dcrat | c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74

Analysis

max time kernel
142s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe
Size

1.3MB
MD5

19c408c3d8f0cf4abb3939c310f01ec0
SHA1

146463068ece793aaebf801f387c1f60eee07bab
SHA256

c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74
SHA512

d33967e4b98b8586aa733ea222f2080ca47770df076ade45dd94389f3a6b20b6ec710bee89e9d6c14a91419d94664096a12bba82d7f4435c534ddad4810f41c1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	592	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015e48-10.dat	dcrat
behavioral1/memory/2616-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1932-74-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/1952-282-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/584-579-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2588-698-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2800	powershell.exe
2000	powershell.exe
1204	powershell.exe
912	powershell.exe
2860	powershell.exe
2004	powershell.exe
1836	powershell.exe
2932	powershell.exe
584	powershell.exe
1992	powershell.exe
572	powershell.exe
380	powershell.exe
2480	powershell.exe
1876	powershell.exe
2820	powershell.exe
3024	powershell.exe
2872	powershell.exe
2132	powershell.exe
2528	powershell.exe
2056	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2616	DllCommonsvc.exe
1932	dwm.exe
1112	dwm.exe
1952	dwm.exe
2456	dwm.exe
2704	dwm.exe
2640	dwm.exe
2236	dwm.exe
584	dwm.exe
1880	dwm.exe
2588	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
28	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\Links\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ModemLogs\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\schemas\TSWorkSpace\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\security\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Links\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\security\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1232	schtasks.exe
844	schtasks.exe
2464	schtasks.exe
2084	schtasks.exe
2992	schtasks.exe
1792	schtasks.exe
1824	schtasks.exe
1996	schtasks.exe
1112	schtasks.exe
1108	schtasks.exe
1284	schtasks.exe
2436	schtasks.exe
1096	schtasks.exe
2240	schtasks.exe
2784	schtasks.exe
2132	schtasks.exe
2460	schtasks.exe
920	schtasks.exe
2980	schtasks.exe
2928	schtasks.exe
2968	schtasks.exe
1348	schtasks.exe
2584	schtasks.exe
2328	schtasks.exe
1656	schtasks.exe
3056	schtasks.exe
1920	schtasks.exe
112	schtasks.exe
1504	schtasks.exe
868	schtasks.exe
2364	schtasks.exe
1360	schtasks.exe
1076	schtasks.exe
1276	schtasks.exe
2112	schtasks.exe
1660	schtasks.exe
3040	schtasks.exe
1192	schtasks.exe
1724	schtasks.exe
1532	schtasks.exe
2336	schtasks.exe
2556	schtasks.exe
696	schtasks.exe
2140	schtasks.exe
1976	schtasks.exe
904	schtasks.exe
276	schtasks.exe
2788	schtasks.exe
2380	schtasks.exe
2304	schtasks.exe
2412	schtasks.exe
2636	schtasks.exe
1780	schtasks.exe
2680	schtasks.exe
888	schtasks.exe
2776	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2616	DllCommonsvc.exe
380	powershell.exe
572	powershell.exe
2820	powershell.exe
2860	powershell.exe
1204	powershell.exe
2932	powershell.exe
2480	powershell.exe
2056	powershell.exe
2872	powershell.exe
1876	powershell.exe
584	powershell.exe
2800	powershell.exe
2132	powershell.exe
912	powershell.exe
2004	powershell.exe
2000	powershell.exe
1836	powershell.exe
3024	powershell.exe
1992	powershell.exe
2528	powershell.exe
1932	dwm.exe
1112	dwm.exe
1952	dwm.exe
2456	dwm.exe
2704	dwm.exe
2640	dwm.exe
2236	dwm.exe
584	dwm.exe
1880	dwm.exe
2588	dwm.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	DllCommonsvc.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1932	dwm.exe
Token: SeDebugPrivilege	1112	dwm.exe
Token: SeDebugPrivilege	1952	dwm.exe
Token: SeDebugPrivilege	2456	dwm.exe
Token: SeDebugPrivilege	2704	dwm.exe
Token: SeDebugPrivilege	2640	dwm.exe
Token: SeDebugPrivilege	2236	dwm.exe
Token: SeDebugPrivilege	584	dwm.exe
Token: SeDebugPrivilege	1880	dwm.exe
Token: SeDebugPrivilege	2588	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe	30
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe	30
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe	30
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe	30
PID 2788 wrote to memory of 2732	2788	WScript.exe	31
PID 2788 wrote to memory of 2732	2788	WScript.exe	31
PID 2788 wrote to memory of 2732	2788	WScript.exe	31
PID 2788 wrote to memory of 2732	2788	WScript.exe	31
PID 2732 wrote to memory of 2616	2732	cmd.exe	33
