dcrat | b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
Size

1.3MB
MD5

4b64d9459b058632c44b201fc49b6279
SHA1

1f8a5288c8a628f817996a8d3dd493241c2c784e
SHA256

b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001
SHA512

b62275fdd2d83a02541b322bd564c3bc56b0ef742c16dd9fc976db18af80e5d2d6d043ac87d73ceec1b36b6ce4b3c9acbbc18d776ba043645454146822fb4b6c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3200	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3200	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b86-10.dat	dcrat
behavioral2/memory/4052-13-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
2680	powershell.exe
1724	powershell.exe
3612	powershell.exe
1972	powershell.exe
4288	powershell.exe
964	powershell.exe
408	powershell.exe
3620	powershell.exe
3192	powershell.exe
4228	powershell.exe
1860	powershell.exe
2736	powershell.exe
3060	powershell.exe
3208	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 16 IoCs

pid	Process
4052	DllCommonsvc.exe
2316	explorer.exe
4828	explorer.exe
4072	explorer.exe
3472	explorer.exe
4320	explorer.exe
4128	explorer.exe
2968	explorer.exe
4820	explorer.exe
3036	explorer.exe
464	explorer.exe
4280	explorer.exe
3948	explorer.exe
2104	explorer.exe
1496	explorer.exe
2480	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
55	raw.githubusercontent.com
54	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
46	raw.githubusercontent.com
56	raw.githubusercontent.com
18	raw.githubusercontent.com
24	raw.githubusercontent.com
51	raw.githubusercontent.com
53	raw.githubusercontent.com
19	raw.githubusercontent.com
38	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\upfc.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\CHS\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\InputMethod\CHS\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\en-US\System.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3720	schtasks.exe
2912	schtasks.exe
4996	schtasks.exe
3432	schtasks.exe
3028	schtasks.exe
2664	schtasks.exe
4452	schtasks.exe
1948	schtasks.exe
2516	schtasks.exe
3248	schtasks.exe
4700	schtasks.exe
4532	schtasks.exe
1356	schtasks.exe
4180	schtasks.exe
3712	schtasks.exe
3704	schtasks.exe
4536	schtasks.exe
1188	schtasks.exe
3900	schtasks.exe
208	schtasks.exe
4944	schtasks.exe
3624	schtasks.exe
3436	schtasks.exe
1672	schtasks.exe
3804	schtasks.exe
852	schtasks.exe
876	schtasks.exe
4468	schtasks.exe
2724	schtasks.exe
3280	schtasks.exe
2176	schtasks.exe
4852	schtasks.exe
1180	schtasks.exe
1800	schtasks.exe
956	schtasks.exe
2280	schtasks.exe
908	schtasks.exe
1108	schtasks.exe
4232	schtasks.exe
2588	schtasks.exe
5020	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	DllCommonsvc.exe
4052	DllCommonsvc.exe
4052	DllCommonsvc.exe
4052	DllCommonsvc.exe
4052	DllCommonsvc.exe
4052	DllCommonsvc.exe
4052	DllCommonsvc.exe
4228	powershell.exe
4228	powershell.exe
2736	powershell.exe
2736	powershell.exe
3060	powershell.exe
3060	powershell.exe
964	powershell.exe
964	powershell.exe
2420	powershell.exe
2420	powershell.exe
4288	powershell.exe
4288	powershell.exe
408	powershell.exe
408	powershell.exe
1860	powershell.exe
1860	powershell.exe
2680	powershell.exe
2680	powershell.exe
3192	powershell.exe
3192	powershell.exe
3208	powershell.exe
3208	powershell.exe
3612	powershell.exe
3612	powershell.exe
1972	powershell.exe
1972	powershell.exe
3620	powershell.exe
3620	powershell.exe
1724	powershell.exe
1724	powershell.exe
3620	powershell.exe
3060	powershell.exe
2736	powershell.exe
4228	powershell.exe
408	powershell.exe
2680	powershell.exe
3192	powershell.exe
2420	powershell.exe
3612	powershell.exe
4288	powershell.exe
1860	powershell.exe
3208	powershell.exe
964	powershell.exe
1972	powershell.exe
1724	powershell.exe
2316	explorer.exe
4828	explorer.exe
4072	explorer.exe
3472	explorer.exe
4320	explorer.exe
4128	explorer.exe
2968	explorer.exe
4820	explorer.exe
3036	explorer.exe
464	explorer.exe
4280	explorer.exe
3948	explorer.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	DllCommonsvc.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2316	explorer.exe
Token: SeDebugPrivilege	4828	explorer.exe
Token: SeDebugPrivilege	4072	explorer.exe
