548	2176	DllCommonsvc.exe	96
PID 2176 wrote to memory of 2548	2176	DllCommonsvc.exe	96
PID 2176 wrote to memory of 2548	2176	DllCommonsvc.exe	96
PID 2176 wrote to memory of 2568	2176	DllCommonsvc.exe	97
PID 2176 wrote to memory of 2568	2176	DllCommonsvc.exe	97
PID 2176 wrote to memory of 2568	2176	DllCommonsvc.exe	97
PID 2176 wrote to memory of 2788	2176	DllCommonsvc.exe	98
PID 2176 wrote to memory of 2788	2176	DllCommonsvc.exe	98
PID 2176 wrote to memory of 2788	2176	DllCommonsvc.exe	98
PID 2176 wrote to memory of 276	2176	DllCommonsvc.exe	99
PID 2176 wrote to memory of 276	2176	DllCommonsvc.exe	99
PID 2176 wrote to memory of 276	2176	DllCommonsvc.exe	99
PID 2176 wrote to memory of 2960	2176	DllCommonsvc.exe	100
PID 2176 wrote to memory of 2960	2176	DllCommonsvc.exe	100
PID 2176 wrote to memory of 2960	2176	DllCommonsvc.exe	100
PID 2176 wrote to memory of 2964	2176	DllCommonsvc.exe	101
PID 2176 wrote to memory of 2964	2176	DllCommonsvc.exe	101
PID 2176 wrote to memory of 2964	2176	DllCommonsvc.exe	101
PID 2176 wrote to memory of 1592	2176	DllCommonsvc.exe	102
PID 2176 wrote to memory of 1592	2176	DllCommonsvc.exe	102
PID 2176 wrote to memory of 1592	2176	DllCommonsvc.exe	102
PID 2176 wrote to memory of 1308	2176	DllCommonsvc.exe	103
PID 2176 wrote to memory of 1308	2176	DllCommonsvc.exe	103
PID 2176 wrote to memory of 1308	2176	DllCommonsvc.exe	103
PID 2176 wrote to memory of 1004	2176	DllCommonsvc.exe	104
PID 2176 wrote to memory of 1004	2176	DllCommonsvc.exe	104
PID 2176 wrote to memory of 1004	2176	DllCommonsvc.exe	104
PID 2176 wrote to memory of 2380	2176	DllCommonsvc.exe	106
PID 2176 wrote to memory of 2380	2176	DllCommonsvc.exe	106
PID 2176 wrote to memory of 2380	2176	DllCommonsvc.exe	106
PID 2176 wrote to memory of 1896	2176	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cc6fccbaa9e4208cee3f47cdec3a23bdeb7bc261929fd1468483eac3cb246e2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MbdPeCpK9s.bat"
        5⤵
        
        PID:2916
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:352
      - C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
        7⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1152
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        9⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1376
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        11⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2644
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat"
        13⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2112
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        15⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1980
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
        17⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:960
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
        19⤵
        
        PID:1352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:996
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        21⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2560
        
        C:\Users\Default\My Documents\dllhost.exe
        
        "C:\Users\Default\My Documents\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
        23⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2890041ae5bc37a19f2ebd623db4944

SHA1
6f94a89290b7934343c2372b2dd3d11da6a980d0

SHA256
c555290124bc6631b55f8ba29d1b7957ec6c76126591962b83d67d3722db5bb4

SHA512
fe900fbf32f61e2d31cd33f1b9deee38d34f514c4b4290a2f0252ce38b3cb6cdec6d274cd36c6b4a10c1c508385b3b649648d7473f38f47e5ad0b0387fcc0f1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ab8ba86d0f2e793e9b66d1cf484aaf2

SHA1
9549700ff9858eaae49ff3f90417055bd619ef46

SHA256
562bd92210058170ac117e3f85350e4c9ec0ba547d34ae12452fef6b2952fc34

SHA512
cb4f9f6bb3addfb7348c671665d7701143f7d1545f50e7c80759ecce383da7c7fd7bd7f8dde20257edb56a3b4e7d0713475e5d706ecc6b11f9f9ec4eece9cc4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8823527a1e542cc1fed35bd7c60de3de

