dcrat | ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe
Size

1.3MB
MD5

0d65626f878daca380d99360ca9430ef
SHA1

1657b03645666c04001c5439c94bf6a09b9d4a34
SHA256

ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced
SHA512

75e86108e2e4f135092fb51dd7051e755684762ba39a7d8f51b7d0f3db69ad6c7d196e23e55efba2a975bffe9a9f5cc827c16fd421be55986e669459ee1f517a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2844	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c4a-9.dat	dcrat
behavioral1/memory/2812-13-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2676-60-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/764-336-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1496-397-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/2112-457-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/896-517-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2212-577-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2096-637-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/1656-697-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2948-757-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2728	powershell.exe
2776	powershell.exe
1508	powershell.exe
2276	powershell.exe
2532	powershell.exe
320	powershell.exe
2824	powershell.exe
2832	powershell.exe
2608	powershell.exe
2732	powershell.exe
2840	powershell.exe
2660	powershell.exe
2624	powershell.exe
1776	powershell.exe
2324	powershell.exe
2536	powershell.exe
2716	powershell.exe
2156	powershell.exe
2052	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2812	DllCommonsvc.exe
2676	lsass.exe
2456	lsass.exe
2776	lsass.exe
764	lsass.exe
1496	lsass.exe
2112	lsass.exe
896	lsass.exe
2212	lsass.exe
2096	lsass.exe
1656	lsass.exe
2948	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	cmd.exe
2136	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Resources\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1520	schtasks.exe
1008	schtasks.exe
924	schtasks.exe
1672	schtasks.exe
1552	schtasks.exe
1100	schtasks.exe
1744	schtasks.exe
1476	schtasks.exe
2520	schtasks.exe
2680	schtasks.exe
1788	schtasks.exe
2500	schtasks.exe
988	schtasks.exe
1960	schtasks.exe
2876	schtasks.exe
2372	schtasks.exe
2468	schtasks.exe
112	schtasks.exe
2784	schtasks.exe
1936	schtasks.exe
2176	schtasks.exe
1396	schtasks.exe
2712	schtasks.exe
2412	schtasks.exe
1316	schtasks.exe
944	schtasks.exe
2428	schtasks.exe
324	schtasks.exe
2080	schtasks.exe
2076	schtasks.exe
2916	schtasks.exe
2056	schtasks.exe
1868	schtasks.exe
1176	schtasks.exe
3008	schtasks.exe
1404	schtasks.exe
2872	schtasks.exe
476	schtasks.exe
2676	schtasks.exe
1904	schtasks.exe
604	schtasks.exe
1224	schtasks.exe
1244	schtasks.exe
2896	schtasks.exe
1348	schtasks.exe
2388	schtasks.exe
1864	schtasks.exe
2040	schtasks.exe
3016	schtasks.exe
2432	schtasks.exe
2144	schtasks.exe
788	schtasks.exe
1640	schtasks.exe
2396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2732	powershell.exe
320	powershell.exe
2776	powershell.exe
2676	lsass.exe
2156	powershell.exe
2276	powershell.exe
2624	powershell.exe
2840	powershell.exe
2728	powershell.exe
2532	powershell.exe
2660	powershell.exe
2608	powershell.exe
2052	powershell.exe
2832	powershell.exe
2824	powershell.exe
2324	powershell.exe
2536	powershell.exe
1776	powershell.exe
1508	powershell.exe
2716	powershell.exe
2456	lsass.exe
2776	lsass.exe
764	lsass.exe
1496	lsass.exe
2112	lsass.exe
896	lsass.exe
2212	lsass.exe
2096	lsass.exe
1656	lsass.exe
2948	lsass.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	DllCommonsvc.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2676	lsass.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2456	lsass.exe
Token: SeDebugPrivilege	2776	lsass.exe
Token: SeDebugPrivilege	764	lsass.exe
Token: SeDebugPrivilege	1496	lsass.exe
Token: SeDebugPrivilege	2112	lsass.exe
Token: SeDebugPrivilege	896	lsass.exe
Token: SeDebugPrivilege	2212	lsass.exe
Token: SeDebugPrivilege	2096	lsass.exe
Token: SeDebugPrivilege	1656	lsass.exe
Token: SeDebugPrivilege	2948	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2068	1696	JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe	30
PID 1696 wrote to memory of 2068	1696	JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe	30
PID 1696 wrote to memory of 2068	1696	JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe	30
PID 1696 wrote to memory of 2068	1696	JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe	30
PID 2068 wrote to memory of 2136	2068	WScript.exe	31
PID 2068 wrote to memory of 2136	2068	WScript.exe	31
PID 2068 wrote to memory of 2136	2068	WScript.exe	31
PID 2068 wrote to memory of 2136	2068	WScript.exe	31
