dcrat | 9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Size

1.3MB
MD5

554da9e9950ed9a42772fd70e291a0ba
SHA1

099eaddabec2e6de93d8421363472234ddca8d9e
SHA256

9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403
SHA512

d237de309486d1c259177f057db7395da2a733d2b146b2485e1199d77298aeeec3805b0ae89ef9f1a1f018b522fe9a15f51299c71718ad0e9e21e7150974aafb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	100	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	100	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c8c-10.dat	dcrat
behavioral2/memory/3092-13-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3936	powershell.exe
1184	powershell.exe
4408	powershell.exe
3204	powershell.exe
2500	powershell.exe
1636	powershell.exe
4784	powershell.exe
2924	powershell.exe
3836	powershell.exe
932	powershell.exe
4884	powershell.exe
4140	powershell.exe
4888	powershell.exe
752	powershell.exe
1856	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 14 IoCs

pid	Process
3092	DllCommonsvc.exe
4308	dllhost.exe
4292	dllhost.exe
1868	dllhost.exe
1588	dllhost.exe
4336	dllhost.exe
1416	dllhost.exe
2764	dllhost.exe
1484	dllhost.exe
2792	dllhost.exe
400	dllhost.exe
3908	dllhost.exe
3968	dllhost.exe
1868	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
46	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
52	raw.githubusercontent.com
25	raw.githubusercontent.com
18	raw.githubusercontent.com
40	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
17	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\System.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\tracing\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Windows\uk-UA\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Windows\uk-UA\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Windows\Speech\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\ea1d8f6d871115	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1280	schtasks.exe
736	schtasks.exe
828	schtasks.exe
2600	schtasks.exe
4708	schtasks.exe
3472	schtasks.exe
3676	schtasks.exe
2380	schtasks.exe
1240	schtasks.exe
972	schtasks.exe
4792	schtasks.exe
3504	schtasks.exe
4836	schtasks.exe
2252	schtasks.exe
3276	schtasks.exe
3172	schtasks.exe
4700	schtasks.exe
4920	schtasks.exe
3580	schtasks.exe
3452	schtasks.exe
4112	schtasks.exe
4584	schtasks.exe
3964	schtasks.exe
2968	schtasks.exe
1408	schtasks.exe
3872	schtasks.exe
2424	schtasks.exe
4680	schtasks.exe
2828	schtasks.exe
3948	schtasks.exe
1792	schtasks.exe
1332	schtasks.exe
2216	schtasks.exe
400	schtasks.exe
1452	schtasks.exe
3324	schtasks.exe
4924	schtasks.exe
3824	schtasks.exe
4684	schtasks.exe
2016	schtasks.exe
4780	schtasks.exe
1956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	DllCommonsvc.exe
3092	DllCommonsvc.exe
3092	DllCommonsvc.exe
3092	DllCommonsvc.exe
3092	DllCommonsvc.exe
3092	DllCommonsvc.exe
3092	DllCommonsvc.exe
932	powershell.exe
932	powershell.exe
3836	powershell.exe
3836	powershell.exe
4888	powershell.exe
4888	powershell.exe
3936	powershell.exe
3936	powershell.exe
2924	powershell.exe
2924	powershell.exe
4884	powershell.exe
4884	powershell.exe
1856	powershell.exe
1856	powershell.exe
2500	powershell.exe
2500	powershell.exe
3204	powershell.exe
3204	powershell.exe
1636	powershell.exe
1636	powershell.exe
4784	powershell.exe
4784	powershell.exe
1184	powershell.exe
1184	powershell.exe
752	powershell.exe
752	powershell.exe
4408	powershell.exe
4408	powershell.exe
4140	powershell.exe
4140	powershell.exe
3204	powershell.exe
3836	powershell.exe
4308	dllhost.exe
4308	dllhost.exe
2924	powershell.exe
932	powershell.exe
932	powershell.exe
4888	powershell.exe
2500	powershell.exe
4884	powershell.exe
3936	powershell.exe
4784	powershell.exe
752	powershell.exe
1856	powershell.exe