SHA1
fd06692aa315e787c43c9ff47f73019907bd0c7b

SHA256
b2eb3bc3aa46b959514824823a4e4f8cadb553d353b4621f3964e34b191e9838

SHA512
f9715eb60b4d0adca46a71521e131ef5d1983416d612f4aaf3c6e129299e532fb096ac8ce0ebca2767cec36c8142796058b8c043995c643c6f91dca2d4a0d022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f734c7aeba73eb1761610ce788c5d98c

SHA1
70f5970890afefd91a61ce252e3802927176bf52

SHA256
9a7349b347ea72bf9673aca711db11dd8b9a5bf7146b6c14ced76607dd848a82

SHA512
7b94913fdbd5b3c36be0cd9b4e7e5f3769366555c6e18fdae0a3641c34625bc6aaeeae48f86a889ab3ca51ce7e80e868aa591009e9509d495615917640c1de55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
065392b7a1de1043c6598b8a7d2ca2c9

SHA1
4aa9474810d36c1ef6f33545ab3b14974208e8a4

SHA256
87f999e496fa3badb8ebaf0244bff14ce7c9f9a4d5e9736dcf9a70e6fb61fa88

SHA512
bf856b30e3d8659ac2708fb009666d444ecb2ba9f5cf5dc9d3f9a37b18fde22b89f53e7a55e50234283f4c03c7ff5fd82f9924fa79c7db80459f7ec15aa660b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf36e93811a70b59b7964ca16794125

SHA1
a0e36f54a24f9b1cb7f807274b3d886895f08c96

SHA256
9db313c2617df4668ca05e09bf31c0b11af9b0f9ee05951c1ad007acac69ef8d

SHA512
af490d38ab872eb2ca50b13a4eeb580a1cb0e0c25ea919a8202638e5339c5af0573ac2855ba1d0b519921399f3ff419121e4685ccafaf9053f34dec769a8c186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7646e464696a82d5133deea0842a324

SHA1
7694e601c013118bea99d2afd3374332a11b7640

SHA256
a405558e142f7e79ac506ed626a825f9b714e8a378bc94f90a068a4ad1c71554

SHA512
7a79d4c47861888d6546f50078388ff4be01301d4a2d5998f429a6b60afed55201ad84789e6961e3b9e41d29bcf806e526b74a2a54640be257329eb2ddba0c89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed57b2ce24cf92650c0a55cadc1ae3ee

SHA1
48bb8916fa6df6ebc489b3934fff15b8d761adfb

SHA256
4121f726ecce97183967a4cfd8eafed2ffb8de52d03d64db9e3cac57e4b237b3

SHA512
f8abfdfb01e9d0755a67152529216c4269921b29aefbfe03827546a0007586874a5334ead0afab2287f252fe61b06a5c6cdd1a96c1524f7d262ed17a18a44340

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
206B

MD5
ca898128053db906d775f435ddd07d61

SHA1
0efc5483f3db5c6ed258edcc0707db9c407bc16a

SHA256
6746569557d4866be3bd8987d06fc904c95ff771af3e01a078998a0ae22e968a

SHA512
cc7d26806d9de2c85bda1aa8a252103b8e64dfac9592a75953b9cbc369f40f35c3dbad9f8df31d53f6103772b0b21c063f82d1e68cd2730f200bed7e769890e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat

Filesize
206B

MD5
d4dda7daddbe821a71eb2cc041d9a24b

SHA1
e1be3f16ebb9da6353faa0dde55432f5a32cf456

SHA256
a35c6dbb17694070f36840759ff3f7c3d8436d800e8a62e93383838f5a595b89

SHA512
a3bda7e5e383b7be7a8c63bc09cd103e7229d487fa7edd2612d9910cb02e912ab5391f49b19359004564b0edc646d54866ee49b51ec9f74c530f62c4e018a6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9FE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MbdPeCpK9s.bat

