dcrat | 22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe
Size

1.3MB
MD5

04a2d3baac9da92eb3a33c9a99be2873
SHA1

73ec9084df7f54092937bf3cb4334b9a967f3e39
SHA256

22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4
SHA512

b8470be43316b5995a490d919377bc25f9dd05a2d8563daa6ee9838c677efe7aa648a03bc6359c27e5f4811e8515d738f962ebe87cada78c317e0f176549c234
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2808	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000e00000001866e-9.dat	dcrat
behavioral1/memory/2704-13-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3036-150-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/884-327-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/1332-387-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/3004-447-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2336-508-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/1924-568-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2256-747-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2108	powershell.exe
2628	powershell.exe
2732	powershell.exe
1424	powershell.exe
796	powershell.exe
2660	powershell.exe
1840	powershell.exe
2788	powershell.exe
2676	powershell.exe
1060	powershell.exe
2800	powershell.exe
1916	powershell.exe
2568	powershell.exe
2588	powershell.exe
2548	powershell.exe
2684	powershell.exe
2784	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2704	DllCommonsvc.exe
3036	wininit.exe
2720	wininit.exe
1072	wininit.exe
884	wininit.exe
1332	wininit.exe
3004	wininit.exe
2336	wininit.exe
1924	wininit.exe
808	wininit.exe
1636	wininit.exe
2256	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	cmd.exe
2648	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\servicing\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2216	schtasks.exe
1716	schtasks.exe
1476	schtasks.exe
2496	schtasks.exe
1856	schtasks.exe
900	schtasks.exe
1932	schtasks.exe
1176	schtasks.exe
1592	schtasks.exe
1036	schtasks.exe
1216	schtasks.exe
1784	schtasks.exe
2088	schtasks.exe
1096	schtasks.exe
2184	schtasks.exe
1744	schtasks.exe
2560	schtasks.exe
2860	schtasks.exe
2416	schtasks.exe
532	schtasks.exe
2820	schtasks.exe
988	schtasks.exe
2528	schtasks.exe
1936	schtasks.exe
1432	schtasks.exe
2980	schtasks.exe
2384	schtasks.exe
1704	schtasks.exe
588	schtasks.exe
2640	schtasks.exe
648	schtasks.exe
2852	schtasks.exe
3056	schtasks.exe
2988	schtasks.exe
984	schtasks.exe
884	schtasks.exe
1984	schtasks.exe
2992	schtasks.exe
2432	schtasks.exe
1724	schtasks.exe
1988	schtasks.exe
304	schtasks.exe
2776	schtasks.exe
2760	schtasks.exe
2016	schtasks.exe
2056	schtasks.exe
1536	schtasks.exe
2388	schtasks.exe
1668	schtasks.exe
2092	schtasks.exe
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2704	DllCommonsvc.exe
1424	powershell.exe
2628	powershell.exe
2676	powershell.exe
2784	powershell.exe
2800	powershell.exe
2792	powershell.exe
2788	powershell.exe
2660	powershell.exe
796	powershell.exe
2732	powershell.exe
2548	powershell.exe
1060	powershell.exe
2108	powershell.exe
1840	powershell.exe
2588	powershell.exe
1916	powershell.exe
2684	powershell.exe
2568	powershell.exe
3036	wininit.exe
2720	wininit.exe
1072	wininit.exe
884	wininit.exe
1332	wininit.exe
3004	wininit.exe
2336	wininit.exe
1924	wininit.exe
808	wininit.exe
1636	wininit.exe
2256	wininit.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	DllCommonsvc.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3036	wininit.exe
Token: SeDebugPrivilege	2720	wininit.exe
Token: SeDebugPrivilege	1072	wininit.exe
Token: SeDebugPrivilege	884	wininit.exe
Token: SeDebugPrivilege	1332	wininit.exe
Token: SeDebugPrivilege	3004	wininit.exe
Token: SeDebugPrivilege	2336	wininit.exe
Token: SeDebugPrivilege	1924	wininit.exe
Token: SeDebugPrivilege	808	wininit.exe
Token: SeDebugPrivilege	1636	wininit.exe
Token: SeDebugPrivilege	2256	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1060	2460	JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe	31
