dcrat | 9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe
Size

1.3MB
MD5

5465d6551d7cdf65279db7339ef37a5a
SHA1

d655d790ef852b32204c37626e12c2e3ee29185f
SHA256

9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6
SHA512

78b74633d0c9aa44060d973f9e7c6b159be87a4444ecf7430aac7eb4be374e5f7c0959091adf4356bfce838336ff191b1735d89197652d57d7ebf0dae508b289
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1732	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019570-9.dat	dcrat
behavioral1/memory/2664-13-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/1556-147-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/2240-206-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1436-385-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2692-445-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/276-505-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/284-565-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/2220-625-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2200-686-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
2712	powershell.exe
2744	powershell.exe
2604	powershell.exe
2828	powershell.exe
2912	powershell.exe
1496	powershell.exe
2724	powershell.exe
2736	powershell.exe
2752	powershell.exe
2648	powershell.exe
1956	powershell.exe
2940	powershell.exe
2324	powershell.exe
2808	powershell.exe
2680	powershell.exe
1908	powershell.exe
2020	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2664	DllCommonsvc.exe
1556	sppsvc.exe
2240	sppsvc.exe
2132	sppsvc.exe
2676	sppsvc.exe
1436	sppsvc.exe
2692	sppsvc.exe
276	sppsvc.exe
284	sppsvc.exe
2220	sppsvc.exe
2200	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	cmd.exe
2608	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\servicing\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\IME\IMEJP10\DICTS\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMEJP10\DICTS\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe
1456	schtasks.exe
576	schtasks.exe
1704	schtasks.exe
1808	schtasks.exe
2312	schtasks.exe
2568	schtasks.exe
856	schtasks.exe
2168	schtasks.exe
1236	schtasks.exe
1876	schtasks.exe
2392	schtasks.exe
1176	schtasks.exe
2260	schtasks.exe
1548	schtasks.exe
276	schtasks.exe
2372	schtasks.exe
2468	schtasks.exe
2232	schtasks.exe
2476	schtasks.exe
2976	schtasks.exe
1652	schtasks.exe
1904	schtasks.exe
2136	schtasks.exe
304	schtasks.exe
1740	schtasks.exe
912	schtasks.exe
1588	schtasks.exe
2416	schtasks.exe
2340	schtasks.exe
2228	schtasks.exe
3048	schtasks.exe
2784	schtasks.exe
352	schtasks.exe
284	schtasks.exe
1952	schtasks.exe
1644	schtasks.exe
1744	schtasks.exe
2508	schtasks.exe
1996	schtasks.exe
1092	schtasks.exe
1864	schtasks.exe
1660	schtasks.exe
568	schtasks.exe
964	schtasks.exe
2540	schtasks.exe
2112	schtasks.exe
1416	schtasks.exe
2356	schtasks.exe
652	schtasks.exe
1684	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
1556	sppsvc.exe
2240	sppsvc.exe
2132	sppsvc.exe
2676	sppsvc.exe
1436	sppsvc.exe
2692	sppsvc.exe
276	sppsvc.exe
284	sppsvc.exe
2220	sppsvc.exe
2200	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2664	DllCommonsvc.exe
2664	DllCommonsvc.exe
2664	DllCommonsvc.exe
2912	powershell.exe
2752	powershell.exe
2808	powershell.exe
2680	powershell.exe
2828	powershell.exe
2940	powershell.exe
2712	powershell.exe
1956	powershell.exe
2604	powershell.exe
2844	powershell.exe
2648	powershell.exe
2324	powershell.exe
1496	powershell.exe
1908	powershell.exe
2724	powershell.exe
2736	powershell.exe
2020	powershell.exe
2744	powershell.exe
1556	sppsvc.exe
2240	sppsvc.exe
2132	sppsvc.exe
2676	sppsvc.exe
1436	sppsvc.exe
2692	sppsvc.exe
276	sppsvc.exe
284	sppsvc.exe
2220	sppsvc.exe
2200	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	DllCommonsvc.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1556	sppsvc.exe
Token: SeDebugPrivilege	2240	sppsvc.exe
Token: SeDebugPrivilege	2132	sppsvc.exe
Token: SeDebugPrivilege	2676	sppsvc.exe
Token: SeDebugPrivilege	1436	sppsvc.exe
Token: SeDebugPrivilege	2692	sppsvc.exe
Token: SeDebugPrivilege	276	sppsvc.exe
Token: SeDebugPrivilege	284	sppsvc.exe
Token: SeDebugPrivilege	2220	sppsvc.exe