Filesize
206B

MD5
d46901009634e62d034f25f70b14c220

SHA1
4660c855e2ae5cee8f6252903afb3bebdc91650c

SHA256
f346753f31bbd4b9a5888b5444d91ea3d07b2058f8dcb611d9da5da7a790e252

SHA512
14596306938f2d5c05c9ac157cf61baada70921be86c67c3c30ef8291971ee7827dc1866f39ce91775af479a863538c9594e75a2d5e19f67225270a990cf8ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA11.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
206B

MD5
8a77e2fd87da1fd16199c610a6d57d14

SHA1
8a8e8dc663aeea4415f5e6b387d47f249959c23a

SHA256
9adb1648850b802367a61f95ed7843ac08c0dc8078329ba1b8b697d73ef75036

SHA512
d1c3cd4180a1adc889ebb44cd291f979ae5b5e1228f5dc6291fef63b2d684a4dd0a0de75d52645e0a373b2ec3cfd7e9c0274b88a83ef22875c6df14f78fe398d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

Filesize
206B

MD5
0da62e92d2040a91a273392c48f28d2f

SHA1
d157c2e95c1b377bffb43476e0ef3e3e0cbd4b41

SHA256
f9ee5d5ce1c0d264c4674be3f407c5d8741382ff0fdd4ee400bdc399f1b869e7

SHA512
6540cfd886d8f7e23d164da0c1579c2bb300ba45e648f14e519749b5d743821de9f2f20e2152c6d1f07c81655eec29ee72c31b6207c670fee2e1d1070b66f87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat

Filesize
206B

MD5
608eaecc523f4c39012aa50f872e4d96

SHA1
8b80e02b16d3bd5ed1d32c1ddb0508f32fd41b74

SHA256
a57b5b0a840ac59472d7a26fe4e4f34429f5d2deb535b78e513b95575f6adfe7

SHA512
386541056fe1dccc033dded539222c7d1b7519fe74482d3ec32da81100f82465387cfd7786bfd0d230f7abced28b93e69e5d207c871992566562f27b020ec566

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
206B

MD5
170996cbc1689819696fff0fe8540e74

SHA1
5b751a6240c5eb440de89349ca98336285cc95f5

SHA256
19b35d0642ed999271100b2f8622121d5a0b9d14af9ee5e8b94b8c286f9a2632

SHA512
5691ca38e917754f5bc6a52aa3ed64650581a908420faf942e4bc5c6c0b0797dc0687fccd5b40de01fdec575b33e7679b51254a4e30f2c0d0251b041b04ad8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
206B

MD5
f04a7b81826387a14e5761148324a366

SHA1
6c8cdae3eef0ad17178b97a2d11e7bfa50101d24

SHA256
75a7dc69d32f4a034e24030f5d756db5ef1013e8df618264cd5062504ad6db74

SHA512
1cce42cc54cd5b6d89d0238d862d4410f015268b4bf2e3977e878650e0c19e1f4869ddf52860077f3792c571662e5e31359ce06fffc5702f39cb1708e57aa6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

Filesize
206B

MD5
18a27cfa90501380370ef596f6f2ae21

SHA1
8cbe02cce96b4619f798772113984f1c54ce4221

SHA256
eac9cf08a1821d1379062f170752af0a59c9a8c0a8b3e7fac5d9042727a871e1

SHA512
959882280b5d466abbe6321e60183726e97045194e3ce89a1d874a5d8f030ec468ccf80b8647eb1fb33af1d6e91fffbc3d2a428f2f3cf782aacecb88d248a4bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf4fe3b5be82dbe75410ade762e7530e

SHA1
9a35e45c8f865077d9f31e0fbe51b11a98b8ec4a

SHA256
d63541b70ed7286873c0c8306959d008c4d48b05e5151f825a91ae29ae46d8e1

SHA512
e89775f560a0161dc2d998a1c6d41716f0cab28639f3b46750c247187f7a562807ed3f7df30d93e454221846dc46266276f14b20c3917e3a7e54d8ad6d247da1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/552-276-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/560-516-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/1980-216-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-337-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2100-336-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/2176-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2176-13-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2176-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2176-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2176-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2192-456-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2752-157-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2764-62-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-64-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2848-576-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2848-575-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2920-636-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download