PID 2460 wrote to memory of 1060	2460	JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe	31
PID 2460 wrote to memory of 1060	2460	JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe	31
PID 2460 wrote to memory of 1060	2460	JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe	31
PID 1060 wrote to memory of 2648	1060	WScript.exe	32
PID 1060 wrote to memory of 2648	1060	WScript.exe	32
PID 1060 wrote to memory of 2648	1060	WScript.exe	32
PID 1060 wrote to memory of 2648	1060	WScript.exe	32
PID 2648 wrote to memory of 2704	2648	cmd.exe	34
PID 2648 wrote to memory of 2704	2648	cmd.exe	34
PID 2648 wrote to memory of 2704	2648	cmd.exe	34
PID 2648 wrote to memory of 2704	2648	cmd.exe	34
PID 2704 wrote to memory of 1916	2704	DllCommonsvc.exe	87
PID 2704 wrote to memory of 1916	2704	DllCommonsvc.exe	87
PID 2704 wrote to memory of 1916	2704	DllCommonsvc.exe	87
PID 2704 wrote to memory of 2660	2704	DllCommonsvc.exe	88
PID 2704 wrote to memory of 2660	2704	DllCommonsvc.exe	88
PID 2704 wrote to memory of 2660	2704	DllCommonsvc.exe	88
PID 2704 wrote to memory of 2800	2704	DllCommonsvc.exe	89
PID 2704 wrote to memory of 2800	2704	DllCommonsvc.exe	89
PID 2704 wrote to memory of 2800	2704	DllCommonsvc.exe	89
PID 2704 wrote to memory of 796	2704	DllCommonsvc.exe	90
PID 2704 wrote to memory of 796	2704	DllCommonsvc.exe	90
PID 2704 wrote to memory of 796	2704	DllCommonsvc.exe	90
PID 2704 wrote to memory of 1424	2704	DllCommonsvc.exe	91
PID 2704 wrote to memory of 1424	2704	DllCommonsvc.exe	91
PID 2704 wrote to memory of 1424	2704	DllCommonsvc.exe	91
PID 2704 wrote to memory of 2628	2704	DllCommonsvc.exe	92
PID 2704 wrote to memory of 2628	2704	DllCommonsvc.exe	92
PID 2704 wrote to memory of 2628	2704	DllCommonsvc.exe	92
PID 2704 wrote to memory of 1060	2704	DllCommonsvc.exe	93
PID 2704 wrote to memory of 1060	2704	DllCommonsvc.exe	93
PID 2704 wrote to memory of 1060	2704	DllCommonsvc.exe	93
PID 2704 wrote to memory of 2732	2704	DllCommonsvc.exe	95
PID 2704 wrote to memory of 2732	2704	DllCommonsvc.exe	95
PID 2704 wrote to memory of 2732	2704	DllCommonsvc.exe	95
PID 2704 wrote to memory of 2676	2704	DllCommonsvc.exe	96
PID 2704 wrote to memory of 2676	2704	DllCommonsvc.exe	96
PID 2704 wrote to memory of 2676	2704	DllCommonsvc.exe	96
PID 2704 wrote to memory of 2108	2704	DllCommonsvc.exe	97
PID 2704 wrote to memory of 2108	2704	DllCommonsvc.exe	97
PID 2704 wrote to memory of 2108	2704	DllCommonsvc.exe	97
PID 2704 wrote to memory of 2792	2704	DllCommonsvc.exe	98
PID 2704 wrote to memory of 2792	2704	DllCommonsvc.exe	98
PID 2704 wrote to memory of 2792	2704	DllCommonsvc.exe	98
PID 2704 wrote to memory of 2784	2704	DllCommonsvc.exe	99
PID 2704 wrote to memory of 2784	2704	DllCommonsvc.exe	99
PID 2704 wrote to memory of 2784	2704	DllCommonsvc.exe	99
PID 2704 wrote to memory of 2788	2704	DllCommonsvc.exe	100
PID 2704 wrote to memory of 2788	2704	DllCommonsvc.exe	100
PID 2704 wrote to memory of 2788	2704	DllCommonsvc.exe	100
PID 2704 wrote to memory of 2684	2704	DllCommonsvc.exe	101
PID 2704 wrote to memory of 2684	2704	DllCommonsvc.exe	101
PID 2704 wrote to memory of 2684	2704	DllCommonsvc.exe	101
PID 2704 wrote to memory of 1840	2704	DllCommonsvc.exe	102
PID 2704 wrote to memory of 1840	2704	DllCommonsvc.exe	102
PID 2704 wrote to memory of 1840	2704	DllCommonsvc.exe	102
PID 2704 wrote to memory of 2548	2704	DllCommonsvc.exe	103
PID 2704 wrote to memory of 2548	2704	DllCommonsvc.exe	103
PID 2704 wrote to memory of 2548	2704	DllCommonsvc.exe	103
PID 2704 wrote to memory of 2588	2704	DllCommonsvc.exe	104
PID 2704 wrote to memory of 2588	2704	DllCommonsvc.exe	104
PID 2704 wrote to memory of 2588	2704	DllCommonsvc.exe	104
PID 2704 wrote to memory of 2568	2704	DllCommonsvc.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22fcdb01b7cdab439cdc2474a34dc6b3a5f00f8487cd849069da4cf55b09b6f4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Media Center Programs\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\logMsSBVvy.bat"
        5⤵
        
