dcrat | d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe
Size

1.3MB
MD5

c3ed5bafa96695578f87bb61c0e8bb7e
SHA1

4eba84d96826aad528b54ee19dd48c514ddabf4a
SHA256

d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961
SHA512

988e65cb1c5adb72a856f51433748487029d2b47610648bc100cd77202aa91088c8b13957ed43e88493cdd8d4da655d41e5b4b50808e3db5706a8ed77cc526f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3056	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3056	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001926b-11.dat	dcrat
behavioral1/memory/3044-13-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/2684-157-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/2752-217-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/892-277-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2532-338-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/2216-399-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/928-459-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2024-519-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/556-580-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/1920-640-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe
1108	powershell.exe
2536	powershell.exe
2708	powershell.exe
2828	powershell.exe
2064	powershell.exe
2552	powershell.exe
2668	powershell.exe
2928	powershell.exe
1128	powershell.exe
1552	powershell.exe
336	powershell.exe
2224	powershell.exe
2676	powershell.exe
2588	powershell.exe
2032	powershell.exe
2584	powershell.exe
2616	powershell.exe
2984	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3044	DllCommonsvc.exe
2684	Idle.exe
2752	Idle.exe
892	Idle.exe
2532	Idle.exe
2216	Idle.exe
928	Idle.exe
2024	Idle.exe
556	Idle.exe
1920	Idle.exe
2668	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\it-IT\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Java\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\security\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\security\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
344	schtasks.exe
1116	schtasks.exe
3016	schtasks.exe
1796	schtasks.exe
1608	schtasks.exe
908	schtasks.exe
2380	schtasks.exe
2364	schtasks.exe
340	schtasks.exe
1992	schtasks.exe
404	schtasks.exe
592	schtasks.exe
636	schtasks.exe
1520	schtasks.exe
916	schtasks.exe
3032	schtasks.exe
1328	schtasks.exe
2344	schtasks.exe
2968	schtasks.exe
892	schtasks.exe
492	schtasks.exe
1900	schtasks.exe
1676	schtasks.exe
1936	schtasks.exe
2512	schtasks.exe
2156	schtasks.exe
1492	schtasks.exe
1612	schtasks.exe
2200	schtasks.exe
236	schtasks.exe
2780	schtasks.exe
2744	schtasks.exe
2660	schtasks.exe
920	schtasks.exe
948	schtasks.exe
1524	schtasks.exe
2332	schtasks.exe
1776	schtasks.exe
2692	schtasks.exe
2464	schtasks.exe
2452	schtasks.exe
3000	schtasks.exe
1764	schtasks.exe
2540	schtasks.exe
1948	schtasks.exe
2756	schtasks.exe
1560	schtasks.exe
2508	schtasks.exe
712	schtasks.exe
1648	schtasks.exe
2400	schtasks.exe
2392	schtasks.exe
1484	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
2616	powershell.exe
2708	powershell.exe
2984	powershell.exe
2568	powershell.exe
2676	powershell.exe
2928	powershell.exe
1552	powershell.exe
2032	powershell.exe
2552	powershell.exe
2584	powershell.exe
336	powershell.exe
2588	powershell.exe
2224	powershell.exe
2064	powershell.exe
1128	powershell.exe
1108	powershell.exe
2536	powershell.exe
2668	powershell.exe
2828	powershell.exe
2684	Idle.exe
2752	Idle.exe
892	Idle.exe
2532	Idle.exe
2216	Idle.exe
928	Idle.exe
2024	Idle.exe
556	Idle.exe
1920	Idle.exe
2668	Idle.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	DllCommonsvc.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2684	Idle.exe
Token: SeDebugPrivilege	2752	Idle.exe
Token: SeDebugPrivilege	892	Idle.exe
Token: SeDebugPrivilege	2532	Idle.exe
Token: SeDebugPrivilege	2216	Idle.exe
Token: SeDebugPrivilege	928	Idle.exe
Token: SeDebugPrivilege	2024	Idle.exe
Token: SeDebugPrivilege	556	Idle.exe
Token: SeDebugPrivilege	1920	Idle.exe