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2812 wrote to memory of 2276	2812	DllCommonsvc.exe	89
PID 2812 wrote to memory of 2276	2812	DllCommonsvc.exe	89
PID 2812 wrote to memory of 2276	2812	DllCommonsvc.exe	89
PID 2812 wrote to memory of 2324	2812	DllCommonsvc.exe	90
PID 2812 wrote to memory of 2324	2812	DllCommonsvc.exe	90
PID 2812 wrote to memory of 2324	2812	DllCommonsvc.exe	90
PID 2812 wrote to memory of 2536	2812	DllCommonsvc.exe	91
PID 2812 wrote to memory of 2536	2812	DllCommonsvc.exe	91
PID 2812 wrote to memory of 2536	2812	DllCommonsvc.exe	91
PID 2812 wrote to memory of 2532	2812	DllCommonsvc.exe	92
PID 2812 wrote to memory of 2532	2812	DllCommonsvc.exe	92
PID 2812 wrote to memory of 2532	2812	DllCommonsvc.exe	92
PID 2812 wrote to memory of 320	2812	DllCommonsvc.exe	93
PID 2812 wrote to memory of 320	2812	DllCommonsvc.exe	93
PID 2812 wrote to memory of 320	2812	DllCommonsvc.exe	93
PID 2812 wrote to memory of 2716	2812	DllCommonsvc.exe	94
PID 2812 wrote to memory of 2716	2812	DllCommonsvc.exe	94
PID 2812 wrote to memory of 2716	2812	DllCommonsvc.exe	94
PID 2812 wrote to memory of 2824	2812	DllCommonsvc.exe	95
PID 2812 wrote to memory of 2824	2812	DllCommonsvc.exe	95
PID 2812 wrote to memory of 2824	2812	DllCommonsvc.exe	95
PID 2812 wrote to memory of 2832	2812	DllCommonsvc.exe	96
PID 2812 wrote to memory of 2832	2812	DllCommonsvc.exe	96
PID 2812 wrote to memory of 2832	2812	DllCommonsvc.exe	96
PID 2812 wrote to memory of 2156	2812	DllCommonsvc.exe	97
PID 2812 wrote to memory of 2156	2812	DllCommonsvc.exe	97
PID 2812 wrote to memory of 2156	2812	DllCommonsvc.exe	97
PID 2812 wrote to memory of 2728	2812	DllCommonsvc.exe	98
PID 2812 wrote to memory of 2728	2812	DllCommonsvc.exe	98
PID 2812 wrote to memory of 2728	2812	DllCommonsvc.exe	98
PID 2812 wrote to memory of 2052	2812	DllCommonsvc.exe	99
PID 2812 wrote to memory of 2052	2812	DllCommonsvc.exe	99
PID 2812 wrote to memory of 2052	2812	DllCommonsvc.exe	99
PID 2812 wrote to memory of 2840	2812	DllCommonsvc.exe	100
PID 2812 wrote to memory of 2840	2812	DllCommonsvc.exe	100
PID 2812 wrote to memory of 2840	2812	DllCommonsvc.exe	100
PID 2812 wrote to memory of 2776	2812	DllCommonsvc.exe	101
PID 2812 wrote to memory of 2776	2812	DllCommonsvc.exe	101
PID 2812 wrote to memory of 2776	2812	DllCommonsvc.exe	101
PID 2812 wrote to memory of 2660	2812	DllCommonsvc.exe	102
PID 2812 wrote to memory of 2660	2812	DllCommonsvc.exe	102
PID 2812 wrote to memory of 2660	2812	DllCommonsvc.exe	102
PID 2812 wrote to memory of 2624	2812	DllCommonsvc.exe	103
PID 2812 wrote to memory of 2624	2812	DllCommonsvc.exe	103
PID 2812 wrote to memory of 2624	2812	DllCommonsvc.exe	103
PID 2812 wrote to memory of 2608	2812	DllCommonsvc.exe	104
PID 2812 wrote to memory of 2608	2812	DllCommonsvc.exe	104
PID 2812 wrote to memory of 2608	2812	DllCommonsvc.exe	104
PID 2812 wrote to memory of 2732	2812	DllCommonsvc.exe	105
PID 2812 wrote to memory of 2732	2812	DllCommonsvc.exe	105
PID 2812 wrote to memory of 2732	2812	DllCommonsvc.exe	105
PID 2812 wrote to memory of 1508	2812	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ad0c7a97103898101809cc0ac390ad98f6f31b24b53fb5bd6233a1130d2e0ced.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        6⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1224
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
        8⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2904
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
        10⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1868
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        12⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1224
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"
        14⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1744
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        16⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1776
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        18⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1244
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        20⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2216
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        22⤵
        
        PID:788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2196
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        24⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2236
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\debug\WIA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Resources\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c228c8d08bce8867cedcc70a7eded92e