Token: SeDebugPrivilege	3472	explorer.exe
Token: SeDebugPrivilege	4320	explorer.exe
Token: SeDebugPrivilege	4128	explorer.exe
Token: SeDebugPrivilege	2968	explorer.exe
Token: SeDebugPrivilege	4820	explorer.exe
Token: SeDebugPrivilege	3036	explorer.exe
Token: SeDebugPrivilege	464	explorer.exe
Token: SeDebugPrivilege	4280	explorer.exe
Token: SeDebugPrivilege	3948	explorer.exe
Token: SeDebugPrivilege	2104	explorer.exe
Token: SeDebugPrivilege	1496	explorer.exe
Token: SeDebugPrivilege	2480	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3104	2072	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	83
PID 2072 wrote to memory of 3104	2072	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	83
PID 2072 wrote to memory of 3104	2072	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	83
PID 3104 wrote to memory of 2284	3104	WScript.exe	84
PID 3104 wrote to memory of 2284	3104	WScript.exe	84
PID 3104 wrote to memory of 2284	3104	WScript.exe	84
PID 2284 wrote to memory of 4052	2284	cmd.exe	86
PID 2284 wrote to memory of 4052	2284	cmd.exe	86
PID 4052 wrote to memory of 3620	4052	DllCommonsvc.exe	130
PID 4052 wrote to memory of 3620	4052	DllCommonsvc.exe	130
PID 4052 wrote to memory of 3192	4052	DllCommonsvc.exe	131
PID 4052 wrote to memory of 3192	4052	DllCommonsvc.exe	131
PID 4052 wrote to memory of 4228	4052	DllCommonsvc.exe	132
PID 4052 wrote to memory of 4228	4052	DllCommonsvc.exe	132
PID 4052 wrote to memory of 2736	4052	DllCommonsvc.exe	133
PID 4052 wrote to memory of 2736	4052	DllCommonsvc.exe	133
PID 4052 wrote to memory of 3060	4052	DllCommonsvc.exe	134
PID 4052 wrote to memory of 3060	4052	DllCommonsvc.exe	134
PID 4052 wrote to memory of 3612	4052	DllCommonsvc.exe	135
PID 4052 wrote to memory of 3612	4052	DllCommonsvc.exe	135
PID 4052 wrote to memory of 2420	4052	DllCommonsvc.exe	136
PID 4052 wrote to memory of 2420	4052	DllCommonsvc.exe	136
PID 4052 wrote to memory of 2680	4052	DllCommonsvc.exe	137
PID 4052 wrote to memory of 2680	4052	DllCommonsvc.exe	137
PID 4052 wrote to memory of 1724	4052	DllCommonsvc.exe	138
PID 4052 wrote to memory of 1724	4052	DllCommonsvc.exe	138
PID 4052 wrote to memory of 1860	4052	DllCommonsvc.exe	139
PID 4052 wrote to memory of 1860	4052	DllCommonsvc.exe	139
PID 4052 wrote to memory of 1972	4052	DllCommonsvc.exe	140
PID 4052 wrote to memory of 1972	4052	DllCommonsvc.exe	140
PID 4052 wrote to memory of 4288	4052	DllCommonsvc.exe	141
PID 4052 wrote to memory of 4288	4052	DllCommonsvc.exe	141
PID 4052 wrote to memory of 964	4052	DllCommonsvc.exe	142
PID 4052 wrote to memory of 964	4052	DllCommonsvc.exe	142
PID 4052 wrote to memory of 3208	4052	DllCommonsvc.exe	143
PID 4052 wrote to memory of 3208	4052	DllCommonsvc.exe	143
PID 4052 wrote to memory of 408	4052	DllCommonsvc.exe	144
PID 4052 wrote to memory of 408	4052	DllCommonsvc.exe	144
PID 4052 wrote to memory of 2344	4052	DllCommonsvc.exe	160
PID 4052 wrote to memory of 2344	4052	DllCommonsvc.exe	160
PID 2344 wrote to memory of 2176	2344	cmd.exe	162
PID 2344 wrote to memory of 2176	2344	cmd.exe	162
PID 2344 wrote to memory of 2316	2344	cmd.exe	163
PID 2344 wrote to memory of 2316	2344	cmd.exe	163
PID 2316 wrote to memory of 1096	2316	explorer.exe	170
PID 2316 wrote to memory of 1096	2316	explorer.exe	170
PID 1096 wrote to memory of 3772	1096	cmd.exe	172
PID 1096 wrote to memory of 3772	1096	cmd.exe	172
PID 1096 wrote to memory of 4828	1096	cmd.exe	173
PID 1096 wrote to memory of 4828	1096	cmd.exe	173
PID 4828 wrote to memory of 2072	4828	explorer.exe	174
PID 4828 wrote to memory of 2072	4828	explorer.exe	174
PID 2072 wrote to memory of 2324	2072	cmd.exe	177
PID 2072 wrote to memory of 2324	2072	cmd.exe	177
PID 2072 wrote to memory of 4072	2072	cmd.exe	179
PID 2072 wrote to memory of 4072	2072	cmd.exe	179
PID 4072 wrote to memory of 1996	4072	explorer.exe	180
PID 4072 wrote to memory of 1996	4072	explorer.exe	180
PID 1996 wrote to memory of 2948	1996	cmd.exe	182
PID 1996 wrote to memory of 2948	1996	cmd.exe	182
PID 1996 wrote to memory of 3472	1996	cmd.exe	183
PID 1996 wrote to memory of 3472	1996	cmd.exe	183
PID 3472 wrote to memory of 4376	3472	explorer.exe	184
PID 3472 wrote to memory of 4376	3472	explorer.exe	184