PID 2732 wrote to memory of 2616	2732	cmd.exe	33
PID 2732 wrote to memory of 2616	2732	cmd.exe	33
PID 2732 wrote to memory of 2616	2732	cmd.exe	33
PID 2616 wrote to memory of 2480	2616	DllCommonsvc.exe	92
PID 2616 wrote to memory of 2480	2616	DllCommonsvc.exe	92
PID 2616 wrote to memory of 2480	2616	DllCommonsvc.exe	92
PID 2616 wrote to memory of 2000	2616	DllCommonsvc.exe	93
PID 2616 wrote to memory of 2000	2616	DllCommonsvc.exe	93
PID 2616 wrote to memory of 2000	2616	DllCommonsvc.exe	93
PID 2616 wrote to memory of 380	2616	DllCommonsvc.exe	94
PID 2616 wrote to memory of 380	2616	DllCommonsvc.exe	94
PID 2616 wrote to memory of 380	2616	DllCommonsvc.exe	94
PID 2616 wrote to memory of 572	2616	DllCommonsvc.exe	95
PID 2616 wrote to memory of 572	2616	DllCommonsvc.exe	95
PID 2616 wrote to memory of 572	2616	DllCommonsvc.exe	95
PID 2616 wrote to memory of 1992	2616	DllCommonsvc.exe	97
PID 2616 wrote to memory of 1992	2616	DllCommonsvc.exe	97
PID 2616 wrote to memory of 1992	2616	DllCommonsvc.exe	97
PID 2616 wrote to memory of 1876	2616	DllCommonsvc.exe	98
PID 2616 wrote to memory of 1876	2616	DllCommonsvc.exe	98
PID 2616 wrote to memory of 1876	2616	DllCommonsvc.exe	98
PID 2616 wrote to memory of 2056	2616	DllCommonsvc.exe	100
PID 2616 wrote to memory of 2056	2616	DllCommonsvc.exe	100
PID 2616 wrote to memory of 2056	2616	DllCommonsvc.exe	100
PID 2616 wrote to memory of 2820	2616	DllCommonsvc.exe	101
PID 2616 wrote to memory of 2820	2616	DllCommonsvc.exe	101
PID 2616 wrote to memory of 2820	2616	DllCommonsvc.exe	101
PID 2616 wrote to memory of 1204	2616	DllCommonsvc.exe	102
PID 2616 wrote to memory of 1204	2616	DllCommonsvc.exe	102
PID 2616 wrote to memory of 1204	2616	DllCommonsvc.exe	102
PID 2616 wrote to memory of 3024	2616	DllCommonsvc.exe	103
PID 2616 wrote to memory of 3024	2616	DllCommonsvc.exe	103
PID 2616 wrote to memory of 3024	2616	DllCommonsvc.exe	103
PID 2616 wrote to memory of 912	2616	DllCommonsvc.exe	104
PID 2616 wrote to memory of 912	2616	DllCommonsvc.exe	104
PID 2616 wrote to memory of 912	2616	DllCommonsvc.exe	104
PID 2616 wrote to memory of 2860	2616	DllCommonsvc.exe	106
PID 2616 wrote to memory of 2860	2616	DllCommonsvc.exe	106
PID 2616 wrote to memory of 2860	2616	DllCommonsvc.exe	106
PID 2616 wrote to memory of 584	2616	DllCommonsvc.exe	107
PID 2616 wrote to memory of 584	2616	DllCommonsvc.exe	107
PID 2616 wrote to memory of 584	2616	DllCommonsvc.exe	107
PID 2616 wrote to memory of 2800	2616	DllCommonsvc.exe	109
PID 2616 wrote to memory of 2800	2616	DllCommonsvc.exe	109
PID 2616 wrote to memory of 2800	2616	DllCommonsvc.exe	109
PID 2616 wrote to memory of 2872	2616	DllCommonsvc.exe	111
PID 2616 wrote to memory of 2872	2616	DllCommonsvc.exe	111
PID 2616 wrote to memory of 2872	2616	DllCommonsvc.exe	111
PID 2616 wrote to memory of 2132	2616	DllCommonsvc.exe	112
PID 2616 wrote to memory of 2132	2616	DllCommonsvc.exe	112
PID 2616 wrote to memory of 2132	2616	DllCommonsvc.exe	112
PID 2616 wrote to memory of 2004	2616	DllCommonsvc.exe	114
PID 2616 wrote to memory of 2004	2616	DllCommonsvc.exe	114
PID 2616 wrote to memory of 2004	2616	DllCommonsvc.exe	114
PID 2616 wrote to memory of 2528	2616	DllCommonsvc.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c943d71adc6a9bf95a819b60f9b2db314cfcc158a44e5e803221017e6b837e74.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Links\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        6⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2584
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        8⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2640
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        10⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2944
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"
        12⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2492
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        14⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2240
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        16⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2636
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        18⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2896
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        20⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3052
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
        22⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2300
        