Token: SeDebugPrivilege	2200	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2728	2720	JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe	30
PID 2720 wrote to memory of 2728	2720	JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe	30
PID 2720 wrote to memory of 2728	2720	JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe	30
PID 2720 wrote to memory of 2728	2720	JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe	30
PID 2728 wrote to memory of 2608	2728	WScript.exe	31
PID 2728 wrote to memory of 2608	2728	WScript.exe	31
PID 2728 wrote to memory of 2608	2728	WScript.exe	31
PID 2728 wrote to memory of 2608	2728	WScript.exe	31
PID 2608 wrote to memory of 2664	2608	cmd.exe	33
PID 2608 wrote to memory of 2664	2608	cmd.exe	33
PID 2608 wrote to memory of 2664	2608	cmd.exe	33
PID 2608 wrote to memory of 2664	2608	cmd.exe	33
PID 2664 wrote to memory of 2828	2664	DllCommonsvc.exe	86
PID 2664 wrote to memory of 2828	2664	DllCommonsvc.exe	86
PID 2664 wrote to memory of 2828	2664	DllCommonsvc.exe	86
PID 2664 wrote to memory of 2724	2664	DllCommonsvc.exe	87
PID 2664 wrote to memory of 2724	2664	DllCommonsvc.exe	87
PID 2664 wrote to memory of 2724	2664	DllCommonsvc.exe	87
PID 2664 wrote to memory of 2808	2664	DllCommonsvc.exe	89
PID 2664 wrote to memory of 2808	2664	DllCommonsvc.exe	89
PID 2664 wrote to memory of 2808	2664	DllCommonsvc.exe	89
PID 2664 wrote to memory of 2680	2664	DllCommonsvc.exe	90
PID 2664 wrote to memory of 2680	2664	DllCommonsvc.exe	90
PID 2664 wrote to memory of 2680	2664	DllCommonsvc.exe	90
PID 2664 wrote to memory of 2752	2664	DllCommonsvc.exe	91
PID 2664 wrote to memory of 2752	2664	DllCommonsvc.exe	91
PID 2664 wrote to memory of 2752	2664	DllCommonsvc.exe	91
PID 2664 wrote to memory of 2736	2664	DllCommonsvc.exe	93
PID 2664 wrote to memory of 2736	2664	DllCommonsvc.exe	93
PID 2664 wrote to memory of 2736	2664	DllCommonsvc.exe	93
PID 2664 wrote to memory of 2844	2664	DllCommonsvc.exe	95
PID 2664 wrote to memory of 2844	2664	DllCommonsvc.exe	95
PID 2664 wrote to memory of 2844	2664	DllCommonsvc.exe	95
PID 2664 wrote to memory of 2912	2664	DllCommonsvc.exe	96
PID 2664 wrote to memory of 2912	2664	DllCommonsvc.exe	96
PID 2664 wrote to memory of 2912	2664	DllCommonsvc.exe	96
PID 2664 wrote to memory of 2712	2664	DllCommonsvc.exe	97
PID 2664 wrote to memory of 2712	2664	DllCommonsvc.exe	97
PID 2664 wrote to memory of 2712	2664	DllCommonsvc.exe	97
PID 2664 wrote to memory of 2744	2664	DllCommonsvc.exe	98
PID 2664 wrote to memory of 2744	2664	DllCommonsvc.exe	98
PID 2664 wrote to memory of 2744	2664	DllCommonsvc.exe	98
PID 2664 wrote to memory of 2604	2664	DllCommonsvc.exe	99
PID 2664 wrote to memory of 2604	2664	DllCommonsvc.exe	99
PID 2664 wrote to memory of 2604	2664	DllCommonsvc.exe	99
PID 2664 wrote to memory of 2648	2664	DllCommonsvc.exe	101
PID 2664 wrote to memory of 2648	2664	DllCommonsvc.exe	101
PID 2664 wrote to memory of 2648	2664	DllCommonsvc.exe	101
PID 2664 wrote to memory of 1496	2664	DllCommonsvc.exe	103
PID 2664 wrote to memory of 1496	2664	DllCommonsvc.exe	103
PID 2664 wrote to memory of 1496	2664	DllCommonsvc.exe	103
PID 2664 wrote to memory of 2020	2664	DllCommonsvc.exe	104
PID 2664 wrote to memory of 2020	2664	DllCommonsvc.exe	104
PID 2664 wrote to memory of 2020	2664	DllCommonsvc.exe	104
PID 2664 wrote to memory of 2324	2664	DllCommonsvc.exe	105
PID 2664 wrote to memory of 2324	2664	DllCommonsvc.exe	105
PID 2664 wrote to memory of 2324	2664	DllCommonsvc.exe	105
PID 2664 wrote to memory of 2940	2664	DllCommonsvc.exe	106
PID 2664 wrote to memory of 2940	2664	DllCommonsvc.exe	106
PID 2664 wrote to memory of 2940	2664	DllCommonsvc.exe	106
PID 2664 wrote to memory of 1908	2664	DllCommonsvc.exe	107
PID 2664 wrote to memory of 1908	2664	DllCommonsvc.exe	107
PID 2664 wrote to memory of 1908	2664	DllCommonsvc.exe	107
PID 2664 wrote to memory of 1956	2664	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d5ca71a3a24d9cd93b64c1e87f4419ce2b5d10e0a3d9a24a1f2fb275ecd81d6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMEJP10\DICTS\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GwNSWoPkKG.bat"
        5⤵
        
