dcrat | e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe
Size

1.3MB
MD5

06e29f6ee4a90800cc64b72abd346e6f
SHA1

63affed12d8bb96d0ff27af275830c9be2c7abad
SHA256

e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90
SHA512

be7db9020e2f804d1364c36d14daf6cc66eb8162c12835d65793c74869e64e69f03959f9ac48914d9a037209698dda19809ed75abe6fe9d6812f08994ab7a7cf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2600	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016dd9-9.dat	dcrat
behavioral1/memory/2592-13-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/1772-144-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2344-380-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/1244-441-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/memory/2992-501-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/2904-562-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/960-622-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/1092-682-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
2452	powershell.exe
2684	powershell.exe
2784	powershell.exe
2552	powershell.exe
552	powershell.exe
2696	powershell.exe
2668	powershell.exe
2860	powershell.exe
2216	powershell.exe
932	powershell.exe
2584	powershell.exe
2980	powershell.exe
2608	powershell.exe
2240	powershell.exe
2776	powershell.exe
2900	powershell.exe
880	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2592	DllCommonsvc.exe
1772	explorer.exe
1220	explorer.exe
572	explorer.exe
1632	explorer.exe
2344	explorer.exe
1244	explorer.exe
2992	explorer.exe
2904	explorer.exe
960	explorer.exe
1092	explorer.exe
2768	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
21	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Common Files\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1604	schtasks.exe
1760	schtasks.exe
1692	schtasks.exe
844	schtasks.exe
2136	schtasks.exe
2232	schtasks.exe
1780	schtasks.exe
1588	schtasks.exe
2128	schtasks.exe
2276	schtasks.exe
464	schtasks.exe
1316	schtasks.exe
2308	schtasks.exe
2068	schtasks.exe
1312	schtasks.exe
1636	schtasks.exe
2140	schtasks.exe
2452	schtasks.exe
1764	schtasks.exe
1028	schtasks.exe
1016	schtasks.exe
2148	schtasks.exe
1804	schtasks.exe
764	schtasks.exe
1512	schtasks.exe
992	schtasks.exe
1596	schtasks.exe
2884	schtasks.exe
2304	schtasks.exe
2508	schtasks.exe
2920	schtasks.exe
748	schtasks.exe
2112	schtasks.exe
1236	schtasks.exe
2416	schtasks.exe
1020	schtasks.exe
828	schtasks.exe
1432	schtasks.exe
1532	schtasks.exe
1920	schtasks.exe
1132	schtasks.exe
548	schtasks.exe
1048	schtasks.exe
1244	schtasks.exe
2876	schtasks.exe
2152	schtasks.exe
1468	schtasks.exe
2408	schtasks.exe
2968	schtasks.exe
2196	schtasks.exe
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2592	DllCommonsvc.exe
2592	DllCommonsvc.exe
2592	DllCommonsvc.exe
2592	DllCommonsvc.exe
2592	DllCommonsvc.exe
2696	powershell.exe
2684	powershell.exe
2668	powershell.exe
2240	powershell.exe
932	powershell.exe
2584	powershell.exe
2216	powershell.exe
2784	powershell.exe
880	powershell.exe
2860	powershell.exe
2900	powershell.exe
2776	powershell.exe
2452	powershell.exe
2608	powershell.exe
2552	powershell.exe
2556	powershell.exe
2980	powershell.exe
552	powershell.exe
1772	explorer.exe
1220	explorer.exe
572	explorer.exe
1632	explorer.exe
2344	explorer.exe
1244	explorer.exe
2992	explorer.exe
2904	explorer.exe
960	explorer.exe
1092	explorer.exe
2768	explorer.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	DllCommonsvc.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1772	explorer.exe
Token: SeDebugPrivilege	1220	explorer.exe
Token: SeDebugPrivilege	572	explorer.exe
Token: SeDebugPrivilege	1632	explorer.exe
Token: SeDebugPrivilege	2344	explorer.exe
Token: SeDebugPrivilege	1244	explorer.exe
Token: SeDebugPrivilege	2992	explorer.exe
Token: SeDebugPrivilege	2904	explorer.exe
Token: SeDebugPrivilege	960	explorer.exe
Token: SeDebugPrivilege	1092	explorer.exe
Token: SeDebugPrivilege	2768	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2780	2216	JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe	30