SHA1
1fc51830f357b1884f98951f4db8ad4d859b21a4

SHA256
72a8fdf28726f227a45ccf81ded78806e30307cfa120e65496897c25e130a31d

SHA512
39214d8c925bfdd5f6f16879c5dab7332141580161592e294382a679202b890cacd5e74dd983b12107f3bb608779cb22c17d0f930c3febc8b84ffdd6f2a27015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20fd6bdc393f189588af5b47c8af0efe

SHA1
e99ad77f63214b6b718a36239278ae4f76ef4bb7

SHA256
9ee2600938346c0369a1efa057e67b1670ccc54744d7d3e952dfb3b6d88b8c44

SHA512
7071096380c56dfd4c399295c3acf65b02c48a5235121712be8366eb8d0eb8ffb0389110e0d19f5698a98d908fe33561b5539e86a22b10a0c4067bde37a1c5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b679c6715fd205e9ae3f93cf8d041c6

SHA1
3e79d6187c6e292ec0484792c950fa7226f203fc

SHA256
5c88619538a11e07376d906e14f3c80676fe0038276f5d5359a50340ad24e08a

SHA512
2296884400a4b23c9f6fdca3481868f86a70f87ac4e95c6c4853f41783e09bbfc03af50a0b60c39deef16e51b5f25ffe9d4aacac1ecd8119a79c08c3cc4d90dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d81c26f6a8cb980b4e77e17fd2317c1a

SHA1
ca40416c7322e3708069122e397cbc67f8c91722

SHA256
4dff4ee953e0a01a2c36ad497e5cb9d13ae61fb99be90b3eaefcbe9013971bd6

SHA512
4141db454f6f8f93564c9eb963a3a449b20251efbf688a0073f0daa0bc9a799f6780abd45f518967c59d5d80e97bfd7347167ebc2451d059ec8282bfb39c0fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cee7b0ec0d8b8ce63dc2db7891d6de0

SHA1
ea251a49d0022ee631e6ecb106fd78ea22424bf1

SHA256
0118b594f952d4fda42779d4c1c432058ad169f497dacc46043eb77b28f43549

SHA512
f2e73e2ddd6be57c4a2b8f157b73e4280742cc7ecedd48a40e04da25d735ef7dfedc9c622500baab590bbb2f3856f44e5973253105fbc23a46ea38af2a5d663b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
686a764f8947444ce4c3342770fa495f

SHA1
8e5140f187f7f23bdc9a6f5cc84ce83af77cd5d1

SHA256
18e361c3b20af54ca63722c861cac3c965a56caabbe03bc3edc0cfec7e252882

SHA512
890c2b1755c06b3545d015ab884a1ad335c441845650d34d3ad086a5c3eece0c6bf37a9f10c1c3360d42a8348921498001e4417e4258fdb4082d996b0220380a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d12aba2737e61b2029d5c97130d7bf5e

SHA1
d7e0cbf0e7b0a50c07f079f674a8987458c597fb

SHA256
81ce98d1dd68af2e39d57823588759a12cdee34a2752fc3f10cb30a6e7f0f7b5

SHA512
a14dc476fc0d2d6b628cd62dc3b11d06701470113b6bf7ad86ddf630ea5f796f3222ee56b581537fd283da4ba776bcd3aafd0ba51c8961b9185bb73ddc026522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f37469c05d6c862852e62ed399b219ef

SHA1
a46df320eef5e2ffd5317c9cb96db5ca891293e2

SHA256
d8d9cd65cabfc8eabf833378d99e106a41823ad601cb9f17358268c74cc72754

SHA512
b6cfd8a679402b503432ebe0056d3fe4073991a2a70e5bc4b4ed5a01d5a8bd1259cd85c99da08f54c00a34500ff25b79fea6b4284b5af9f5cdb9f2352ca7a0bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0deba7f5639f249b5a2b3cb507a61d92

SHA1
7863a6972cab1d0cdf35e6a59fe5f6dd9117cf97

SHA256
eab4c80195eea3b96d88f706accd2215cde70862aefe188fff631aa51f8078ac

SHA512
ac0f005701f9e62bbd52b0d472457bfa230f54f3d25f0eaa9448352c136058ced22bc1dcba7d5482d7ac481ec606dec17689bd97a7509baace6c772da39b138e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat

Filesize
192B

MD5
7f639ad0659e0d44927b9b267582d6bb

SHA1
8801ba1f49bdcf31bfba676ad21eecf421bf781c

SHA256
fb3ef86780fcc3a8adb70e1653a6da86ac460172692a6ade5bd035a002811ad6

SHA512
4b609bacec10c6a9f3646940614a5792a4fa5496d43e44f51ee38476da839ab3225b1abd7edc511825b7c6b6c60beeba9b494b6a63ac49cb3ed1efd7209b6dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD21.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat

Filesize
192B

MD5
73c877110e667c925ea41a1bea0c28fe

SHA1
90ef28d05388c491244d81485b94bd7206ecf552

SHA256
11c9a401821da124a6dba662f6a94f1af60281d46874da7532132e083400f715

SHA512
8c3e4269818e450b29fc92a8145fa569f2920b740eca71969fe39447d5df0dee7fad41e22cb8f984118e8713d1caf29d161f4e74b8235b39b496ba9d06ae0dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

Filesize
192B

MD5
fd46d3d29f1ed1a31203620c02a94839

SHA1
6db8ecdcb9aaf770ac953da7292f8c746712aa6d

SHA256
a74e247b71ec8290aaebfb5d410a42faca95c8f94527e45425e02c1921278822

SHA512
5982834a47f8f7122b972d7668744d07319fcc55a39e0b31e86a7a9a0c69e26a2dc95d9a7774afe2f9a6de0d18bcd1c289557b8faa5a923279b25a331b3af23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
192B

MD5
049d3a5ed72d56f19d76ba7c0b778ec7

SHA1
d957df54ca0da2aa03d9eb300591f946c5777392

SHA256
8e65e31308b57f8ea508fdb1562b82db4356269f7de8e90ef3c149f2559f51de

SHA512
d8b2369f91793c80369c1610cc25d766d6190c975653670bc350395db6dcd286d6117ad4141dec80f0fc9a5c52bafb2a0d54a0ac42918e2b4411d5e1a61e8845

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat

Filesize
192B

MD5
d792d814d732cdca7b70146b59d8a78b

SHA1
6cbc28c2f269171d114c6929bc53e08d168843cd

SHA256
2f641ea8db9020e9f799184f5f533b2f4799568fe6580669906e9aefda918359

SHA512
c60f6974fb87eaa8c61358a8cc5549b3ac11ec6d8929fff73d481487ac88182feb8c4e6145e5fb525e956336dedb4faf9251e2abc119f5d977159e307907c50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD33.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
192B

MD5
aa5719d0ad2ee905072c9548310fd4f2

SHA1
172bb35f5edd6e047ee63be6f1edda27087a8400

SHA256
ec7094d26cadafa1c313da0be60b458e37650e5f80ef11f1585b4a5075a2fad9

SHA512
78c6ff56dbd98f3fd66862be8d1f729efa2179e3c9daebac9fa444444d916b660222fbf771a282e0bc484b237a6aa3b3625f56d604308f581387066905b1e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
192B

MD5
bfa018aab2b75b154bfdd372e94a963b

SHA1
5d935879efb672e6ec6408be08816b7aae5dcb73

SHA256
e9e80b7d79d1bb2fca019b5d9f1d72ae7f4c56d8499e0b7ada58ca041bf8564a

SHA512
b3f24eaa6ea4da4d95905c7e120daeda3dd20a53fe89a838866499cc4459b8671e3dc55d49d2401ee48f26474dfa990fecbbcc3e6ccdf5fe6e285d6bc1101cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
192B

MD5
69ace0de647eb04ceb7e23a630f08c04

SHA1
796f06444ed3aee94b9bc3862083c19137cd6aaf

SHA256
75287a48ce8ad2ee9240f36fdd8470c94f660f2e13c04ddfe1e3d9a6e8595b82

SHA512
5d4f8d2d0e94facdaa759bfa124a2e9ebcfe167646239acfc6acc20689a68d378ae4f0031becb0021b7bedf5dc17aa2ab325717b3219e0a6501a512cc9bbb3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
192B

MD5
8b0af136a94be7511ed9238ed3bbf2be

SHA1
e028325e0e55eb267ecacc45fb29e3cdb2a6ac87

SHA256
f38c3e85a810f66e747afa763d9cd23af519d55a05534bddf20e1fe7787a91b5

SHA512
eea27422cd26cdd5733f4ed0ffcada1dcc16c8e57f38382162f04efea5728a5964060538061724d9b22701a9afdaea4e40dbf06eb6ab2f2e9722bafa0cf35acf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c5b9ace46ea95a4f97f5f97967556a9

SHA1
e2aa81c22385fea6666fcc1ce078380bd54fdfce

SHA256
99ed9faff3513f8a0000a2cfe4783e48c9f73521076723c3f0de6d6847d0a822

SHA512
efd93a07be60bb150c8e1a49772b6176ac9f095e77682a85b7190042de5d7e572a22ec2ed1e204e25a78a3921f39ba5a82c287fbad6b85a8e16b95dc8ebb58c7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/320-86-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/764-337-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/764-336-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/896-517-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1496-397-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/1656-697-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2096-637-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2112-457-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2212-577-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2676-60-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-80-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2812-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2812-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2812-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2812-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2812-13-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2824-158-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2832-159-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2948-757-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download