dcrat | 9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Size

1.3MB
MD5

554da9e9950ed9a42772fd70e291a0ba
SHA1

099eaddabec2e6de93d8421363472234ddca8d9e
SHA256

9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403
SHA512

d237de309486d1c259177f057db7395da2a733d2b146b2485e1199d77298aeeec3805b0ae89ef9f1a1f018b522fe9a15f51299c71718ad0e9e21e7150974aafb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2576	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186bf-10.dat	dcrat
behavioral1/memory/2968-13-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/2376-56-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2704-202-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/2348-262-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/3068-441-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2364-501-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/3036-561-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2064	powershell.exe
2980	powershell.exe
2880	powershell.exe
2572	powershell.exe
2736	powershell.exe
2712	powershell.exe
3000	powershell.exe
2828	powershell.exe
2660	powershell.exe
1592	powershell.exe
2700	powershell.exe
2852	powershell.exe
2760	powershell.exe
1632	powershell.exe
2720	powershell.exe
2140	powershell.exe
1916	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2968	DllCommonsvc.exe
2376	sppsvc.exe
2704	sppsvc.exe
2348	sppsvc.exe
1284	sppsvc.exe
2036	sppsvc.exe
3068	sppsvc.exe
2364	sppsvc.exe
3036	sppsvc.exe
2168	sppsvc.exe
1488	sppsvc.exe
1816	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	cmd.exe
2856	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\servicing\Sessions\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\servicing\fr-FR\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2308	schtasks.exe
1964	schtasks.exe
1744	schtasks.exe
860	schtasks.exe
1692	schtasks.exe
2536	schtasks.exe
1028	schtasks.exe
1488	schtasks.exe
2404	schtasks.exe
812	schtasks.exe
2608	schtasks.exe
2476	schtasks.exe
2668	schtasks.exe
1932	schtasks.exe
1036	schtasks.exe
2588	schtasks.exe
1092	schtasks.exe
2344	schtasks.exe
2928	schtasks.exe
2888	schtasks.exe
896	schtasks.exe
1936	schtasks.exe
2336	schtasks.exe
1768	schtasks.exe
2220	schtasks.exe
2072	schtasks.exe
2372	schtasks.exe
2484	schtasks.exe
688	schtasks.exe
892	schtasks.exe
2280	schtasks.exe
2172	schtasks.exe
1044	schtasks.exe
3044	schtasks.exe
2128	schtasks.exe
1968	schtasks.exe
1332	schtasks.exe
1296	schtasks.exe
920	schtasks.exe
2532	schtasks.exe
1788	schtasks.exe
576	schtasks.exe
836	schtasks.exe
2068	schtasks.exe
1100	schtasks.exe
2328	schtasks.exe
2652	schtasks.exe
2456	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2704	sppsvc.exe
2348	sppsvc.exe
1284	sppsvc.exe
2036	sppsvc.exe
3068	sppsvc.exe
2364	sppsvc.exe
3036	sppsvc.exe
2168	sppsvc.exe
1488	sppsvc.exe
1816	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2968	DllCommonsvc.exe
2968	DllCommonsvc.exe
2968	DllCommonsvc.exe
2968	DllCommonsvc.exe
2968	DllCommonsvc.exe
2760	powershell.exe
2064	powershell.exe
2140	powershell.exe
1632	powershell.exe
1916	powershell.exe
1592	powershell.exe
2828	powershell.exe
3000	powershell.exe
2736	powershell.exe
2660	powershell.exe
2852	powershell.exe
2700	powershell.exe
2880	powershell.exe
2720	powershell.exe
2980	powershell.exe
2572	powershell.exe
2712	powershell.exe
2376	sppsvc.exe
2704	sppsvc.exe
2348	sppsvc.exe
1284	sppsvc.exe
2036	sppsvc.exe
3068	sppsvc.exe
2364	sppsvc.exe
3036	sppsvc.exe
2168	sppsvc.exe
1488	sppsvc.exe
1816	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	DllCommonsvc.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2376	sppsvc.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2704	sppsvc.exe
Token: SeDebugPrivilege	2348	sppsvc.exe
Token: SeDebugPrivilege	1284	sppsvc.exe
Token: SeDebugPrivilege	2036	sppsvc.exe
Token: SeDebugPrivilege	3068	sppsvc.exe
Token: SeDebugPrivilege	2364	sppsvc.exe
Token: SeDebugPrivilege	3036	sppsvc.exe
Token: SeDebugPrivilege	2168	sppsvc.exe
Token: SeDebugPrivilege	1488	sppsvc.exe
Token: SeDebugPrivilege	1816	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3000	2944	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2944 wrote to memory of 3000	2944	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2944 wrote to memory of 3000	2944	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2944 wrote to memory of 3000	2944	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 3000 wrote to memory of 2856	3000	WScript.exe	31