PID 2216 wrote to memory of 2780	2216	JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe	30
PID 2216 wrote to memory of 2780	2216	JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe	30
PID 2216 wrote to memory of 2780	2216	JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe	30
PID 2780 wrote to memory of 2832	2780	WScript.exe	31
PID 2780 wrote to memory of 2832	2780	WScript.exe	31
PID 2780 wrote to memory of 2832	2780	WScript.exe	31
PID 2780 wrote to memory of 2832	2780	WScript.exe	31
PID 2832 wrote to memory of 2592	2832	cmd.exe	33
PID 2832 wrote to memory of 2592	2832	cmd.exe	33
PID 2832 wrote to memory of 2592	2832	cmd.exe	33
PID 2832 wrote to memory of 2592	2832	cmd.exe	33
PID 2592 wrote to memory of 2240	2592	DllCommonsvc.exe	86
PID 2592 wrote to memory of 2240	2592	DllCommonsvc.exe	86
PID 2592 wrote to memory of 2240	2592	DllCommonsvc.exe	86
PID 2592 wrote to memory of 2696	2592	DllCommonsvc.exe	87
PID 2592 wrote to memory of 2696	2592	DllCommonsvc.exe	87
PID 2592 wrote to memory of 2696	2592	DllCommonsvc.exe	87
PID 2592 wrote to memory of 2684	2592	DllCommonsvc.exe	88
PID 2592 wrote to memory of 2684	2592	DllCommonsvc.exe	88
PID 2592 wrote to memory of 2684	2592	DllCommonsvc.exe	88
PID 2592 wrote to memory of 2784	2592	DllCommonsvc.exe	89
PID 2592 wrote to memory of 2784	2592	DllCommonsvc.exe	89
PID 2592 wrote to memory of 2784	2592	DllCommonsvc.exe	89
PID 2592 wrote to memory of 2216	2592	DllCommonsvc.exe	92
PID 2592 wrote to memory of 2216	2592	DllCommonsvc.exe	92
PID 2592 wrote to memory of 2216	2592	DllCommonsvc.exe	92
PID 2592 wrote to memory of 2900	2592	DllCommonsvc.exe	94
PID 2592 wrote to memory of 2900	2592	DllCommonsvc.exe	94
PID 2592 wrote to memory of 2900	2592	DllCommonsvc.exe	94
PID 2592 wrote to memory of 2776	2592	DllCommonsvc.exe	95
PID 2592 wrote to memory of 2776	2592	DllCommonsvc.exe	95
PID 2592 wrote to memory of 2776	2592	DllCommonsvc.exe	95
PID 2592 wrote to memory of 2860	2592	DllCommonsvc.exe	98
PID 2592 wrote to memory of 2860	2592	DllCommonsvc.exe	98
PID 2592 wrote to memory of 2860	2592	DllCommonsvc.exe	98
PID 2592 wrote to memory of 2584	2592	DllCommonsvc.exe	99
PID 2592 wrote to memory of 2584	2592	DllCommonsvc.exe	99
PID 2592 wrote to memory of 2584	2592	DllCommonsvc.exe	99
PID 2592 wrote to memory of 2668	2592	DllCommonsvc.exe	100
PID 2592 wrote to memory of 2668	2592	DllCommonsvc.exe	100
PID 2592 wrote to memory of 2668	2592	DllCommonsvc.exe	100
PID 2592 wrote to memory of 2556	2592	DllCommonsvc.exe	101
PID 2592 wrote to memory of 2556	2592	DllCommonsvc.exe	101
PID 2592 wrote to memory of 2556	2592	DllCommonsvc.exe	101
PID 2592 wrote to memory of 2552	2592	DllCommonsvc.exe	102
PID 2592 wrote to memory of 2552	2592	DllCommonsvc.exe	102
PID 2592 wrote to memory of 2552	2592	DllCommonsvc.exe	102
PID 2592 wrote to memory of 2608	2592	DllCommonsvc.exe	104
PID 2592 wrote to memory of 2608	2592	DllCommonsvc.exe	104
PID 2592 wrote to memory of 2608	2592	DllCommonsvc.exe	104
PID 2592 wrote to memory of 2980	2592	DllCommonsvc.exe	105
PID 2592 wrote to memory of 2980	2592	DllCommonsvc.exe	105
PID 2592 wrote to memory of 2980	2592	DllCommonsvc.exe	105
PID 2592 wrote to memory of 932	2592	DllCommonsvc.exe	106
PID 2592 wrote to memory of 932	2592	DllCommonsvc.exe	106
PID 2592 wrote to memory of 932	2592	DllCommonsvc.exe	106
PID 2592 wrote to memory of 880	2592	DllCommonsvc.exe	107
PID 2592 wrote to memory of 880	2592	DllCommonsvc.exe	107
PID 2592 wrote to memory of 880	2592	DllCommonsvc.exe	107
PID 2592 wrote to memory of 552	2592	DllCommonsvc.exe	108
PID 2592 wrote to memory of 552	2592	DllCommonsvc.exe	108
PID 2592 wrote to memory of 552	2592	DllCommonsvc.exe	108
PID 2592 wrote to memory of 2452	2592	DllCommonsvc.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e618e7f1e9b7dc82ab772a08616da3957d0719e93dd030dc6162ebe8878c4f90.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDHHHMpGxk.bat"
        5⤵
        