        PID:860
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2352
      - C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
        7⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1564
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        9⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2948
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        11⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:108
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        13⤵
        
        PID:568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1856
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        15⤵
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2948
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        17⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2968
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        19⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2600
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        21⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1888
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        23⤵
        
        PID:824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1708
        
        C:\Program Files\Uninstall Information\sppsvc.exe
        
        "C:\Program Files\Uninstall Information\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMEJP10\DICTS\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP10\DICTS\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\IMEJP10\DICTS\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f04bd258ef51fb5baba81872693ad6

SHA1
f768856ca0727249517e30b981924ee0026ef979

SHA256
4b27352f5a7bc4188f63367bff82108b8b0a6ed354c7c8cdb9c2608c204cf061

SHA512
40cfb4b6846d66ceba35ce35fc85086e1d296c78199b4b942bb41e82805e6c21f81e30480cefee71eeee30a1b20179702c5f561c33d8f8b32122bf612e548a78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2f77793e8c47d0ebabaddd4f4c4a201

SHA1
b54eba5a3fbff6d160426c23d60ec6404710e84f

SHA256
4e5dfdaa669c29677e82a644d95d61467b3a8ef22db6bc3a1aef9ca882cbac51

SHA512
c3e3b535a6350bb2ce1655deb3f398fb0eee70b25023854e54efbe1da911e512499befb5542ec5cc335b5a4d8c9c56877ff4abd4e8c851c599eb6cd3b76299ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
418fc848c504ecafa604a2051dafd14b

SHA1
349e47c5bc7a113c8dc5481bbf9e813fbd9ca42f

SHA256
ea111871d403a990db330bb73f32018fb3bc1dd6848a9364e06e54a7615e7118

SHA512
93299add389444ac7f074383551011bc5138726b937526de86cb24debcbe8bf8bd44e5cf7051e228fdf3ca06efa51bfdca97237f108e2f35ef297caa99196585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1527ddf9cea51a9f30ad363e9aae7d1c

