dcrat | ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe
Size

1.3MB
MD5

30c2d5caa661a1886d92d9a3476265f1
SHA1

01b054894e419aa80b839dd1d875ed68125df806
SHA256

ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285
SHA512

6897660f8b49522c6fe2d7a13460dbdc962cb221acd100fefedf6a05586eff75da633bfa5f9f5bb8d65b44ca982985e46db1e3b89a389841c2c081d2894898eb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2616	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2616	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ca0-9.dat	dcrat
behavioral1/memory/2700-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/2340-136-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1980-196-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2788-315-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2776-376-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2532-555-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1468-615-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/1628-675-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2184-735-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
2996	powershell.exe
1048	powershell.exe
1696	powershell.exe
3008	powershell.exe
1476	powershell.exe
2064	powershell.exe
1772	powershell.exe
876	powershell.exe
1556	powershell.exe
1156	powershell.exe
1636	powershell.exe
2164	powershell.exe
992	powershell.exe
1752	powershell.exe
1588	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2700	DllCommonsvc.exe
2340	sppsvc.exe
1980	sppsvc.exe
2692	sppsvc.exe
2788	sppsvc.exe
2776	sppsvc.exe
2428	sppsvc.exe
2124	sppsvc.exe
2532	sppsvc.exe
1468	sppsvc.exe
1628	sppsvc.exe
2184	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Boot\EFI\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\SchCache\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
2052	schtasks.exe
1516	schtasks.exe
2896	schtasks.exe
1792	schtasks.exe
2276	schtasks.exe
1184	schtasks.exe
2680	schtasks.exe
1364	schtasks.exe
1288	schtasks.exe
716	schtasks.exe
1624	schtasks.exe
352	schtasks.exe
1848	schtasks.exe
1348	schtasks.exe
280	schtasks.exe
2104	schtasks.exe
2036	schtasks.exe
1040	schtasks.exe
2376	schtasks.exe
2428	schtasks.exe
1688	schtasks.exe
680	schtasks.exe
2260	schtasks.exe
2216	schtasks.exe
2056	schtasks.exe
2268	schtasks.exe
2264	schtasks.exe
2304	schtasks.exe
2644	schtasks.exe
2572	schtasks.exe
1344	schtasks.exe
2004	schtasks.exe
2444	schtasks.exe
1104	schtasks.exe
2548	schtasks.exe
808	schtasks.exe
2976	schtasks.exe
2532	schtasks.exe
2336	schtasks.exe
1980	schtasks.exe
664	schtasks.exe
1928	schtasks.exe
1680	schtasks.exe
1920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
2700	DllCommonsvc.exe
1636	powershell.exe
992	powershell.exe
2164	powershell.exe
1556	powershell.exe
1156	powershell.exe
1476	powershell.exe
2992	powershell.exe
1752	powershell.exe
876	powershell.exe
2064	powershell.exe
1696	powershell.exe
3008	powershell.exe
1588	powershell.exe
1772	powershell.exe
2996	powershell.exe
1048	powershell.exe
2340	sppsvc.exe
1980	sppsvc.exe
2692	sppsvc.exe
2788	sppsvc.exe
2776	sppsvc.exe
2428	sppsvc.exe
2124	sppsvc.exe
2532	sppsvc.exe
1468	sppsvc.exe
1628	sppsvc.exe
2184	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	DllCommonsvc.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2340	sppsvc.exe
Token: SeDebugPrivilege	1980	sppsvc.exe
Token: SeDebugPrivilege	2692	sppsvc.exe
Token: SeDebugPrivilege	2788	sppsvc.exe
Token: SeDebugPrivilege	2776	sppsvc.exe
Token: SeDebugPrivilege	2428	sppsvc.exe
Token: SeDebugPrivilege	2124	sppsvc.exe
Token: SeDebugPrivilege	2532	sppsvc.exe
Token: SeDebugPrivilege	1468	sppsvc.exe
Token: SeDebugPrivilege	1628	sppsvc.exe
Token: SeDebugPrivilege	2184	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2800	2220	JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe	31
PID 2220 wrote to memory of 2800	2220	JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe	31
PID 2220 wrote to memory of 2800	2220	JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe	31
PID 2220 wrote to memory of 2800	2220	JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe	31
PID 2800 wrote to memory of 2776	2800	WScript.exe	32
PID 2800 wrote to memory of 2776	2800	WScript.exe	32
PID 2800 wrote to memory of 2776	2800	WScript.exe	32
PID 2800 wrote to memory of 2776	2800	WScript.exe	32
PID 2776 wrote to memory of 2700	2776	cmd.exe	34
PID 2776 wrote to memory of 2700	2776	cmd.exe	34
PID 2776 wrote to memory of 2700	2776	cmd.exe	34
PID 2776 wrote to memory of 2700	2776	cmd.exe	34