        PID:2184
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1904
      - C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        7⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2248
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        9⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1692
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        11⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3040
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        13⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1772
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        15⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:872
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        17⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1588
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        19⤵
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1836
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        21⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1020
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        23⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2264
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
        25⤵
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1752
        
        C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d464acba789bfb6700cc022644a02097

SHA1
a81adb10c45c210710f034351168d7cb38d7d788

SHA256
110c195a217a5939e9699660e9ea966208659bdc8da39edba4407047cfd49b0a

SHA512
f0fd94f8b051237da7aefe2f3d459f588418bce7472dcbb96077d127e5b3b697c44dd45a50d09f60915abf0f1a1e355d5da317aa7f1edc795351d789ba28140e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8797eb12fc73ef36cb361d2ffc1d3c2d

SHA1
ea7193b7435fe6b48ea62365b65aaf67ee3f3037

SHA256
86a04b748971ec121d355e5826ba224eefedfbec9792cc9fcf033a3928b526d7

SHA512
e78b1a54be33ed13107aa4117e6a6fde30b30d342e859fe21761cb31e190be8e6e492c4576d94172ea9da29fc3eec736efec1fa499b88f7b7d166b9831ebaffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7829071e2fee6091f384426a9ac67c08

SHA1
673f5b006615344376fc22bc9ee43f6ab4b36f56

SHA256
e9b91f9831d6bb8985cfd9d35fc8b47cfe006582b626b125738493d432f5e567

SHA512
94c2d379fe1916b98fefed31b9b6a7ef1c2b1fe5c889722ff8f414ac7c234b8f7509cd4818ca023116f066f1657c85dcf11309c5a2f18779897269b9b998361f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8158ecd190d4dad1200e7706114f1089

SHA1
4c8a9acb20f5905e830c21125524d227d1281181

SHA256
83f4834a3e3946596009a84c07ec29110f4395536f4397e7ceca349be750e83f

SHA512
998719551ef2cc137646411513d02f3696d382d8c0f7fe5cc47714014ccae9f32e3f7e7acd2ed2d82668d9d0aece26ce04ad9afdc85f8453544d424b2510276a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51df2f06903bf784955e37e66d890055

SHA1
20077305d2af887585195ecc817693e1b78b0d72

SHA256
82a4de259050a0407092d527910d6784f9c58a1e39e41476f3cb234706da8062

SHA512
09146d87c5779183c48d5a35b78cf3b5ad00675410dd0a1e575c4ea5a7ac100d1463e890b1655951f426bdfbf1a216f2cc300fb6a2001dc17dbb45e25beea5e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91b55f51d2acb10d546c276f2e7f6dea