SHA1
69fb910cb9b46aaa1f305748b8df341199a9bbea

SHA256
94e0eef9c560bf78aa974fc3869996ac4edb95b7c228753261599aa4a091ee7e

SHA512
7236248c91dc50453836af85d335878e29abdcce6a3e59afadd93ce1d761b1e683565400446713d30d2c5ca1c0f14a9d26056546803c6ae5141c6f3ccc43b74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d65bf91895324f61fcca5c51e602a3e

SHA1
9afdb2cd0771161ad945ffb7856283b5f1c82b58

SHA256
05631ca9acbc8098f7f04b44d210adf285122858806c2d1d155a7b4194b9a1f0

SHA512
65d8cabfae273c68724545cc49bd6c32df17fb1b0555d07834efa673dd5c3cea354f5c90c0781a5a1db7a632a1d87f8fbb79a8ea7baa86b54fc9cd73b031b4d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51c70c4af0344393f0416fa250630838

SHA1
d6f4750ae7ed35cdbff12c58a7ce820102a6fb3f

SHA256
c529aa56688b4279e4fc16d339a2571922073ef2f95ed89474fbd8e5cf279e4a

SHA512
a5b4a8cee979aad6e5589cce980ad37dab384a44893f287a35acf156ae01a4051d46021385def0f37eeaab4f6a525a27b3627df1389d53b893566016c4b245d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b36018f17ec1b6fe887314e2b4fd024b

SHA1
3008e945318db4d9ca4c4e784e9fd7b5eed3f0ed

SHA256
8c671ba4e37f11f23f13753b4ff9f89cb3097978f0b4f00a67d46b1c548d6b6a

SHA512
a7591740ecd6127ff2c204e4741ae9955b112645b4083dcf01e97091d50a608f5dd40fd466d34f5d1c745021bc76f0440c03ba11b9949c17af2e6576176503a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f6fad9327aa58e1edbd829615654d04

SHA1
13e4a495b4aba08860ff1afba04515cbc46c2296

SHA256
3f3fb967c3fcf64c975a3d70ee1068ec9604a86e6226a6abd21125197b0acc3a

SHA512
6fd7be9002b611f8fc13e29b0bbc6ef2cc1c7eb69b57c4b2865812321363520107e0388928ce945c8b9e812e1bfe251c3ee7a0f6103f79e34f290b60b61fb5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
214B

MD5
8d5e9f032c04c5c50ae45a30d429bf2a

SHA1
a1924dbca36d04a63b3957bdaf6d72e6f79c3f1b

SHA256
23354a9bfed0c94be342ec78592f2f80685ad42e38ab78b279b6d53c67f1263c

SHA512
6cd085ae7e299bcfdeb9f8a17fbafd75eec39faad11423dfc69258cbbb77922786b5425a7c7f1472257acce2914b1dc5a1f71b956cde8b3d6a7c4c6f23d48a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
214B

MD5
716e23bb6e0a3839f9043410b8cb52e4

SHA1
3f8fecc267a1c6668bd87170061dead7d6fb4404

SHA256
1c08f4b6441154b4c730c75481e170dc3984426b460f9f128515066b65cefa1c

SHA512
c4479a0b971e5073f2ac36d72a2f5dd8ce2ae3254864d198a328cad6037e8fb65db47a08230e80fe00aefbda93cd64fcc1da672b95bd71cdda409cd061fb5aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat

Filesize
214B

MD5
ba49b30b91b8dc578357a53ff3359490

SHA1
b90ff0768add94cb79da3ba8633bd9ce6aeae710

SHA256
48a5cf5c008fb4c60f7227fa73cdace73bcdea4f8f27659f87903839b6e77a6d

SHA512
d1882ca2b464832f821c76c939494c09885cda2d008199a0b3da4703db71134cf61a70b31e15dc8201da3b730621ab0f0c8a85575edf3a42058f84e4378f40f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB369.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
214B

MD5
fdea14b5a19a67b3f4571c7f4cedf146

SHA1
2cb5a2a5f96a449c30b23abba1b17edf44b5964d

SHA256
b3bfc96383448994f9e987cd3ccffd94f9c90dc0a22c13c7936f89f29971224d

SHA512
bb4b8a04481cb90921b4e4ba5e08b794c6f51fdc240f00f3ddc68d31d2f897744a5a7e5ec59608acdd1eccd649c653b3a2d1bc320d25471b92a8f2655ef7303e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwNSWoPkKG.bat