PID 3000 wrote to memory of 2856	3000	WScript.exe	31
PID 3000 wrote to memory of 2856	3000	WScript.exe	31
PID 3000 wrote to memory of 2856	3000	WScript.exe	31
PID 2856 wrote to memory of 2968	2856	cmd.exe	33
PID 2856 wrote to memory of 2968	2856	cmd.exe	33
PID 2856 wrote to memory of 2968	2856	cmd.exe	33
PID 2856 wrote to memory of 2968	2856	cmd.exe	33
PID 2968 wrote to memory of 2660	2968	DllCommonsvc.exe	83
PID 2968 wrote to memory of 2660	2968	DllCommonsvc.exe	83
PID 2968 wrote to memory of 2660	2968	DllCommonsvc.exe	83
PID 2968 wrote to memory of 2064	2968	DllCommonsvc.exe	85
PID 2968 wrote to memory of 2064	2968	DllCommonsvc.exe	85
PID 2968 wrote to memory of 2064	2968	DllCommonsvc.exe	85
PID 2968 wrote to memory of 1592	2968	DllCommonsvc.exe	86
PID 2968 wrote to memory of 1592	2968	DllCommonsvc.exe	86
PID 2968 wrote to memory of 1592	2968	DllCommonsvc.exe	86
PID 2968 wrote to memory of 1632	2968	DllCommonsvc.exe	89
PID 2968 wrote to memory of 1632	2968	DllCommonsvc.exe	89
PID 2968 wrote to memory of 1632	2968	DllCommonsvc.exe	89
PID 2968 wrote to memory of 2980	2968	DllCommonsvc.exe	90
PID 2968 wrote to memory of 2980	2968	DllCommonsvc.exe	90
PID 2968 wrote to memory of 2980	2968	DllCommonsvc.exe	90
PID 2968 wrote to memory of 2700	2968	DllCommonsvc.exe	91
PID 2968 wrote to memory of 2700	2968	DllCommonsvc.exe	91
PID 2968 wrote to memory of 2700	2968	DllCommonsvc.exe	91
PID 2968 wrote to memory of 2880	2968	DllCommonsvc.exe	92
PID 2968 wrote to memory of 2880	2968	DllCommonsvc.exe	92
PID 2968 wrote to memory of 2880	2968	DllCommonsvc.exe	92
PID 2968 wrote to memory of 2852	2968	DllCommonsvc.exe	96
PID 2968 wrote to memory of 2852	2968	DllCommonsvc.exe	96
PID 2968 wrote to memory of 2852	2968	DllCommonsvc.exe	96
PID 2968 wrote to memory of 2828	2968	DllCommonsvc.exe	97
PID 2968 wrote to memory of 2828	2968	DllCommonsvc.exe	97
PID 2968 wrote to memory of 2828	2968	DllCommonsvc.exe	97
PID 2968 wrote to memory of 2720	2968	DllCommonsvc.exe	98
PID 2968 wrote to memory of 2720	2968	DllCommonsvc.exe	98
PID 2968 wrote to memory of 2720	2968	DllCommonsvc.exe	98
PID 2968 wrote to memory of 2572	2968	DllCommonsvc.exe	99
PID 2968 wrote to memory of 2572	2968	DllCommonsvc.exe	99
PID 2968 wrote to memory of 2572	2968	DllCommonsvc.exe	99
PID 2968 wrote to memory of 1916	2968	DllCommonsvc.exe	100
PID 2968 wrote to memory of 1916	2968	DllCommonsvc.exe	100
PID 2968 wrote to memory of 1916	2968	DllCommonsvc.exe	100
PID 2968 wrote to memory of 3000	2968	DllCommonsvc.exe	101
PID 2968 wrote to memory of 3000	2968	DllCommonsvc.exe	101
PID 2968 wrote to memory of 3000	2968	DllCommonsvc.exe	101
PID 2968 wrote to memory of 2140	2968	DllCommonsvc.exe	102
PID 2968 wrote to memory of 2140	2968	DllCommonsvc.exe	102
PID 2968 wrote to memory of 2140	2968	DllCommonsvc.exe	102
PID 2968 wrote to memory of 2760	2968	DllCommonsvc.exe	103
PID 2968 wrote to memory of 2760	2968	DllCommonsvc.exe	103
PID 2968 wrote to memory of 2760	2968	DllCommonsvc.exe	103
PID 2968 wrote to memory of 2712	2968	DllCommonsvc.exe	104
PID 2968 wrote to memory of 2712	2968	DllCommonsvc.exe	104
PID 2968 wrote to memory of 2712	2968	DllCommonsvc.exe	104
PID 2968 wrote to memory of 2736	2968	DllCommonsvc.exe	105
PID 2968 wrote to memory of 2736	2968	DllCommonsvc.exe	105
PID 2968 wrote to memory of 2736	2968	DllCommonsvc.exe	105
PID 2968 wrote to memory of 2376	2968	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        6⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2836
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        8⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2952
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        10⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1368
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        12⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2956
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
        14⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3040
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        16⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2348
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        18⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3004
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        20⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2124
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        22⤵
        