        PID:1372
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2816
      - C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        7⤵
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:348
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        9⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2688
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
        11⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1732
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        13⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2520
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        15⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1260
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        17⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1488
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        19⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:580
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        21⤵
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1440
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        23⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2888
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        25⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:900
        
        C:\Users\Public\Downloads\wininit.exe
        
        "C:\Users\Public\Downloads\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d75b6f099e266134b0569bc9282a6a1

SHA1
07789d4cab4f3f89630bcc8cb05234c7186ce7b8

SHA256
306c978f28d43ab0747346cd2e2e53d84cb4f0a09d9305bb70c263cbc018bc20

SHA512
27b0fb0831b614430f3e4f595009a3b463ca245556d955fd822fca6d3c2414d8a547e1d6daf9a9a310b3c62002b12acb86e71b9d287e2085d685a2521ef33548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b19b1eb6234fc18802c33a607329d2b

SHA1
96a0215ae8e91a2c69ad019f58bf95dddb2a9eae

SHA256
fb01c1deab65fcb22a7b570f1477c08e2a00a4b46a7eb29b9f7b7451c06a882a

SHA512
ccf3d9fe08342ae483e13302ad97e9be0a4847d0ff4bb0f17659872b26183ed34f4d4ed427f36b975c577c3299189d7d85831f69c97b359fe882bfbb5e3ec4ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f6d72034b1682917a8e7b36a3baa997

SHA1
38d0f0ea773c9370159ddf208d30a1dfcd3ca409

SHA256
9f0a042b4da33aab6a1707ac07729fa2bcbd31ed054eb07b1e5fb871ce5c5c52

SHA512
d45841202619298409d5ab6bb9cd76f7a5f18b3e2edd0edf1b7c2922b9f98228299823945f2092626c2ec691013335eab4d1566025c6feb83a8b303fd5c70fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de1dde13ed1c69aa70d6e83446d3d7e2

SHA1
42c302e6df6f310b95091849b2c594186e27b0c9

SHA256
7900e16b0b0b1a6496c5eead518ff333dc14c7f7ebbced566c41a7c9f3ddf9d1

SHA512
d4a077836f37db2e56cc7534672ebfa82ea6e0cf8922c9f60aa6fea2709a04eede2b2621f495620283b60728ee5d578e04480de877d9588fcc3ffc208e58e361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c92883a9ac2a7919f3446e19a09457b6

SHA1
56847e8ef03869f503dea29942effd991d1c3650

SHA256
1257064525b85fa325c5f73dd0e00ec84f20a03080e7a24066a9d99b332bbec1

SHA512
f5c3a615c3c1f5d12340ad91cd302590f9075423a9e018d925c47f785b2a366ef1f2de3e2754c660a0a2e0c96d2d845f6c7462c131ef5ce28a8a933c6d2e8c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb905a2c912e6396474a3e98794d8ca4