Filesize
214B

MD5
d53bb348ae46a9d292067eb425706cff

SHA1
a5c0dcc86bc98e8d1cfd06de92e89ef22b14bac4

SHA256
54e08af59cdc6db3ffa2af52ce52d025c3eb8333f66be54149a931ce2a6d86fa

SHA512
e50f1528295010f3232953989f45bd076febb92fb9889c26f382e055841e05b7162bd2e4b1cca8bec9ba1590fe0a30f828548347dd0fcfcdb974b1990d53f640

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
214B

MD5
9992e193d09e38a07e5b2a03b7df89b5

SHA1
d8003acb0f41fc805d49ae2b78fd043ea2fc40ff

SHA256
13e9e4047313f1cf654ae107707de568ce055d22a6a58775b1ae5c0f7f9750b5

SHA512
a8ed5337f9c622a2d40a1e4a9b961ef28a6c58fbd3746a2e8e9f4f771fdec9f61e045c6e895b0659a7a4d1bbd11cc01a856c0d0ad53434df86b0e6f5c2681806

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
214B

MD5
701f64278c0f7f398273107ceefb54e4

SHA1
6b55bd97a17a04f1b3f5d0e1cf00adc500042d79

SHA256
c1d76c84cfef09171c68209804208abcc90accc3b4bd0294445917a63f4cf1db

SHA512
bf5e1c3799393034a4a3f68df9facb36ee92e96a2d732a5a6ca67638e54f0a2d460e8e625cb11f693ab8c5d612b6dd3e90dc0c2773a35cfcbaf8175d591716e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
214B

MD5
6c241835a1a7cdb7f0f688b19e556aa6

SHA1
daebbbd9b0b6e48786afd12df0ac2648e1bf42a2

SHA256
d676ef75b122afd36fa6721dc7dcf90aa71e8446085ca9c3b2490b9279d2f78f

SHA512
37784650976402d92b65ab0676d2672226832281e50b2245c3cb0b161d0e07a24d9ba31ebd2278e4261dea5f05c6d1f219563fb516dd07184ef78f3110e5ee51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB37C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
214B

MD5
796f98f80e53d2a018dfff1ccbda8b2c

SHA1
d590ac982025422208dd8211a5fb6c4c6a0f9a51

SHA256
7b48c5f3fe27cf8500b1d1811fb5ea60f40799e932de57d8f2f9d8adb6b330fc

SHA512
6954a9254d55555a10d00f886f79ab20559652bc06221fc32401a3b065b9bd2b2b89e2b7ac3d5c4e6bc510f2f83d191816929a1823f682ad67b4618d6768585c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
214B

MD5
f42254880f53632aaa9267b81e474e70

SHA1
fca5a14bf9265ad29d3b5e9c2214a5a72c0e1a6f

SHA256
fd0ed7892515856bc376c16507d3d9b75f94626657f7ca31d1476d12eb2b89a9

SHA512
583bfe505fdfd532aa6550af204ce7b31535215a16f715406f01a29e6b3b98ebbc055edb204c738fb0cc2ca6d115ca932176756024556f2764436ad6403963cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a0432eb3f4c9a57178007f7040f4e428

SHA1
fbe2002a06b9d4e2d35c040f0cb9b6e7ba157579

SHA256
6cbaf1c59262bd371304c6a0fac2765e4541b23777d8f7ec927c496b525ea24f

SHA512
6bffc97331a0878c11e91f4e7c735c9005ce0e35f5664bbd1b06541c700f31c35c69be1106e59dc9155e61bcc3ced9dfe427f7bacb68b8172829708266da2edc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/276-505-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/284-565-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/1436-385-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1556-147-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2200-686-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2220-626-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/2220-625-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2240-206-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2664-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2664-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2664-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2664-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2664-13-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2676-325-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2692-445-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-76-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2808-75-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download