        PID:1048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1988
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
        24⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1460
        
        C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce6bf6d9281dee3b9b83957a3e287ebd

SHA1
650c464fdd492620cf9213b1e25f1bf917e8642b

SHA256
3407d9511505557cfdb24c68257a4c84a7a9cd2f9bd752d2b86ea9d80b9d06bb

SHA512
9d893eeba28ded77ee0e0fd5de6052a4627a5bcd6f8619be9039aac4732bf9f837779c7a2381e4daeeca87d2fceb0843d7316150152cd04b0b49f7869ffe3d47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c2e7ceab67e5ba2fd5d0e29c77ecde7

SHA1
71986d9bdf856428b8b4e78cbbd86550d36f9e3d

SHA256
12a595fb81fa74097bfecbf8232416425c1d56bef1ee4ebdd17c5718d959fd55

SHA512
5919b841efce6010c80c57080179e77b3f17b0b948cea0274cc91d3b84eb0def9bb018d11e41a3b837bb7f2fc10fd3daa476a7cecf532f6165ce4125142b9d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a93dfd000f9bb169361072c0c535332

SHA1
ec3d533a3d6a737beba677155bfb06e646cdc965

SHA256
09c6c398c5a38a00aa03af779dce0f866429a1cf2e296ce7625ee5e971e92893

SHA512
5be9bb1f314102992e134a41521fb636d17254c8edda9ee4ee0f7e47772b58c3d9f4ad61eb1701997085e78f3e23b15e60ab8244a1ff61b28a0f1eb3c9bfd80c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6691ade49f200758850566d01a2940e6

SHA1
715132747585919d6437e8ac1db621368fb814d8

SHA256
70111ee30b793b0bca85487e358bfd7cb11f0a028afff3ece2d050be8bcb711d

SHA512
52548f1bbbdd4ad796a80f90f177fc256766786b21c216841f842bac3474e56f074bb13fe19fbea5c79b1ea270ff1879ef0f0b01d30306f58749e0451d7a609c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75f24a7814f8a6a2a6224c1ab8d9e18e

SHA1
54295e5404ad04c7e34175ff5b2de05fbc73f7ca

SHA256
23e5b9e8e18e846ce5bdc261573a68075003d7f772a0142b1debe6d03c8476fd

SHA512
916abcbc723ae63f12f048a22f427125a1b77fe7fee63971546d7dddc8007a0671a2f5670a17b65adc54892779efa063accafc1f15771b32f3c5645580bd665b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f10e432f5750c195ccdef2a61b4f09a8