Token: SeDebugPrivilege	2668	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe	30
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe	30
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe	30
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe	30
PID 2788 wrote to memory of 2712	2788	WScript.exe	31
PID 2788 wrote to memory of 2712	2788	WScript.exe	31
PID 2788 wrote to memory of 2712	2788	WScript.exe	31
PID 2788 wrote to memory of 2712	2788	WScript.exe	31
PID 2712 wrote to memory of 3044	2712	cmd.exe	33
PID 2712 wrote to memory of 3044	2712	cmd.exe	33
PID 2712 wrote to memory of 3044	2712	cmd.exe	33
PID 2712 wrote to memory of 3044	2712	cmd.exe	33
PID 3044 wrote to memory of 2668	3044	DllCommonsvc.exe	89
PID 3044 wrote to memory of 2668	3044	DllCommonsvc.exe	89
PID 3044 wrote to memory of 2668	3044	DllCommonsvc.exe	89
PID 3044 wrote to memory of 2224	3044	DllCommonsvc.exe	90
PID 3044 wrote to memory of 2224	3044	DllCommonsvc.exe	90
PID 3044 wrote to memory of 2224	3044	DllCommonsvc.exe	90
PID 3044 wrote to memory of 2676	3044	DllCommonsvc.exe	91
PID 3044 wrote to memory of 2676	3044	DllCommonsvc.exe	91
PID 3044 wrote to memory of 2676	3044	DllCommonsvc.exe	91
PID 3044 wrote to memory of 2708	3044	DllCommonsvc.exe	92
PID 3044 wrote to memory of 2708	3044	DllCommonsvc.exe	92
PID 3044 wrote to memory of 2708	3044	DllCommonsvc.exe	92
PID 3044 wrote to memory of 2828	3044	DllCommonsvc.exe	93
PID 3044 wrote to memory of 2828	3044	DllCommonsvc.exe	93
PID 3044 wrote to memory of 2828	3044	DllCommonsvc.exe	93
PID 3044 wrote to memory of 2588	3044	DllCommonsvc.exe	94
PID 3044 wrote to memory of 2588	3044	DllCommonsvc.exe	94
PID 3044 wrote to memory of 2588	3044	DllCommonsvc.exe	94
PID 3044 wrote to memory of 2928	3044	DllCommonsvc.exe	95
PID 3044 wrote to memory of 2928	3044	DllCommonsvc.exe	95
PID 3044 wrote to memory of 2928	3044	DllCommonsvc.exe	95
PID 3044 wrote to memory of 2064	3044	DllCommonsvc.exe	96
PID 3044 wrote to memory of 2064	3044	DllCommonsvc.exe	96
PID 3044 wrote to memory of 2064	3044	DllCommonsvc.exe	96
PID 3044 wrote to memory of 2552	3044	DllCommonsvc.exe	97
PID 3044 wrote to memory of 2552	3044	DllCommonsvc.exe	97
PID 3044 wrote to memory of 2552	3044	DllCommonsvc.exe	97
PID 3044 wrote to memory of 2568	3044	DllCommonsvc.exe	98
PID 3044 wrote to memory of 2568	3044	DllCommonsvc.exe	98
PID 3044 wrote to memory of 2568	3044	DllCommonsvc.exe	98
PID 3044 wrote to memory of 2584	3044	DllCommonsvc.exe	99
PID 3044 wrote to memory of 2584	3044	DllCommonsvc.exe	99
PID 3044 wrote to memory of 2584	3044	DllCommonsvc.exe	99
PID 3044 wrote to memory of 2616	3044	DllCommonsvc.exe	100
PID 3044 wrote to memory of 2616	3044	DllCommonsvc.exe	100
PID 3044 wrote to memory of 2616	3044	DllCommonsvc.exe	100
PID 3044 wrote to memory of 1108	3044	DllCommonsvc.exe	101
PID 3044 wrote to memory of 1108	3044	DllCommonsvc.exe	101
PID 3044 wrote to memory of 1108	3044	DllCommonsvc.exe	101
PID 3044 wrote to memory of 1128	3044	DllCommonsvc.exe	102
PID 3044 wrote to memory of 1128	3044	DllCommonsvc.exe	102
PID 3044 wrote to memory of 1128	3044	DllCommonsvc.exe	102
PID 3044 wrote to memory of 2032	3044	DllCommonsvc.exe	103
PID 3044 wrote to memory of 2032	3044	DllCommonsvc.exe	103
PID 3044 wrote to memory of 2032	3044	DllCommonsvc.exe	103
PID 3044 wrote to memory of 1552	3044	DllCommonsvc.exe	104
PID 3044 wrote to memory of 1552	3044	DllCommonsvc.exe	104
PID 3044 wrote to memory of 1552	3044	DllCommonsvc.exe	104
PID 3044 wrote to memory of 2536	3044	DllCommonsvc.exe	105
PID 3044 wrote to memory of 2536	3044	DllCommonsvc.exe	105
PID 3044 wrote to memory of 2536	3044	DllCommonsvc.exe	105
PID 3044 wrote to memory of 2984	3044	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d96bfb8d0ca27b7d251d29343175d137c985c23268440672050ee0af2a0c6961.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Downloads\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PctZQq6COn.bat"
        5⤵
        