PID 2700 wrote to memory of 2164	2700	DllCommonsvc.exe	81
PID 2700 wrote to memory of 2164	2700	DllCommonsvc.exe	81
PID 2700 wrote to memory of 2164	2700	DllCommonsvc.exe	81
PID 2700 wrote to memory of 2992	2700	DllCommonsvc.exe	82
PID 2700 wrote to memory of 2992	2700	DllCommonsvc.exe	82
PID 2700 wrote to memory of 2992	2700	DllCommonsvc.exe	82
PID 2700 wrote to memory of 1476	2700	DllCommonsvc.exe	83
PID 2700 wrote to memory of 1476	2700	DllCommonsvc.exe	83
PID 2700 wrote to memory of 1476	2700	DllCommonsvc.exe	83
PID 2700 wrote to memory of 992	2700	DllCommonsvc.exe	85
PID 2700 wrote to memory of 992	2700	DllCommonsvc.exe	85
PID 2700 wrote to memory of 992	2700	DllCommonsvc.exe	85
PID 2700 wrote to memory of 1636	2700	DllCommonsvc.exe	86
PID 2700 wrote to memory of 1636	2700	DllCommonsvc.exe	86
PID 2700 wrote to memory of 1636	2700	DllCommonsvc.exe	86
PID 2700 wrote to memory of 876	2700	DllCommonsvc.exe	88
PID 2700 wrote to memory of 876	2700	DllCommonsvc.exe	88
PID 2700 wrote to memory of 876	2700	DllCommonsvc.exe	88
PID 2700 wrote to memory of 1772	2700	DllCommonsvc.exe	90
PID 2700 wrote to memory of 1772	2700	DllCommonsvc.exe	90
PID 2700 wrote to memory of 1772	2700	DllCommonsvc.exe	90
PID 2700 wrote to memory of 1156	2700	DllCommonsvc.exe	91
PID 2700 wrote to memory of 1156	2700	DllCommonsvc.exe	91
PID 2700 wrote to memory of 1156	2700	DllCommonsvc.exe	91
PID 2700 wrote to memory of 2064	2700	DllCommonsvc.exe	92
PID 2700 wrote to memory of 2064	2700	DllCommonsvc.exe	92
PID 2700 wrote to memory of 2064	2700	DllCommonsvc.exe	92
PID 2700 wrote to memory of 3008	2700	DllCommonsvc.exe	93
PID 2700 wrote to memory of 3008	2700	DllCommonsvc.exe	93
PID 2700 wrote to memory of 3008	2700	DllCommonsvc.exe	93
PID 2700 wrote to memory of 1696	2700	DllCommonsvc.exe	94
PID 2700 wrote to memory of 1696	2700	DllCommonsvc.exe	94
PID 2700 wrote to memory of 1696	2700	DllCommonsvc.exe	94
PID 2700 wrote to memory of 1048	2700	DllCommonsvc.exe	95
PID 2700 wrote to memory of 1048	2700	DllCommonsvc.exe	95
PID 2700 wrote to memory of 1048	2700	DllCommonsvc.exe	95
PID 2700 wrote to memory of 2996	2700	DllCommonsvc.exe	96
PID 2700 wrote to memory of 2996	2700	DllCommonsvc.exe	96
PID 2700 wrote to memory of 2996	2700	DllCommonsvc.exe	96
PID 2700 wrote to memory of 1556	2700	DllCommonsvc.exe	97
PID 2700 wrote to memory of 1556	2700	DllCommonsvc.exe	97
PID 2700 wrote to memory of 1556	2700	DllCommonsvc.exe	97
PID 2700 wrote to memory of 1588	2700	DllCommonsvc.exe	98
PID 2700 wrote to memory of 1588	2700	DllCommonsvc.exe	98
PID 2700 wrote to memory of 1588	2700	DllCommonsvc.exe	98
PID 2700 wrote to memory of 1752	2700	DllCommonsvc.exe	99
PID 2700 wrote to memory of 1752	2700	DllCommonsvc.exe	99
PID 2700 wrote to memory of 1752	2700	DllCommonsvc.exe	99
PID 2700 wrote to memory of 1176	2700	DllCommonsvc.exe	112
PID 2700 wrote to memory of 1176	2700	DllCommonsvc.exe	112
PID 2700 wrote to memory of 1176	2700	DllCommonsvc.exe	112
PID 1176 wrote to memory of 292	1176	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ffb00277ed283d8d0004ad8c42b001570dfb7456c1cb604e025ce8a988741285.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4jUwetVEPL.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:292
      - C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        7⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1556
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
        9⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1452
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
        11⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2772
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        13⤵
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2676
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
        15⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1340
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        17⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2036
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        19⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1524
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        21⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:840
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
        23⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1756
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        25⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2172
        
