dcrat | fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe
Size

1.3MB
MD5

fcf93022531c0122c72d2846b18287bb
SHA1

a3fdab3b0d931588cfc3fdd3d042af777c77bd42
SHA256

fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710
SHA512

a47053b0746d18606de71650134d3513195b13fac330231cb7a8c1ee03c361690f7049aa12109cf19347dbdace4ae461894aa72cc32a9d092bccddc64a9f2ae0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2912	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2912	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-9.dat	dcrat
behavioral1/memory/2748-13-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1476-161-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/2628-280-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/804-340-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/2188-638-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
2376	powershell.exe
656	powershell.exe
2708	powershell.exe
2840	powershell.exe
1928	powershell.exe
2788	powershell.exe
2696	powershell.exe
1712	powershell.exe
2676	powershell.exe
1136	powershell.exe
2984	powershell.exe
2380	powershell.exe
2648	powershell.exe
1624	powershell.exe
2604	powershell.exe
2080	powershell.exe
2828	powershell.exe
1948	powershell.exe
2832	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2748	DllCommonsvc.exe
1476	WMIADAP.exe
1284	WMIADAP.exe
2628	WMIADAP.exe
804	WMIADAP.exe
2088	WMIADAP.exe
524	WMIADAP.exe
2412	WMIADAP.exe
2856	WMIADAP.exe
2188	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
2456	cmd.exe
2456	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
24	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\es-ES\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe
3024	schtasks.exe
1616	schtasks.exe
1736	schtasks.exe
1188	schtasks.exe
3004	schtasks.exe
1804	schtasks.exe
1060	schtasks.exe
2124	schtasks.exe
936	schtasks.exe
2452	schtasks.exe
940	schtasks.exe
1016	schtasks.exe
1720	schtasks.exe
2932	schtasks.exe
2052	schtasks.exe
1172	schtasks.exe
2012	schtasks.exe
1620	schtasks.exe
2572	schtasks.exe
3028	schtasks.exe
1528	schtasks.exe
2188	schtasks.exe
1464	schtasks.exe
1888	schtasks.exe
2416	schtasks.exe
2684	schtasks.exe
2252	schtasks.exe
432	schtasks.exe
1516	schtasks.exe
384	schtasks.exe
1268	schtasks.exe
2268	schtasks.exe
2592	schtasks.exe
2576	schtasks.exe
2976	schtasks.exe
3060	schtasks.exe
2888	schtasks.exe
1460	schtasks.exe
676	schtasks.exe
1588	schtasks.exe
2616	schtasks.exe
1204	schtasks.exe
852	schtasks.exe
2924	schtasks.exe
2600	schtasks.exe
2952	schtasks.exe
1740	schtasks.exe
524	schtasks.exe
2788	schtasks.exe
1980	schtasks.exe
2288	schtasks.exe
2044	schtasks.exe
568	schtasks.exe
2648	schtasks.exe
1728	schtasks.exe
1748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2080	powershell.exe
2696	powershell.exe
1104	powershell.exe
2984	powershell.exe
2376	powershell.exe
2708	powershell.exe
2832	powershell.exe
1624	powershell.exe
2788	powershell.exe
2380	powershell.exe
1948	powershell.exe
656	powershell.exe
2604	powershell.exe
2676	powershell.exe
2648	powershell.exe
1136	powershell.exe
2840	powershell.exe
1928	powershell.exe
1712	powershell.exe
2828	powershell.exe
1476	WMIADAP.exe
1284	WMIADAP.exe
2628	WMIADAP.exe
804	WMIADAP.exe
2088	WMIADAP.exe
524	WMIADAP.exe
2412	WMIADAP.exe
2856	WMIADAP.exe
2188	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1476	WMIADAP.exe
Token: SeDebugPrivilege	1284	WMIADAP.exe
Token: SeDebugPrivilege	2628	WMIADAP.exe
Token: SeDebugPrivilege	804	WMIADAP.exe
Token: SeDebugPrivilege	2088	WMIADAP.exe
Token: SeDebugPrivilege	524	WMIADAP.exe
Token: SeDebugPrivilege	2412	WMIADAP.exe
Token: SeDebugPrivilege	2856	WMIADAP.exe
Token: SeDebugPrivilege	2188	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe	31
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe	31