        PID:600
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:948
      - C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
        7⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:292
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        9⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:876
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        11⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2664
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        13⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1516
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        15⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2096
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        17⤵
        
        PID:1392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3028
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
        19⤵
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2832
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
        21⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2764
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
        23⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2960
        
        C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\security\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dac9643dd6fe481a70df2570ee3e6a0

SHA1
4c55de9d9e1888068a707db9f97e1634ddffc3ef

SHA256
60857792345ba348b90f6e12ac1ae624403eff021988f5e608f0342a753f3dcd

SHA512
494763f68658283d82fe22c476e5d20e8a75daf6a7799bcff58420d8128bea1961fa7308e762ba0c5a7efc686c5d76f4db07309544bf82a21d2d3ce2e46b08a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c7a944e150127cd496c6633aadae788

SHA1
563861984af62df4620e084eb0c842945845ac05

SHA256
fab22bbcd0e3682046528bab3b4f879894d5104690747cfd26db82b6fe9954c6

SHA512
68e1762977ef3036f8824e151c5a0c33c51eb892245f2c4eee81e3a057a38e28804d7c657eefee591248b6c4289aaac65a1c3123780e6dc26485a37f4f8a4036

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b4f2b6220673744b4c4d1c3232fa239

SHA1
0aef026b4c57897648bdf137270ac4d8c31173af

SHA256
6434a73ea00c0109ecb423e2de67c889e5a3a6d53b255d5959bedcb6c0a38545

SHA512
d7b2982246876be51a768cd3cf3e1465226990471dcdd06c53c786676923b6b3d91046fdf770aef3a4a77cdf57396a68bfa77fc8e835c3c547358f6da43fef22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
008029f3dc4f06e4ad99a252630b36bc

SHA1
5190948c96e1098a4a008a7c53ca1c5fd3f3ebf1

SHA256
480ba0bf2312f49ff4b5115c1651afcf87809eae2a724c5b0d007448816bb76a

SHA512
2bd15eb22daaa2fbfc35537a93658fb5d0d8542de6b31db5be98e970c79bdbec2e54e854464fcee49386be31c0f99cbaa1ecf53c4469c73fc3e063b812cf4b94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3047cb4fb2e1e504a27d8e534783fae