        C:\Users\All Users\Favorites\sppsvc.exe
        
        "C:\Users\All Users\Favorites\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        27⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69d9d67659b8bbda7647e03f6a5997e4

SHA1
64851dcddc9fad7ae0873ecfceb49aa5491e0d62

SHA256
f5b26f10a2f85e5ae0c76a081fee35454bec092559ba8a239a5b1d1b9062b222

SHA512
7357e17d89eaae23fae2966c561d89a33de7f74e043c7793578b606d67abe21f3ad050f73acd9070eefbff8d1350673ee52bc02504eb37c418b11aef13a4ff48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
869921682aba1756ae512c8c36f548f8

SHA1
d5ee22bab737e7566e166e4a19cab46cf670caf1

SHA256
44e05fd6e2c0704e83e06a30fed6ab8fc42c682b9fc44a7f1a16472a6b0d64c0

SHA512
4c1d16fbffc09359508e5c327509449b8a135a34d043cc8ee8b277cabe21e7a8b70c902aedd7592af9514a4e8592e022d7c2d8570926c3a99b62418e01fb1a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd3e6f1039f67831311df4248aef5373

SHA1
70b53242ed14b1d362da0789b7f9cf83249b1e53

SHA256
41b2c8b6149bf08ee93bb67767a0692baf4434be9ac94c690818ee8a4878124a

SHA512
8d0a2d4b0c949a8ec4bb1cc97fb5eced721986c19574d94a25b929d675a4c610f14898965fee8c522e544526e7bb051befec63ddb5201e54eebf281bbfc3b189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a4e60e6234b2389c8d6137b12ad61d7

SHA1
60de8ed20ba79e0a1ec5eabdad33a6ca624ddc49

SHA256
b33e4e610e036606b79189ef87f7e2603915316bc61985ddc1848eec87bcd5ba

SHA512
1d0001dee410695f07b39d4b03b512e02fa5d3e381410a1022c5b6cbe854bef721a33de007d437ebda116ebd25fddaf33b29418f6165326c3d6e3cfa9724e64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7e0f3c9650085f0927fd8e8fc2a3c1e

SHA1
8d45d9e5e17a5ab9fe9a77d5746eb3b32887602d

SHA256
20d8d006a4d432ff00fabdfd4014e47be550888eec931fd14e9d7dec244889cf

SHA512
24e6d7a54586afe667763ef805da0195f8ea5fd72f92161904686b91eff6675951c9845c3b0a58b39018cdb8ca9b1d4389364d00c4c1fe71bf5e162d6a7dcdbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf7eb4994cc50992ba654f696bf316d4

SHA1
07ed49c4715eda34bd61b5cb7be7fba9b21d386a

SHA256
77ee9c6e1bdcecabd424bba12a56580e54c2cddae2599c2266417c1963961352

SHA512
b4c59ddf771474ce4d5b5b2f453b0edf474fb6d7d950612e7808df867b5e33f648901bbfb1f8e49c419951f24cff145386f06d42f82856d7bff674a90a197372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9ed8f309feb6416e071d48f80240e55