SHA1
8f869ec5f8feb65bc62bf1e3431dd4020bdcc1b3

SHA256
cc24c4af80bee6da7934efe6f770d342f4afb065a05e4247db399473380fcc6e

SHA512
2b78c3fe7cf7bb0d6b88e984cc7094e89a8017a4a2815bd6f37f65358a1ab23e0bc1a954d33ad913c17e59513138117422aad678500d9c9570e6497ec1237f3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6fc396f4ca4dd991099956d5280b361

SHA1
a6b0bc001f9e5dc82a7f7f2c61c68b2f7ed9d3f0

SHA256
72b097e93d92f3406b17eae57f7468da4a6a0a84612c31f4e9d34c465a170156

SHA512
137bd0bbc9fe9e8d66e23a66b4ad75454c6ab4ee819e7eb6ec0551381ae94032aef61005f86501b016d49ce15a667ce532d2bf69c5cb9908f137f04a7573f212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d360453232bb37e7d9d7392ba627bce

SHA1
cd35ea1bf5fb934618dd47e96fb93af0f5e493f3

SHA256
09b9b1fcd260c9868c55696815911add2bfd395f4e01e2f6753b520f639d3caf

SHA512
87e661402c7a530788b59d857024660fb646f7aa47302e9fd4bd3c5e615791f6bb698d105335fa48b5fa9b5c33f7c323addd658c69437c47bdcfc6153637b273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91e530391902c69f5b15fee0b3adb045

SHA1
aceece13941b4053121b144b513f14003ba54ab9

SHA256
72e038932b941bdc9485d3c7d9e6cd49eb2e5ade70f3fce6ecc1e27be848718a

SHA512
8a941ee292c3b180270d1633ea2180d702198c59b8bd2c313f564cc97af0311e87c379c55a6c0dc6fe6839fd7050b38784f189a0ff692e40da8a2c6fa4bf5b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D31.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

Filesize
202B

MD5
07b06ff90a0325dc4b3afd813f666c87

SHA1
29624e8e952085e84c330b6fb2e077f7bd6c9d6b

SHA256
471024f8636dfe4b5fda7c1e23dfe2d03bb97c71c52066a8088efcd90e766b48

SHA512
3394cf4511a7cd49553df8f3b3eb415b9a8f4f549a5a924c98155cb5e7fa155da5b303a6dff5ac2fad2ed9a55ebe39fd76f202785c3cdfeb98a98e44b9139b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
202B

MD5
1856f34adae246bb3427b330fd98694a

SHA1
c88fcd1cff22affd7339afc29db6214d1fb7d9a3

SHA256
5b62435ec3157c58f2b38e15687da5754a53caf038f53c9c4ec7eb544fcacdb2

SHA512
1fc10240daaf1d07b1548851a299b99285a200f8e44de2ea06cf1bc8f6d83cbb067c2f9595b59627eda52d21e7275b993236726bade3be0ef3c7db687664f007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
202B

MD5
5f5ebc74172b31584c5baa4087e988f4

SHA1
83600f7674c578ed3640fc9f02b32cd917b871ed

SHA256
1c1ddd6ba65f391401fc4112609ccde44dce61bd7580ce61fe89af75b11632f1

SHA512
0fa741044f87196adfff2e62934ec66827ff8e341f5f75b7ce964618c7c266231758145645d56ef605b124e931c9997ded4fe763567db4ede548b42f77cea7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
202B

MD5
d1837d1adce4658568b84033d051ebea

SHA1
a04887d2de9a816149567e3d8926a85d35aa6136

SHA256
0b16640fe516acc10e19762e20bc0168d306bcbcce32648797e9e5e0b2e23f0c

SHA512
d1cec11eebaddb8a903645a9726adf07962f046e2e16259421b6a985da5445089edc20c5d8a0f478ef85747453a36f052f0ff639822d30c10d66323d0a61eac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
202B