SHA1
a04b271e2d5ca75bf189839491dc6bdf854ba25e

SHA256
baf2f7d880a1278dc6eefd6b6fa323e3c274a0a730587946b92aba28c1b637bd

SHA512
c59dd78320018e31cc2a9021122d87386bec14471241aed4ddb6971801fe041d834b191e6d5f919e4739ffebd2a5d06f40ea26a9ae851e9e2225ad613792357f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08cfeabe59d75536bdf7063a5700ebc8

SHA1
e2594ff7ba668e0aa82a0a48b0499af7fa6d4b1b

SHA256
12177e6b0fa4733f78e7d2d05e3bdee07f3951a7712d31bfaeac867b59876f8e

SHA512
5a4922ec362005ad15988097253c791e116af72c759d9b99c27f5fd15887f5d53f27345eb90c98e2101b77a3eb725eaaff9107c8627af9d5977bcf147d5405d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
856e85ee548d1e030404a33fe2f211f5

SHA1
e107f248b0afac8501571ceef8f026c9a821379a

SHA256
96bdbbbfae2fdd77bbb07d14ec412c3dc1fcf7b96d98d6e6317dc1461fcd9f60

SHA512
cefda47b7b44f60e71dc4a8eeb556a7526fdb997ae4cb4be9fc8eada7a06be4e0c767efa46bf57af97a0af14df39d94e913894f3aa8ac8e7dbc848b941ffac15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe41b9a4f51ac7c0b5f57f5b0d29b818

SHA1
8c90a8d06aed2a135191c3e594f618e38548e89f

SHA256
d7a4083717155d9603144c68c07b3565a9989351f58fd5d2c09ae82d2f9cdaa1

SHA512
62c3121386568041a4d9bf58c416084ed9c938513b3bfddca576d9348e01d2556fe2d75383d727e2c722b8a72cdaa4518eb1abd3cdb038c574bdffcf170a53ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat

Filesize
215B

MD5
71c25d547329939ec36cdb1278b2d980

SHA1
699b16a500afb9d4994c7c54f95dea658d558396

SHA256
bad73564c463e7f3931e32330ca45e2b886545dfcc2533da8dee228024a8a208

SHA512
0b7b1f8c52d5759414cec0ae2e48b92a4a40cd69ee4af0253471c1395d14a1b1fbdfad0ef0e437b45f8a0e9f220c71fac1ada0449c7fbcd313eb58e6effd2818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
215B

MD5
aa0074f008df7d8cf909ee67bb23aa6c

SHA1
3b57799598f942d63de0d6ea2d57c61dba8d0649

SHA256
82544677fe9288ced438791437d0f9f764b3e8d6504f9daa0f302951e434ed57

SHA512
72e787e1ba57ec33f221dfabc6564bc4c2c1409c18d4a9e9404fccd8cef681b8e58d45400d9eccdf6a4e541fcbd18fe218e64afbf6b29ae94d9d61e620faf6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8DD0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

Filesize
215B

MD5
0460600f5120c79c340cfdd3f42ce661

SHA1
abf2a2e573f3ecb2aa19d9afc888accf77ed908f

SHA256
64f22fdd291bb3ca548262a6721abd30baf4c9589fd84511610abe709ec64558

SHA512
c580ba013fb599e855745194532f8c0bc90916216b3b5f7f34a44156ed6010efea13039835385bbba97c15482496464e00a3c2b9d2b23db9404ba9fb49da7812

Download Submit
C:\Users\Admin\AppData\Local\Temp\PctZQq6COn.bat

Filesize
215B

MD5
26de3ba4cc3276d5fb5db91e11f8ff44

SHA1
b0fd53717998ba5ee0b14ced768be0da3988922d

SHA256
fb09d3a70442d4c5c7b238bf08c8e221d32246236d9c5c6d98650564a285d47c

SHA512
cc498c384988d42501c9a2e515559147d8a0d50e0b8a6bc3a2fa98abcab857eaba957f9d8cab6658d5798cb8fd8d0524f5991db1bfab76b8ee96babfe0f88943