        C:\Users\Default\Recent\dwm.exe
        
        "C:\Users\Default\Recent\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\security\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\security\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\security\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ea7b89d1c54a42e73467bec42cea1c0

SHA1
3b55af5c076ab217063a1c343135f04cf0bde2e9

SHA256
2be7296da8f8bdb5070da1a218a1d2b1246fb0e2c76933c0c221b072ac613a80

SHA512
872a3d0285276cad6cc888c822a3e208b8bf2782b3d22062f63cc8c812eb73264d60dabcd944fd0a1e8c5eb8fa037d386b2482e98e61e4c1befe4244198b5737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5114b8d6dc2a34483b15de911cd76262

SHA1
8f8a1dee4a61ef88a0c27eee9c849329c08d39e7

SHA256
6b382b4aa1b2043f5b12d9dd0f02802760e1bd47f445d6bc0d81974dcea02147

SHA512
0527839962ae3bfdab41a6108b896b2fa8afbbbdd01c05fdd281e7aca460b721e89e79be565ded7c6aabb04e13cedb00239ae18b42767b2e3758ab5ee554d92d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e869c120988bc95c6a186f51112737ab

SHA1
85408495067b8816790fef5664dc7a5ca8a78a2e

SHA256
b0c510c715877c425de81995448336d110de89c7447b04724ecc2c8f2e9e12e2

SHA512
79b3916966d22fe858d8a147e9375f3ce8515d6a77071fef2056b2e9b1a922d70d34167bb730e40c7f7f0a6f712c54e6d89948f49dad4b320e6fc26e45edfc91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d466ff2cf613255c76221a976123d5a0

SHA1
8f7ff399244a33ae7bd5e46786d55a217fc6127d

SHA256
2c350a6bba4f790e2a343ce452900dd1022add0ff5a4513fc105fc0c16e364d6

SHA512
d2cdf3671f6fd3bd996811fa533c076904a8e40ee453ef6e72270d7a8732bcc93680f95485cc51b8c6c52b09bf9d0d0a07aa8a80dcbbd516ad1a4a5881b9196c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64db4081e6f0be2c8bc15d47ef593572

SHA1
14d46546ad8ca88399abf80584a8c4208eabd53c

SHA256
9e271fe06774f7cb5445ce20110862166bc7b4afe3e6da370132754f423086e0

SHA512
f87df7f1e07cca2ef8f370a332332cd7be489c3a11f96755236c0b6013337ae882ca3790899841d004552affd28cc3e9093c0bb23378c8f64360372fb395641e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4acfd3bb0337182c10cd8a27ba733b3

SHA1
1dbe768dd6720f6fdf5f967327a3eacbadd24ed0

SHA256
dd3f27509f81623fe9d760564ebca457e758e9da9f31d0878c840a0cdf5475e0

SHA512
0d5e50ee249a3731013a24aab503e877074185b1764431cb01bfe5e718f39ad742905eb7a54274d078f46479823c1a1aa86a037614c0dcf0d1d830536c59a86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d36046fd049b043b84f6f5d038685747

SHA1
fac64372334c8a92f95a8456899a58e0b3940dbe

SHA256
18654d3ca0ea66734b826bed7953593fc6d8de9b1f769adb3023bcd566029d36

SHA512
d9e7aee8d8fda466b99f6b01f9df510b58476ca5434ba9d98f9685ff22e6a327bdb41fc049e99560d5e5ab4da75de452078507046f4e6b1ba8a2e32ab145ca20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
165f0a17f18bc46ddbfcd7973d0614f9

SHA1
24de24ca27edb4bbedfb40a03a6a88f4f9cbd895

SHA256
31f92a641fb4c78582864b1f1724535a0afcd48c51a43517c478d4792f27032a

SHA512
f016dd2cc6d1629486fbd5ebf66673a624abcc33f4e7f5c2f47101cfc3d4a8e39339897fe0c24b71befba67f8dba95e3968be121a52b381a37a636b57c8426bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

Filesize
196B

MD5
1c29851b7ae6ce2b582150c55eec0e65

SHA1
623e2fb2b9c3d1f84b5d357454dcb30a7d63945c

SHA256
b7ae274c78ecfb03776d05b24bc72ce697c217d21b38cdc951fa93d3e0ee1a3a

SHA512
ae5c27e177cbcc97a629ad3820874ee124acab8d8ac0423c7ef2b2f26a11c041b6e61c8f60755cea4aa905db9ada92381bf67fb8c5d0536faaf2818f2743c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
196B