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHS\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQMxqegX1j.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2176
      - C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3772
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2324
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2948
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        13⤵
        
        PID:4376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3664
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        15⤵
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3492
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        17⤵
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1316
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        19⤵
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4464
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        21⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1908
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        23⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:660
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        25⤵
        
        PID:4764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4576
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        27⤵
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3300
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        29⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1968
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        31⤵
        
        PID:4204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2564
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        33⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2348
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHS\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHS\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\CHS\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Crashpad\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
195B

MD5
053c91ab87855f37cae5a45d331eaa81

SHA1
78dcf687ecd28b3bffd580eafc85447a4f960e6a

SHA256
d6c61d1dd7f540ced39c22fd0052240fc181f66ee4b71418d0a80bf96db8d330

SHA512
fda580aebf41decb304dfa3016e3e2e9f3139344f6aba5bc72b93d46765908f6281164a860aaf2654ea811cd649bf943d1b30c3c7479577dd11f420d67538f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
195B

MD5
6521fd913f8b2bdc8279848023d8302c

SHA1
ca3df14323d93b0633c5662b11965d5396c61f75

SHA256
818ddffb31f9663e283cb28919a97aa21539605119f0f33d44d32bf6570bfa2b

SHA512
4a0b498bce8580b077d85ba9547506efd85b48ad51d1635f23db3ce49b83932a2936bd5b226cdcc12cacb66c57279b3164c6e1a7db4e6be9e221200d38f603d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
195B

MD5
ac1cdad73a2622670e6af9cbb97b304a

SHA1
0d036328af755ce25fe41639b6ae298ecf46ff20

SHA256
bad18be2683acef80aa1c48955b3f14fe7fd477b9b710c47896bedb6af8bfbc8

SHA512
241b9d1cee307b6b7ba2c7e5ac71d8cebe899b6df8a714e487ce72bcfe79ff8ff579848248791913303c7e50e8aac64d64c3a05afa41c9c4caf8cd2822111768

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
195B

MD5
f27548495877bd05f225aaa31545a459

SHA1
0e49435929d75c3d30d9e20cc679b87da49364d3

SHA256
fa875aee5294692ee9eb613c8cf2f848f3b7e53e25fa208b3ef7332c879846cc

SHA512
004b8db22b36c6b92fd5cfc6bff0f19c7e852f33b8c1252e3009eeb008756d182f1d9608ac0b91dc317d32b46eefe84aa3e5079ce5bae11233f2ad1c25031781

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
195B

MD5
78fe845f6de13beaabeee65f7cc7c397

SHA1
0ba2279121106cf2edd8f44ee4cb0ea459b11c58

SHA256
e2dc61f951c2356a8d84aa482c61b28c230b9eea74edb280e1cb9e9ef0700089

SHA512
cbe43ea42a21eca47e242a1d8b4857509797a3e74420e35c4422091dd85870bac357938987cc35f6417d727a709d904079ec3e261439e7e0c97d5bb9086f8414