SHA1
deabf7540ac4b403fdc55f9812e85687f5df2980

SHA256
05a1f39301d75cd8f3850fea7d6a8626cb45e7376c47fc243af9ed65de3b9ecf

SHA512
c647c063124d9db8108d81dc87f62cc307a1ad7529b16b4cf65ace209af5a3c1e8a6b6663db9c939e1104ed9865d52368d381caad5c9f2c6ca3a52a456b07ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3712d226613c698dc0d4a24c456f3a82

SHA1
30ac62997bca118f7a7aa043bb553795647c4c5c

SHA256
65a227b02c58ffe9f3bb3ff877b2e04b7dfd576859bebeb1e9a275a4fbdd1eef

SHA512
75c10f7dccdb32149b721fc18f7011ba3dfdc502e2b64b82ce448976643e73775f76d588d92e1698e45ede73940c36aef68cfc8e7cd223a6d61f8f1100a15e22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d91bd560f89e12a0b8e1ac93ad1e6b2f

SHA1
27dadcfcc7ca2e85926577abe1a2d962c2a5eb5d

SHA256
64e97a0094d51308e6f51ad7ad2c40002fbf2bd430d0ae1a5455f9db4ffe0238

SHA512
aafa02d05e301f8a415f9b6c3fa26dd3e415df55a34b8d23295e1dece78cdc77f7f8119a7802e0bdbcb2f0a5700e13b92f575caf262b3b4ba08a43c17c6c9d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5762cf8554cc64a6a0286bfec99c67f6

SHA1
56b361d12a3408f7e8681fbdc8bbea3a8c0ab2e9

SHA256
bb222958532d7118af3897f19a204b5b8467537fcdc672b60d09fa0263084453

SHA512
58a0bff9b6cfed302353225f95e6cc47ebc82def6ce3ef1193b6f04fee82c225034bb6024a258b5017a66afbd059a10345c41fb8ba6e03b5c6913ee695078045

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

Filesize
204B

MD5
6ffeec33c3f45125cf0f8ce72a3d3b61

SHA1
ac39c28c14b7647fbca812115a58db7ed2a65db8

SHA256
3331f4e650bf18efdcb29180e4d47b332390583cdb47f6d93a2d330688e923ce

SHA512
4f7ff2380a17aa8b857b277e099b31879bcb73702b7e2ff268af983562833b5b5f8647e8dfe6d341e47c3e99f25a08fd62a5d25787dec6115d9ea0d0d5bd8f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\4jUwetVEPL.bat

Filesize
204B

MD5
61a9c178aea80cd851e32fb3440fecce

SHA1
bec4e2a4847d26087b9a9a4d5765508c21c7ce7b

SHA256
5498de6192e13b768038c644860b585785cd25c5faefaeea2bddb3030d75279f

SHA512
5e70aa3d6903aa46eda14c88f92a8c78eb21d376f2d0b1468bfa7b31690086722226cd758f43e5aead8bddcc105490594939ec708b594ffdf2341ce3666acb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
204B

MD5
c39ed4d694cf14383cf32351d24afa62

SHA1
8abaa9ae77e6b207c951faea299617b965691593

SHA256
52ea4e64005c9f2f18a70ad420fdf3015f3c33de2640785bcb301379cbc89fa4

SHA512
823fe3908f0b413143ca3a87dfc0102d03b2ca2e7ea564db4b511e31d84c08b8d78631dbe7ca8a3638a187b1761fe5f23d3550a0ce27ad964b7a9cb6bb9b4549

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
204B

MD5
570dcc094a3a451456ee24620264072b

SHA1
17de36a016e76b3c5859d91b8b66f54b17c6211f

SHA256
b3cc538e089fa7c5ec05fbd9e2736a320e7c7a49a99c00d24cedba13c2839512

SHA512
a70777c35f7b702ab9a298f9f436c91130063d70530f63b43df73493aec9e599aaa65c0957af94d76bfc82df61f72a0109c59a741e78860a8e5e9a737fd15c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

Filesize
204B

MD5
67a20490033467ff8ab572c5e9f31680

SHA1
c8ab669607c01411dc2e500efe4a11c097eb17b9

SHA256
e94300ce4165bc72b32e08b9ef82b57940d0afd67a26d60d6b234b1550d794ef

SHA512
6d001ef41ce3307cc178a174253c0a46469ddd5bbe9acb216b1f2ba00289f10fddff0a67834b8d1a04edf92e097eeede87b4ea295c2dd19a3768ed3df0f66c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6AC6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
204B