SHA1
f203469f907574a9453385e1bde9d7d0db42e5f0

SHA256
d7028c9506a7a215a25ad702e58a3f0cfc3a1121ac3541587814f1a08a03e282

SHA512
c37c674d027be917aa3f37da5051e98f2510b8ca21d21d3fca717f6c740775b5deb2a002400194519f98497f0747e2a82ab1886b328c696f5f007bd3bc3762be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7a0f99fcc3e2fe5080511968a365077

SHA1
0ceda8d2b2551f8afef1b678b8a9f5c1083f50cc

SHA256
7249884ef6a4108e491b0f251f45efc49174ed17fd5d46f00499187372265bae

SHA512
f6d05c5c6c4065433d3db71457201ee30cac596985869fec20f6fa9fcd03b7eb6c0162ed58a3634c89aadbff2e06e43abae92ec42e12bfb944c6cf251518c207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bad089f8675e32919a01e0c05842826

SHA1
a5b9cacaf0501d6f92748d7decba0ed587362b45

SHA256
0ff09ee0902cb3654ef95976b17116b0248d2e4a238cde71418f5732897ae1ad

SHA512
330278aa92bab2ddb84162d283cad1324480bbb5aaefac18348554eb5d6a37e4a81c05f74ea9293ebc5fb2a1f6decc300863c4d8421a16588c0946164e4ed17b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ba2472c8f9ab05a312c061b0e83ca6e

SHA1
5ec75b8aacf3d08e7caee7e57824487514968abc

SHA256
c9c0fd91953b22f0237b71f387ab89ef58488e7f5cfe8f45a5f154c05af93bba

SHA512
9e29f308a7f57f96cc6bae8dfb177d9aa154a849338d339fb1a164d3be79f735ccdc16ced85824e63f7e390babc8f04fdfce949ec46cdc664bd86993bf83154b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
223B

MD5
be809a08cbe3decc5d35262a5c350a82

SHA1
667740cc2a327a86feb128b78c122e0e4954cafd

SHA256
5b5199723e5454d3f932831c27852482229cfeac8a571fce874a5b92f7be7eed

SHA512
a49217ec8e05cb926aac3d066d91777b813c5a30cfb234ae0468d2338c2852c7e815f2ab2326233e213681f0104650af6291470ce433d2fc65b7b80b4d6e3c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
223B

MD5
917f6cc9ec4a62b14099ea7bc5d59063

SHA1
69cb238b1734ef783b00e6734e8693df49205da4

SHA256
60831e69262eff3da4e4994cc04baeecc0e3a854c129a9df19261cbe9e606cfa

SHA512
a904f869e012ca02426f297d6804adb4bf67f0ce3404c9b26bebdb7217cc8fc8da114b9ce3179023253e125f6e04763900ace9c7c980c92a33d53b39789c510b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
223B

MD5
536ec7568a424f228ea0746a4ca72765

SHA1
de40ffe381f7ad76e33f3fffcb36f4673722560f

SHA256
16eb7a142782b00d744391ebdcc7f5817686225d314ef950e86946b207669aa6

SHA512
25eff939d4c76039c8fb472a2781043ba1e05958bed9b0264a9452a995f2451c319a9189d2663db3273583f1718b011216c959a09f83684062a52827b73a0cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
223B

MD5
10fc122f9f887c225bf52201d1e87355

SHA1
7b3637ddf95dd5c16c662b3506f54d8768e8170a

SHA256
9148c0902946906cdc57785871238d1735cac9df5cfa71303103fd146b265e3c

SHA512
e153f599bc7397b7474aa95e6f0950b97be76d056e65074b279516ac32e2c8e2be78c8053e9469fa70afb054c7e3dd5b66fb0c3a995e8c3b0ae4a6085fc27720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDDA4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat

Filesize
223B

MD5
b60627245d87b48cf05dab8daa0bd442

SHA1
832f1635489e2647ac8cdeeb3f3092a45a3d7174

SHA256
827d360618d222c3a0362d8c0ff4537ea629d2c8bf0a8781bdc0273cc7ce1624

SHA512
16db031586a3adcec55bc0a22846f601981f6858801cf02436cefa08bda5e63b889aa71c066fc25962b38bc3338b5ac2fc200c64a43366bcf78163a8927d7e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
223B

MD5
ec74e2400c783779cec371d12086c4b9

SHA1
399228dc9f02f9fbef80d3406904e31ecec8b81f

SHA256
a2a4ba0c5ac2e502007a9dabe854c82dc49c391be5a2803e9ba8ce90ba6e361e

SHA512
f139218632157f70a1992bbc83609c9eb8f121a54b1e743aa1a6c13fbf5a355fc5f9e3a33c5469dbc7bd3cdc755e1739ae222fda02ff3dcae00a13e353cc42a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDHHHMpGxk.bat

Filesize
223B

MD5
afdb0ebc504d333a292ab56e89d71164

SHA1
b57879c25ce9a795b92eeeaba787f276edd39d7b

SHA256
8284201c8ecf712d7740f02bd5295db377fd2fce23cf809f802207ec053f3893

SHA512
9cecacdffc2c7ee34cf74c30c138d4d004794f75b31805b39525fe0291a440b4cc82ffb6d4d69b266d84f569a1342bf9a768e6763706cb51357b2a8b4f83dd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
223B

MD5
58a509a471df26cab19c89866c023de1

SHA1
a923cdf812662a42aa7050b5fb5c8397ecdf8f46

SHA256
67b63d8e7b2683af8f413cd195f48d8b3126d22ae1628258f21afbe6bf0be471

SHA512
2f645a14728ee1afef4286e47a9378f102c666f77c9bef60afb61087144e419f08989bbb876567d3932dff8df329dbd25c3558d743181036efefc4ee87995f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
223B

MD5
805bca01696fa9ee460866e413d8810e

SHA1
f11877e459e0d27512524b70bcaaf4fe56894e14

SHA256
6f186bd7f5724567ed7d8f350997c88a7c1e020e8b21765c5925047700b42b27

SHA512
a52fd6b7b76bdbef1a23f1648214aa814bbd0ffbf399f8771754bd805b8d0e66595e74995e43100d1081b3d34946759718b61cd51c6c76cf6dddb5d9fe1aafb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDDA7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
223B

MD5
0bd030c1b34dc83dfbe37a1d4e635162

SHA1
aa2a0a9996709ed58dc760f6136ceb61f5a17d4c

SHA256
9f27cd5a9216b544c848bd27e8195edb69bce1d799a39ba0ce606386237a075f

SHA512
e723a37423a6f04bc26b238ca232e486a32b54003cf2df1ab1e17b262a0450a10401c437ec0d6b9f7799dc161dfc12ba52730df84d256c3ebd9d99f2f333a5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
223B

MD5
fce249fccea56b3f7920803d52d88fc3

SHA1
75627d28060aa8ee6e48d6558f2d008a625e605d

SHA256
bc73e62f602979e1a3bb37f6773001c3e144de16c145a53b5e03e5251b130bf2

SHA512
76ac400cb4bb58e73f85afd9206021d3f3697c4295666fc45ce33cd86ee3104a83717f1fce551821e7ae6f11d47d1b1830941248061144afa129c7d97641f84f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9fd8413e8628330f061b9160823d13ef

SHA1
2098a2c7b369a761eb3f3e47d7fadb9933f43db0

SHA256
b983777cf9359357a1d9ced7abab1ff0e4fbc99a26d8b20bb9a8be7fdcc51753

SHA512
c460d308ca3a1fc7be7a84966c76893299a80cf3f349d6b1fbb6f47c21623ae6301289a082d80273d9793c574860358ddf7682ba754c0e5606e8e968e410c7de

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/960-622-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/1092-682-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/1244-441-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/1772-144-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2344-381-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2344-380-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2592-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2592-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2592-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2592-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2592-13-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2684-69-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2696-73-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2904-562-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2992-502-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2992-501-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download