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat

Filesize
195B

MD5
865d6cd6a52fec78235c419a5c27e7b6

SHA1
81d1e2e1f9b3fc023ecd596fac734c2d1f84af0d

SHA256
8db8d372fc663a3c5aea2554ce97fbb204cb3a4fb84e45efd7c265c5a9581912

SHA512
433fa2bf5b5925f08350ad24cd180e9ee105e04e3abd1280474a4ff1bb52fc919bbd40968cab9b774c8e03363f04b599f4ff99b0f373cb043676a828468ad615

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shlt1qux.mhj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
195B

MD5
6c0d2dc6934ad87039b632d71ee0f03a

SHA1
938e5e6fd6b3f42f9278fd04c3d3df01ea70747b

SHA256
46230a2f5bf9e5d4e0df71fe3befec98dfbd85f651837d1a07688690f9bacb9b

SHA512
c9a550892e0db404f0a24754b5982ca57cadbfcc10c2fea9ddf5521d5d1adc07c8bfe155f81fa8fe153c279dbdab9cbb562099f43222a2ddc8074b24f3263a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMxqegX1j.bat

Filesize
195B

MD5
67a190a7e50aa74dd7b2b3abcc025110

SHA1
71e6f9be8635265ecd5234e120d559256ac3d771

SHA256
86130b5b4dba442c2e7828d1ebd28cd6a298ddd7bc7a5ae0d10effb00a5b0313

SHA512
1e23861cd328e9faad5fea5d3232b4c95ab242c83da6c81eaa3fe83251cfcf46e5742b62811ec58fc45ca1402675d461480ffc7b50dce5d4c0acfb5b993e84b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
195B

MD5
fdc56562f16d67028039fd775143d0d6

SHA1
ad5112c51069ee43f1ef31fb788df94f9266cdf1

SHA256
fa69be0a37f921f99c4638ba22eb79bf55f92f0d472b53399311c6da20f93720

SHA512
7792949d2adba479291bff4b9412a7d3fb691a435ddcebef0c36a26ee1b1ebf77ba6919e8f6d396616586ca1f4859c1d341102db26e1179ae6fe1ada0282c807

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
195B

MD5
c4fbc2280b783c581b6e1374d8fa1f99

SHA1
f6c647dc82cf28c8b6de74e922c9850cba23fd51

SHA256
34c95c1d117b715715864ca1502e05aeeb8c243feca955c3f7356fa769b5a8d8

SHA512
9f7b53ec1495d77ffc255d98ee5d04bb93c74acb2ae71886fb856a9b518ab138d57ee17798b4697b4d33b613c80ccb63eda4e42861ba567427a0d4b97ebfb0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
195B

MD5
8d7fd92689104dc29ac115f12cbbc53f

SHA1
1e289d0cc71ce015b34d0c178e575a365f291119

SHA256
fb364c425aa2aff92d814cc2454352acc21171babbbee870ead1ab4a3d65adf6

SHA512
0b118afe72c6dcfa90ce5098e9c17506930eb5dd4135b1261c62687c55ba74e06c70b3224d6e9ac3ed865698ba719d36ae96f5cb2e792336e842382f86599f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
195B

MD5
3f7eef40a524cb2bac7864721eaaf59b

SHA1
e9848574067a77fd5f11e2ee33c7f3afc0289276

SHA256
be55f94407bc790fbcbc391440126bbcd0cee4590765287810eba5b38e959769

SHA512
eaf076ea405a71e0cd1ce854c6856085414b2385811d7452a4b7e99990a63e87030847dd430a124cb8497fcc8b594341ea88dd01782ca1e49a2d9ff3f476a8aa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/408-51-0x0000020CCA280000-0x0000020CCA2A2000-memory.dmp

Filesize
136KB

Download
memory/1496-305-0x000000001B820000-0x000000001B832000-memory.dmp

Filesize
72KB

Download
memory/2104-298-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download
memory/3036-273-0x0000000001760000-0x0000000001772000-memory.dmp

Filesize
72KB

Download
memory/4052-14-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/4052-12-0x00007FFB5E3A3000-0x00007FFB5E3A5000-memory.dmp

Filesize
8KB

Download
memory/4052-13-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/4052-15-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/4052-16-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/4052-17-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/4072-235-0x00000000011C0000-0x00000000011D2000-memory.dmp

Filesize
72KB

Download
memory/4320-248-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/4828-228-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download