MD5
2e2791260faa0c33658f48fded8748b3

SHA1
d195c43a52331766bc147f39ea53fc610b241978

SHA256
526b660f960ae0de88cf717175165b6235b28447ae557fa7bf8552804bebfa61

SHA512
0d7185207462f790c3257d660fb06a4a2976eacc7521bf0253b64e3df93683f4a3adc0977874b7cb0c84da85375e50e09befd6fe31c9ae2e5f9ad17ba4d8fc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6AD9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
204B

MD5
6340bb9039309bf0c38ed7ebc3ad3619

SHA1
50298a40e4509d3e4e03a50de0923c82d57b4545

SHA256
89e253cfb891e092ab33f0127de33c1925436a35239cd0bf333a9db8980e89ab

SHA512
013ba114e7d9a29e6f65011d334fe3d2f99552b417360aee16da446cc3c35f3168dc0b6133f8c87853631ab71c49a1c0b316b08ae6987eba304506a8a89779b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
204B

MD5
4591448253901c32885b360911e784ac

SHA1
ff1b04c521d44264b90231d0a0f2f21f6ef516e4

SHA256
d7f6df81fde895c755a508b17f46f2f9ac211fc672eafac093d9ad19f9c1833e

SHA512
b690ffc885203b88417beab58bc379d655b6250aa914f793e687a50ad71eaf37f8e40d2922bcc2db7ba934355efe72e9833721686833e68f27442a1b49fffc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
204B

MD5
04c361bf1e48b1854a34888bd47775e9

SHA1
7d5e99b4e9ca29c3f8fec81eb558b904c9ea3a90

SHA256
b793955ba155710a528193d428235379fa3e1dc85afd7aa2951e1a2afdf43464

SHA512
9b4a3621a0087e7a0dfa4204db1a0265fa83a1e3ba83f55bfb02c5638583c60b30fac38737f4711d379ada891cec854c254f3a81b92e5b1d489bc881408649aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

Filesize
204B

MD5
146fe3d57b0267473760ed97ccee1f70

SHA1
3e8adf493e79ec9fa968375e429f287f3e1b5c2b

SHA256
4ae6f828e3a9656696906ca647cc9b10b43ffd88ea5a991b9d67b7db242e54f7

SHA512
03b59aab6a77733120d711a15ddc76289ee641ffcf1203ac70801fb127715b5c47ab7af0f32c8d489db10025c03ea70752fbff0a4cb655bd7e703d81f34f909a

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat

Filesize
204B

MD5
eed030a90632d5df0c9436a7fc5cba1f

SHA1
e84e6d2a73378db11d2d17fd99e822dc49f0227c

SHA256
48ebdd7d1e6f713b5cd977cd9bd4c7e40669668f53270ac22a5a7bedde6dc461

SHA512
da31f30bfb8dc38f47f569da45d6b802081caa19698fb8121db65266373f85c6e1979e54c80646fe52250a8caa786ea015c18fbad193d8efc4c0277efb84ffbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
204B

MD5
c80e1dfa10acbfd1457cad6fea507f89

SHA1
4be840d3305007a79f8019b181fc61639afdb00f

SHA256
119ae699e5b353fc773d6553c69190507c2094791837000b04f9654158af07a4

SHA512
816e97d0991542b475535118188d31ebde8f66596b31dc095fedc91741b88af1e5e0eeac2ddf928c17476eb87438aeba973415d81fad5193422b9b5d4f797cb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
59d52feed169a4202947ddae188f9e28

SHA1
e4612a670e31eb05d66b7063994def48ef4546f8

SHA256
8f56a7a08dcebd6f987d24b16bfb57eb8eb0efd4a3b42c4bf23f061cd736e530

SHA512
ccd9a2a9b9bdd7a518cd59e844eb1e48e6d20f1a606f02ecd94bddcad3bb918563d1a128f61707f78d0f8ea74b5fccd7a03e95b75daeee8cfb694a7d75d8d9bd

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1468-615-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1628-675-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/1636-66-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1636-67-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1980-196-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2124-495-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2184-736-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2184-735-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2340-136-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2340-137-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2532-555-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2700-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2700-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2700-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2700-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2700-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/2776-376-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2788-316-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2788-315-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download