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe	31
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe	31
PID 2000 wrote to memory of 2456	2000	WScript.exe	32
PID 2000 wrote to memory of 2456	2000	WScript.exe	32
PID 2000 wrote to memory of 2456	2000	WScript.exe	32
PID 2000 wrote to memory of 2456	2000	WScript.exe	32
PID 2456 wrote to memory of 2748	2456	cmd.exe	34
PID 2456 wrote to memory of 2748	2456	cmd.exe	34
PID 2456 wrote to memory of 2748	2456	cmd.exe	34
PID 2456 wrote to memory of 2748	2456	cmd.exe	34
PID 2748 wrote to memory of 2696	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 2696	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 2696	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 1104	2748	DllCommonsvc.exe	94
PID 2748 wrote to memory of 1104	2748	DllCommonsvc.exe	94
PID 2748 wrote to memory of 1104	2748	DllCommonsvc.exe	94
PID 2748 wrote to memory of 2376	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2376	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2376	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2080	2748	DllCommonsvc.exe	96
PID 2748 wrote to memory of 2080	2748	DllCommonsvc.exe	96
PID 2748 wrote to memory of 2080	2748	DllCommonsvc.exe	96
PID 2748 wrote to memory of 656	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 656	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 656	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2984	2748	DllCommonsvc.exe	98
PID 2748 wrote to memory of 2984	2748	DllCommonsvc.exe	98
PID 2748 wrote to memory of 2984	2748	DllCommonsvc.exe	98
PID 2748 wrote to memory of 2832	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2832	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2832	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2708	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 2708	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 2708	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 1136	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 1136	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 1136	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 2380	2748	DllCommonsvc.exe	102
PID 2748 wrote to memory of 2380	2748	DllCommonsvc.exe	102
PID 2748 wrote to memory of 2380	2748	DllCommonsvc.exe	102
PID 2748 wrote to memory of 2648	2748	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2648	2748	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2648	2748	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2828	2748	DllCommonsvc.exe	105
PID 2748 wrote to memory of 2828	2748	DllCommonsvc.exe	105
PID 2748 wrote to memory of 2828	2748	DllCommonsvc.exe	105
PID 2748 wrote to memory of 2840	2748	DllCommonsvc.exe	106
PID 2748 wrote to memory of 2840	2748	DllCommonsvc.exe	106
PID 2748 wrote to memory of 2840	2748	DllCommonsvc.exe	106
PID 2748 wrote to memory of 2676	2748	DllCommonsvc.exe	107
PID 2748 wrote to memory of 2676	2748	DllCommonsvc.exe	107
PID 2748 wrote to memory of 2676	2748	DllCommonsvc.exe	107
PID 2748 wrote to memory of 2788	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2788	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2788	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 1712	2748	DllCommonsvc.exe	109
PID 2748 wrote to memory of 1712	2748	DllCommonsvc.exe	109
PID 2748 wrote to memory of 1712	2748	DllCommonsvc.exe	109
PID 2748 wrote to memory of 1948	2748	DllCommonsvc.exe	111
PID 2748 wrote to memory of 1948	2748	DllCommonsvc.exe	111
PID 2748 wrote to memory of 1948	2748	DllCommonsvc.exe	111
PID 2748 wrote to memory of 2604	2748	DllCommonsvc.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fc91600ee4330477e13fdb9e7dd1b42ab56675f4459bb6fe3f0565e0a07ea710.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QYS0DFW9kd.bat"
        5⤵
        