MD5
cdd184f3398302906a2e33fae8388c97

SHA1
3bd84b4f84705b53282d0b2f554710006982267a

SHA256
c0cacdc102429b16805a9d2269140530f40e704e7e1a5e5ec991572cdca1de03

SHA512
2e8d0ae6c4e8166760bf754c3f6ab8463038c7c0467dad2ee363c56823098432d047c7b8ea165b081e4d469d5fcb4465968a0a63ad7450e8306a9ddec57d530d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
196B

MD5
2f36f0a0123326f50b0ec6c5e52d5d02

SHA1
02e4a48cc920908e24b35fc82cf5f788a0a2128b

SHA256
89f4029f4f48245bc1a11c034dd82df729194d1875a6fde0e385c5a51ad5446a

SHA512
83a5d31fdf9af3c57ea9f367919114c4109764cd25d9a01786d9bc959528240dac6b2ad0c18d1d685b36984bc24f4da04311a21612927151adb561e900dec558

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat

Filesize
196B

MD5
8e6134c79098467eb2ae308d24e8ea55

SHA1
7214baf86427ff9062d7429ad69be03264d1673b

SHA256
bdd1cdb62d7e8cc0a15286aaf27afde95a36bebd2793d7c5d1485ce3e59d4fc1

SHA512
7157664754901881333e5c36df1403f2f2af921e114c75dbbf1c7f45423123e2b327bc94fbde60bb6512eb3efb7842f091d2e37f637846cf95cfeeb521ab150b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9713.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
196B

MD5
e9c3fbd956b7e972264aeafa357875d8

SHA1
9df3e99e327929d13ff69b73ffe8af3ccebcd165

SHA256
833617e24e5faa164b9c1b96dfde32ee6e9ea6c385ce152676473014058f0414

SHA512
c14776812dd581405ee09546806622463856c3a83e9c2342ce3b224301271172fe5cea8c2ed69215a4f7452fc42b5941b95c528d1fb2f4e693b51b2af404d6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
196B

MD5
ab87ac58d87c4efc3d8fd7e29c920959

SHA1
fbecd70b7cc842ae872a746ace19a6a7c3f81f14

SHA256
22b37c8b157ffbc37dae2999045db19b1ca4a0bfeffa5871bc55d7df45ae83ed

SHA512
41f9a8d857b6c94082eaa3748e63ec44430a271afc2a1b1450298eadee4ea7d45371d0ca64d0c1ad5f7274adf965d08ef9fad90771433be7cc57c4e3b72ea732

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9726.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
196B

MD5
d7dd89b9559a906ddd9402d9b919a3ef

SHA1
7325d4d13215ffa173a02628205d78f89a8c0d63

SHA256
b1bae6cc74be6e193764b722cd07c79cbbaf60a85186eef843afa60aacc5cb41

SHA512
c56fa27f61c264f20292429f5d6aea97edc157e8555db28033d624705564925e8ab900cfc00563ca2574eed91a93a012972d94d0a31722fce31981c8937e2b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
196B

MD5
0ed6c5c1ff0e82d034e76a00b1be7e8e

SHA1
9697f3828c856e1127195626b9f5d9cc26f2db3e

SHA256
a59f49ebda4bae65362f7d371db3467dca0eefa351bbb22ab5a9efaec7cfb9e8

SHA512
761283886edf8ff5156c988aa25f088985ab2c4d598619bf8773040a864f8b188d3028d9488d3a2fb57db7d0137deea1fb85fd76c86be4c7582f95874ec44637

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
196B

MD5
01cda0f94b9f7bfa7a88f0d3d73f8675

SHA1
38049bebab49df7568cbbb30c0e3d19fc9b4cbbf

SHA256
2e9c865794a9df60a78a41c96166556bd33e487f13991883ca55906b1a3681b7

SHA512
256b81e7ffcc4a0c9bdd0683f197bb578d1d6c41fb9d1071663eef6a9c97e0c4bfab939f41174e0d6e56b305c376918f15bb2dee0f15cd4563b149be0d2294a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7dcac42149ca64e07c4e9fd2db042967

SHA1
cb1a1698d5a48daff8fb57bb37c04d4db47c5b60

SHA256
9bbe7da2754b1d5bacf09ba99a981756b3ba40f578a020c3ff60ae2c61875e4c

SHA512
c1f76cd06c62431f4e453a6411487bd8ab7a72c7f874e16357d9a0c4fafe1f4f12d5a912f382a41926303f5737eab2ad8da9c896d4b7d8aba329d6274ff98d24

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/380-64-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/380-66-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/584-579-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1112-222-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1932-74-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/1952-282-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2236-519-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2588-698-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2616-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2616-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2616-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2616-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2616-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download