MD5
d03e80bf867d48cc378ff8b2b3a7ca2f

SHA1
94fcc1a93647a420c001b548e32267b8a265da3d

SHA256
a64c8d9c25fab427d21a2cfa8b7f8495ffd9c677b5bf935f6cd97b6d3863a40a

SHA512
7853c6ddd42821502c69e23fcc6d71d3119d096cea5ff8ffd919097a4ed1904d492fb8c882da1f19a248a7b9a5ad6847b055f11eadd8be3860b19b93c05ddb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D53.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
202B

MD5
4db1328c8187db1389bc7d21ef8d78a9

SHA1
719d35a82fa2461c66090eb56a8f0d750dfb47f1

SHA256
ed12d41dacac0aee5b26eaf53b1acdc5c43cc9c6f29c2d64e9b1c03f6fa9fd86

SHA512
7b4d03fdf75deffcb244553e76b2c31fed68b6fbe8575f2f3a4171786222656bcbcaafe90ce9a25e36f12b54838d46d1163b5426027b5f8e897ae0b127c06029

Download Submit
C:\Users\Admin\AppData\Local\Temp\logMsSBVvy.bat

Filesize
202B

MD5
aeed1899171a88adcf94cabd7da41a89

SHA1
1ccf338cd8de078a8c7d816e2208a374f9ff7d2b

SHA256
499cc1514bd7728fe0c459dad95f5479e8493a1ad3b41d98ae72e07cff3b2e89

SHA512
1cd1f7c2284147cb170983e2604ecea89f30cdb6a4fab6823ff62015699f45b371fee8cdce79a34cbc771f19e6258dbed1b645ee1d678c242ebdd3ae397136aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
202B

MD5
28d40bc578517da93c80052501cf2ecf

SHA1
4a5d4706ddeb90ae5718dc7facea30ebea265ace

SHA256
531dc8e84c8b086f823f4b433a1915e17e0b97e801305f0def052964be3c575f

SHA512
ea86977ceb632c1af3f5b0a0eb75cbcc850d8b4c0c21d6a9e69512928b2269e12f1e1f7a3654426051f55d58487db3d6a0228b4e11b3a2170671f9ded88be8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
202B

MD5
b5b7389a7e0b010fa83a8069e21462c1

SHA1
c2a2d07e2a31ad1bb0f01cef41344b6d52b52381

SHA256
eec80af481d9810e49e8ca1617cce59bc58b6f0b06877be7bb30530aeb529bc9

SHA512
727a7ae85fc9ab66450551acfb1b938aa54a4d2f243e9770ac65c6287665dfe4c3feb66ec58caa7360a74d886d4ff79d8bc5733fdf2fae835072d95b189587d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
202B

MD5
a6086e2bfba3ae6600323e442cb4a197

SHA1
4f6df7d12a0a0bb731dc0e3ce33013b634f247be

SHA256
5880a4d9fc6393c800e4a2e548725d36742da9285ee8833c9eba1435fb0c16dc

SHA512
cff6be57f1dab05d718aae1f919735a79a5b029d9476a5a4e90eeba19aae5805c91b97f994e833a5a081f7ce5cded5d0b462c32493a4dba548b3bcd053e3b59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
202B

MD5
f2c4092fbf811f06f3a8ca3949e0d432

SHA1
31e714374db1640649577c38769d258828001f9b

SHA256
330c72469dbc74fd40a0cd2fa06faf5ebd6640bc6f84e569a3434b174ec3ea41

SHA512
fce56a0b32095f121c859716934712fa7055810ce9701facf5894e870c1b16bf7f2e0c88dabfa9f80faf92d04ea26d756f96187227c356cfe05cd20f36ba864c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
282241a8a4f88647d2193027ef7807f0

SHA1
46e4daea228999e01da7a5c23786995fcbb945f8

SHA256
08697f8d61837ee108be5d1f0f7a2a8d19ab3e8e81f8623461865488197ae2e5

SHA512
bc5fe192ffbb1f7b3746d29724b510123a705cb87c611dc05a22a93d83f1c47997922f1db27ceef4b99a1ae8024896d80be06c504a30eb6b4b534113b3bdc2b0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/884-327-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/1332-387-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1424-61-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1424-60-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1636-687-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1924-568-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2256-747-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2336-508-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2704-17-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2704-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2704-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2704-14-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2704-13-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/3004-448-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/3004-447-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/3036-150-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download