        PID:3052
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2004
      - C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        7⤵
        
        PID:1464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2780
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
        9⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2020
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
        11⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1732
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        13⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:320
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        15⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1616
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        17⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1204
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        19⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2888
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat"
        21⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1532
        
        C:\Program Files\DVD Maker\es-ES\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\es-ES\WMIADAP.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\es-ES\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbd28baa3f33a82e1bfd424c014e6186

SHA1
139556224e607134691f8c5de8b736643e0e5afe

SHA256
27b510d0cd319f81ca37b46bc5c67f2f8687e9a1c51995a69bb0088501dc288b

SHA512
820be1ce4efda59892fc862dd57f6a4affa1e090a47217c8bff5305e5c6e8ec3184a91eec0d98503a4784c4bccd3221333c7e774e52180019697fbe232803448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
450495851e7085b33f198b2a43cae065

SHA1
b3b57972a28f87cb9d4297857c4dab4d1efceea6

SHA256
58bec069f159f3f434eb0de67b425270705ff477bb91497469b92058f21ce5df

SHA512
812d3312678d6aa56481cdb5fc59ec5bc84ade7aa4e51c77364fb4c2edf3f6f46fbefe284b642b503d849f33e16fa6979a360782eba51ad1706262633ac32d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efb7545eb113de1d9f27b01c5318a6b4

SHA1
930c3acd639f7989acf48929dcfa76ec6657155f

SHA256
43fd18fc2a450dd5bdb7e4123397b8efbe047de4b04f4b7c7f75a0e23431f4f2

SHA512
b61b673755b2fdc49cbc2a64029ec3bcce3776068877a36f08c591f2b16b2d6265a2dabb7c9e27bb22d04b8cef0889a726059a10c65f4c7be05ccd73a7f42f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4d889f89a0c252f468adaef6363f1f4

SHA1
cbe28fae7a74316932a8161f27996e1061091fff

SHA256
9cecba2fcdc6a57bc940125e145caf4f5f943d6f14eb443a529d93d62a116611

SHA512
e01c6bff4824dfa73b428c6296287456941402153f989c261f1dafbdb1b9ee3243c0312a3c97e6b669d7c889c1806351da7139ccd1640d52e1ee030e11d7b7a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83f700b54dcff21fb40305fca4d48131

SHA1
f8e7cd6d2fab5c3d6dcbff310825e857fc03a351

SHA256
3e32948b61de32b9b1abc7b1a8fb2d637d68a8a564aa27a56441b422222e202f

SHA512
ffacf19f7acab8352c10274ab5c383b31e02649ff2bb66246dfbf5f1bae5f9e256bc5c2e4b5944c3a0b40630706f7287d21e8eaf70273f34f57769911ec57e52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a514335e31d9bc8d8d83eede53772866

SHA1
9f24344c63f4983fd5bef09f21c27a422fb11624

SHA256
828a690a4cc4d7a2264d6fde1bf507936384b20f19ca68b02ead728dc7fddb62

SHA512
1c12667fd4bf44cb21c4d3e13bb52d4ce0adc5d2c9d95bd3b75ce8d178f4bd65b3a05fe52b37187200b4712c4ffeeb1cbefc2d75d6dfdc79641a222ca6ade196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c4b1387c1adeff24df3b11afba8f9c

SHA1
8dbd1f53e6ba1cddb2d2359c46206cf8c034c5ec

SHA256
cb8d3e22cb62549348086cf85ffbbada4071ab8403b6031735e9b4ff5f18ed62

SHA512
d7d5da7b77d7caf19a4715a7a4107f5be906e84e5d4e0e7d6a3e81054aba1b4f993763877085d8fa42955444fe575837ace856d2fe2931e52ada238bab60bada

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
209B

MD5
8c3f6ae056f2b89900b1aea296cd9a56

SHA1
65d66cd4031268c8de916faa91a7b326f247b2aa

SHA256
7f103a485c90bc1b0df5c56f35e484ce50395f6a62aad3955ed8fbf33f374537

SHA512
f13eed1271596919438e108e973a4e6b6dc46d15f6699fa244600407e1da450f3a4aeecdd8e907e701daa11e2f4e1f381de0fe2211be61fdecdf2218ece90324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5469.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
209B

MD5
e6ff0707f51e75bbad6c6a15b4bf96d6

SHA1
2a2c99243e065386989964df2928612d6502cc03

SHA256
3ab8a55b415037f5461aa7738e227af23899d1467ebbe15def624a992f00bfba

SHA512
5ee8a75c9d3029872c72d43251053a43c52e8ba0738adbc749e1dfc165bbe8f1ef07099e8ed9f9a7f818342bb2825dc6d63fb7bfc185c89fdc5d85d2daf5ef61