SHA1
2a77b44e56afa0afd716c640792e305b2d962516

SHA256
04ce4c27e11e5bd1a7e013f8aa46bb628b0baa8722865d01bb3cd72a0aae0e33

SHA512
6340740ad8d326cb2e57acfb8a3569c2e128818500799891825b4fe75b68406e0785e35ed0baa4347b3be41ebd53db394a5acb65a92b13d613d5d0a9c81eb311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bb0a977b926b167f87095776aeb1649

SHA1
fa905917bf9d9758cd825725557f0d4d8abb7a1a

SHA256
9783e1273e7d8a47d8671e888004abb12700cbf10e459f287df7d9601af26029

SHA512
500db00227790a111d0f248c37f66ff37d6f33d1b1e3b621ba171b48dc23f81486d6acd4d589ca5e145d94eb6beb7ca54887b0b1aabd72dbbe8365b05107ec18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c83e3dfb0094848f83294c14848ce41b

SHA1
1c3e28e47a881853c33728a121b1ad3bc721765b

SHA256
eb9d665faeddea49f15defd89f4141d0ce7eb4d239e7512cd6704611b2aaacbe

SHA512
1fe193a4269731347fe1a4413cb372cb87c3fc82bbac8fa3e7d1c5b5f26d6be8caeb80a46982556857ed3c0732aeb554b6175da94918bbc840269ec36d0f580f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab3d41ac7ed42fcfb2d7f223f346f4b

SHA1
c2f0ecb615648ea7ef95ca493390804027faafb0

SHA256
50613c1a344411ec29ee742c9a1c7659e5b9d9d15ed25883333d96c0cf547a0d

SHA512
7d0b27ed65479284e1d0e99be8cedf439d2ef35adf680d766016ec21d45995100ee5e868594af9a8a1623f9deeab6771a89101328c14ef282694a80371f0d5a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6d874988d1ee7d9c01edb2d76b693b5

SHA1
36d4dfb8fa70a575a789b5cb64d0502499aae5b5

SHA256
8bca591c95210720ea08013faca7cba5264910eb405465c654caf137a0a96e6c

SHA512
f6c34a3e69f499e4ffe65e04295904e00f415c85a1fe207915c54b8b8de87906ad6b71b2903dae662420299cfe7e6222c6f019a76fb448ceeba9e67a5cdd13e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
225B

MD5
172eacadeb42f1d92a41d2c13a656d81

SHA1
745c89c1a31f007fa5d3023564e7a7d0b9488633

SHA256
85eee6bf56adf2027f3882e12e3e48d57fbb479c4c5978aaecea7067308e907a

SHA512
30785f9305002a2712eecbced0a737c30b13c1af08dcff7be5471f8bdec40902f6fe543be60889215d8f1d5ff45886c51102463b9c579b3b0df48fed498dc3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
225B

MD5
a55d603d2c14c9a0c7c663541ea7d83b

SHA1
33719c66b0788df05a9f79f8d263e94a11221c2e

SHA256
7fa0c44e4de89d58541c70c50dff86a0acde6376dcf9d3018073cb8d55afe180

SHA512
ba0c5deaeb193814d29744393308fc49c6ffc7b2448d1c800fd1de9887ad1120fbe6f83373cb405a55ddfc8216edbb12c3b26809da9c9c212c034afc57b75625

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

Filesize
225B

MD5
b45b4ed3530b2f53b26048444f8d1aee

SHA1
cd893ca17a4faa70a463142271d1e0f3b2c9804d

SHA256
9a391006f8f2ad0b79ecebd0ddae57e4555cc51d24e507613d2acdab932fe38f

SHA512
244ac7757a0cada350574e97cd74f2cc4122327a52a31be1739dce63a2d524df5c22c24af3e3b46f6b73f5fb9b13e10dbcb2ab48e65887f8d22f2ee0c7c570bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E44.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Filesize
225B