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8DE3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat

Filesize
215B

MD5
213f8b12c99ba3af2c6a1a118d9e253c

SHA1
bd4fbc9c2bd767afd60c7153a3ef0b7ead6cfe89

SHA256
edd1d0b8dc638f8acea433bf6362f41b236e901a0c86f0981aaed77e693bcefc

SHA512
3900b7582e4e30fdcbe489b48dee68a79dcc7e3af300802bcc425a81442ab4606ce64aa1fcd0a8d866203b45466a5539a7d810edbc3e4b91f1ad023197ee3c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
215B

MD5
98cd22a54770f1c08b7670454f4b8091

SHA1
ddcdfe58942df0307062984ead8bf2858a50bb37

SHA256
483278216bfe2c31cf8f8d5345b4f57afc83cdbef5a1524547dd7f8784246f72

SHA512
6334111f3bae9f8032b3bd2cf0f3316a8f8e949b7747bbd56884ac7d6ed3cb2f8e5964cb968010db05533aaa433a63c89369d42df5f2a141eaa30d6730824f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

Filesize
215B

MD5
274c0fcb283efd3950024019fd148cb7

SHA1
b1a8ed802e3ed99ff7fe7083bfb4f8323de53399

SHA256
ef116c6280ee3325c7e94e6cd94c545f1e8c2223c72410c7fe6a085608cacafb

SHA512
7bacdd110e226e739b490ed8b2db1f846b2ac42c64fabc0bbb0455fa63ba7eaa9ecb2132858e95ff195b61d4c1fea666eb8c9dfc2df846fd781aac1eb12caf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
215B

MD5
bdc41ee588a0505a11aee873e95b5122

SHA1
47f5c316f24a948df88425fd0928d21b4fa775d9

SHA256
ebb9564f45435ad8111b75fec5abe53809ec848f920095a0bafcb27084848351

SHA512
7bf5fb1475fc66043697ded6c6d05fd5ffd07a026df86581a8a65a98094cfb8772e141395b4de61b4c06a696f5bfefe1036f7b978a7fbc2b5564a1d76b40a85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
215B

MD5
fb0eca3546c2e63816deb615c1557dbd

SHA1
5905226cdd93a9fc686ff2fe0313ab4bf55d201f

SHA256
0eec29f21619efa6970d48040c1646e83fe12458e520f8476dbc44557f80e1db

SHA512
c0ec7bdd9f276b4c200997fa06a1eb8ee67488ee0f52fef08b2554b73b66779667abbde09e09e64afa395e8d7d99369e61ff174caf38a94cacfafb603fa744ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
215B

MD5
5a06569d61b4080637424b705f981ba0

SHA1
20907505e0e97f16cd8d8c4aa702c5d6b89d820f

SHA256
288a8030736649f3a42aa168af2d62a94e50e41c4106ffca08b44fd27d2c7e43

SHA512
7246bba4fe36fce873f0ad6e69d85fb5657a2674c278c26e6b13ad0bacaf6678762476e292c04db190e0919df3a1529c66b5fcc160caec6df38c9e27f5130cf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2086867070fe4d8b92c28c8dae38d0b4

SHA1
5caa8ab9ee25f73e1b040ea32cc38904a054edc0

SHA256
24625e6216cc68e5376fd5ffd244ccaab63db7b21294b95143b0da27ab9c0f13

SHA512
6c26163f65fa9221c4eb9e9049f84649a2a071cdb0283294d919027997eede6834d9185c8353fbfd168bf0b6958aeb7a9fda2c2a90264d5c4627174902129042

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/556-580-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/892-277-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/892-278-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/928-459-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/1920-640-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2024-520-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2024-519-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2216-399-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2532-339-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2532-338-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2616-63-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2616-73-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2684-158-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2684-157-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2752-217-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/3044-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/3044-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3044-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/3044-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/3044-13-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download