Download Submit
C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat

Filesize
209B

MD5
356b278e29cd0555d4144bb46e3ef8cd

SHA1
c14d4de4d98ed1c3898eca23d31e3b74b685bc05

SHA256
eef277488d061567a082e825bd47b8512f6d4312f170673ad20673d5cb9e9229

SHA512
43f7c8bb0c30b9d553f2b76c1876ec2d843c6057c20a10a0232cc84fa3515ecf4e47d9f824eb2d2509794b95821bc99c58af6509448ecfa346b0e10771c8cfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYS0DFW9kd.bat

Filesize
209B

MD5
c93e6c1a46e1597c09ce7e8899fc3f4a

SHA1
1cec9c388f8d198b27d309dfbd22d37fc86acc5f

SHA256
06daefd2f1d080613a8d59b8e576088c4d5cc4dfb2ed5e365dfc9ba2eb4f9c3b

SHA512
c3fba97af5d620d8c74262ffcbac2b5771f0f32cfe4fad6eb1d8697ab2a2210424b03a0bfe7c994f8a5d9377eca042e375595b82b6c327ce0c19660173df7578

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
209B

MD5
c8240be4036288f131714d1877e36ef9

SHA1
f8f66fcf993d3e1fb900d66ca39115e01f6f22ce

SHA256
65c1cae483e94b688055959a1360d7a6955d4a818906c61e8f3e3c220ce4a094

SHA512
fc68929380f813217ade49712c02e3542458bdd9169a26aa21290bc13d71887b56ae805e6d9396d9e6ff26cbcae75a0904d2a5374a1533208077cc7dd91b60f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5594.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
209B

MD5
06d3ad6312966bbfab5c27168e13df29

SHA1
540efc380c13c60378b8282669b09a597d37b764

SHA256
8472bef67745fd8e39477b83c80b32c31667d8e6107c2e746cd6e3ed52d7afd4

SHA512
f1623af622a2f70ce0c2c98b3c0c6d9c02ade7b1fd1ebffeab7ee9c4727ea018c37384777d4c1897ccf3b6f59d0c7f4e36d0ce2279a8377fbdbae0be8200057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

Filesize
209B

MD5
0cb8970de12ff2443127148f7b9dd6ec

SHA1
d045e57559234af4001bbaa6114c91ce80ab99d9

SHA256
09d1f4f04913c538c77cef8b5bc1c09cc53b6cbcb76b6e6c725c723cc4153e79

SHA512
0414d3ae9d5b722e101c2c1b1afed8882ef3d2a311ff7fed901a07fafe5c9ebe4b9d23634556be2925f3a56638334a0db23dde112c685ad0dca31ea545c8984c

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
209B

MD5
c034587c3a0078ec5278f066e8da9744

SHA1
a9535fb667f65860610df53fe0e57faaa8c4ca3c

SHA256
9a261a2c5ac34a8cfa2c59de870eba57fa36951a0414c900c5bae430bd091599

SHA512
f201d942c8e77ae5446a065f91593fb6902efe96d0e60589ef5ac25b5a75a73c6b3cd1beb66bbbd9afab40bd82cb4eaba8cddc77f0b9155383b769d587bea016

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

Filesize
209B

MD5
efda4c0b6668d7c0fc4f6175df66cfde

SHA1
e30b919542550a2014b49352b220f73d3be3d294

SHA256
3b6a58770aac48931f0dea1914202ca5f8d738d14276fd020b2609b1b048c74c

SHA512
99fc944e20c19d164fc566b275c1f26dedb8beaeb47ef6984737f37d37ec3aed55cd4651f4cc2efb3d2fcd6b5fdc3245d86d142ef87c59b75af2960db0aff832

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A3P8C7U09A194T4EUVQH.temp

Filesize
7KB

MD5
884fe51097a8b5db81f16855b9a7addd

SHA1
d9e1cac498f38f37d3865493420ba268f81ef9c3

SHA256
15a9f9676696ee6dd023b2e2596a3abdd35de4d671a2ed0600297654ca10355d

SHA512
4376239492aa3124271aa472d9a1c5f2ee61f45eff818d3675f8f6860fccbe4cbed856a16d45d824ae4e8d43e113469e001869ed9e4bf9d658ffca52f251492a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/524-460-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/804-340-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/1284-220-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1476-161-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-72-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2080-71-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2088-400-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2188-639-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2188-638-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2628-280-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/2748-17-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2748-13-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2748-14-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2748-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2748-16-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download