MD5
cc96ae915cc2070606253caaeb2c8246

SHA1
abb80cf475cabf99b04cdb0534393a29c19abfe3

SHA256
573eaa633309520f9db44e70c34faa256374216cbe79644ec6b2397b78241cb6

SHA512
161020b8f9988db5fcbfc5638d0313deffa8b8d244992e3bd176191dcbee1164dc04f5e66cd81aee89d1330582df1dd41f14b38d0a04098783c34b037524f649

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
225B

MD5
e585106fc1f18257ad0f7ac731827c1b

SHA1
54e1b5eba254df046f9835b773594847f3760d77

SHA256
313ee83c0641ace82575090fef8b1795a476fcbaf97b7c473bb41bb196796252

SHA512
429db0503845896aa3d4fac8197099c622bbd95ee43d3278337dae80a1543dbd1a677034f6a502001980fda98949f96ca4a5017af84f3a2ebf4faa01dd202114

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
225B

MD5
78036c9ed553d439d4cd6d6039d5e3c4

SHA1
dad484792ebb6a0bf73427e60f590fe70daede89

SHA256
d8144603f84fc358cbebee420181687fc4296861ec8a13ed0475f607ace7067c

SHA512
a850d59db99e3344ad58e0457dadb0aab3924f9140d551fde33b0250926eb48183b1dd430d9bcba78bfa9220bfeec2ea3a815b76647df17dc8d2aac3d1ecc24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
225B

MD5
d3696fb8bf7b363e46f47421e5f736ae

SHA1
8d788ffc481666cb23cb5e7dd3736ed0951d198d

SHA256
ae80832bbb46d681c62e034aa241576b146e5b07329571cd7222c7fcd8c5a976

SHA512
707ec8c4c87be636094c8683873bde17dbcf40971e7de2eedff932d3278a8ed30d070a7e46ac9e885b81f44b35fea6c5d06591fb4c08d2cf79cddc3590939bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E47.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
225B

MD5
66f0f856d2468f3115ac7f045bf41f7f

SHA1
e972da77c7b1dbb28a57798cad61b35aa8b22786

SHA256
53935e5812268f9224f5c318b5fd2c67104414cac39c5b98bcf43ae3073b54d1

SHA512
2a84469cf797ee8a2cae69e3deac95bb50cc2e6011c74cc687e034382579fddb976fb98dee2db21e86b6bdc502cf5a3c7859f2859a5a06cac0d9d72a3f735e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
225B

MD5
f3c6cccf573c284111f62eef013091d3

SHA1
f849c7e947191bcf0721dddfcbbdda83901e8bdd

SHA256
70c3860b8f26514614c1eada668dc5bf10586666a97806c87e81eaac386bcf4b

SHA512
4b7cbba453a2e8e111da414d43b71c55937731016fb36820ce4e34f3dcf6b3aa8f800f1c01005787f9507a9ff38b1b59b782ae9f738c8e71275d392c82514004

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
225B

MD5
a787a17f44955118d1388cef24ee4cac

SHA1
21718e7b5ad2051c956134f3916907bb213a3ee7

SHA256
99820380b346385e184cf08acba4833f6fbbf3bbfa3e4a9bef91a5d5c095109f

SHA512
b768a2b875bc3830be37a4f18e5ff1ca722acab5268f037898d00a43ec506ea85b084870bb5356d8e1a22e9100001aa401889fb3de88df02bdd886222cc53561

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c4d178f11797e87f7a0724a8b726ae20

SHA1
c781ed771450a1aea18170e63c137c38cf79244c

SHA256
632ff881f95960788df45710e111dc6644cfab0eb09d4aa0990dc5ee94e1f2a8

SHA512
c3fe7f7123768bc0f216683e12abab6a82a5b37f1b69f668a1ae501a791f3adfc7435507ff04d1a8b0d873c77a86038dfe27cf140e6b706029a846fb2f26a50d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1632-97-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2036-381-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2348-262-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2364-501-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2376-138-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/2376-56-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2704-202-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-118-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2968-17-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2968-16-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2968-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2968-14-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2968-13-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/3036-561-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/3068-441-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download