1184	powershell.exe
4140	powershell.exe
1636	powershell.exe
4408	powershell.exe
4292	dllhost.exe
1868	dllhost.exe
1588	dllhost.exe
4336	dllhost.exe
1416	dllhost.exe
2764	dllhost.exe
1484	dllhost.exe
2792	dllhost.exe
400	dllhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	DllCommonsvc.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	4308	dllhost.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4292	dllhost.exe
Token: SeDebugPrivilege	1868	dllhost.exe
Token: SeDebugPrivilege	1588	dllhost.exe
Token: SeDebugPrivilege	4336	dllhost.exe
Token: SeDebugPrivilege	1416	dllhost.exe
Token: SeDebugPrivilege	2764	dllhost.exe
Token: SeDebugPrivilege	1484	dllhost.exe
Token: SeDebugPrivilege	2792	dllhost.exe
Token: SeDebugPrivilege	400	dllhost.exe
Token: SeDebugPrivilege	3908	dllhost.exe
Token: SeDebugPrivilege	3968	dllhost.exe
Token: SeDebugPrivilege	1868	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4492	2472	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	83
PID 2472 wrote to memory of 4492	2472	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	83
PID 2472 wrote to memory of 4492	2472	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	83
PID 4492 wrote to memory of 1028	4492	WScript.exe	84
PID 4492 wrote to memory of 1028	4492	WScript.exe	84
PID 4492 wrote to memory of 1028	4492	WScript.exe	84
PID 1028 wrote to memory of 3092	1028	cmd.exe	86
PID 1028 wrote to memory of 3092	1028	cmd.exe	86
PID 3092 wrote to memory of 2924	3092	DllCommonsvc.exe	131
PID 3092 wrote to memory of 2924	3092	DllCommonsvc.exe	131
PID 3092 wrote to memory of 3836	3092	DllCommonsvc.exe	132
PID 3092 wrote to memory of 3836	3092	DllCommonsvc.exe	132
PID 3092 wrote to memory of 4140	3092	DllCommonsvc.exe	133
PID 3092 wrote to memory of 4140	3092	DllCommonsvc.exe	133
PID 3092 wrote to memory of 752	3092	DllCommonsvc.exe	134
PID 3092 wrote to memory of 752	3092	DllCommonsvc.exe	134
PID 3092 wrote to memory of 1856	3092	DllCommonsvc.exe	135
PID 3092 wrote to memory of 1856	3092	DllCommonsvc.exe	135
PID 3092 wrote to memory of 932	3092	DllCommonsvc.exe	136
PID 3092 wrote to memory of 932	3092	DllCommonsvc.exe	136
PID 3092 wrote to memory of 3936	3092	DllCommonsvc.exe	137
PID 3092 wrote to memory of 3936	3092	DllCommonsvc.exe	137
PID 3092 wrote to memory of 4888	3092	DllCommonsvc.exe	138
PID 3092 wrote to memory of 4888	3092	DllCommonsvc.exe	138
PID 3092 wrote to memory of 1184	3092	DllCommonsvc.exe	139
PID 3092 wrote to memory of 1184	3092	DllCommonsvc.exe	139
PID 3092 wrote to memory of 4884	3092	DllCommonsvc.exe	140
PID 3092 wrote to memory of 4884	3092	DllCommonsvc.exe	140
PID 3092 wrote to memory of 2500	3092	DllCommonsvc.exe	141
PID 3092 wrote to memory of 2500	3092	DllCommonsvc.exe	141
PID 3092 wrote to memory of 4408	3092	DllCommonsvc.exe	142
PID 3092 wrote to memory of 4408	3092	DllCommonsvc.exe	142
PID 3092 wrote to memory of 3204	3092	DllCommonsvc.exe	143
PID 3092 wrote to memory of 3204	3092	DllCommonsvc.exe	143
PID 3092 wrote to memory of 1636	3092	DllCommonsvc.exe	144
PID 3092 wrote to memory of 1636	3092	DllCommonsvc.exe	144
PID 3092 wrote to memory of 4784	3092	DllCommonsvc.exe	145
PID 3092 wrote to memory of 4784	3092	DllCommonsvc.exe	145
PID 3092 wrote to memory of 4308	3092	DllCommonsvc.exe	160
PID 3092 wrote to memory of 4308	3092	DllCommonsvc.exe	160
PID 4308 wrote to memory of 1860	4308	dllhost.exe	168
PID 4308 wrote to memory of 1860	4308	dllhost.exe	168
PID 1860 wrote to memory of 1416	1860	cmd.exe	170
PID 1860 wrote to memory of 1416	1860	cmd.exe	170
PID 1860 wrote to memory of 4292	1860	cmd.exe	178
PID 1860 wrote to memory of 4292	1860	cmd.exe	178
PID 4292 wrote to memory of 5044	4292	dllhost.exe	180
PID 4292 wrote to memory of 5044	4292	dllhost.exe	180
PID 5044 wrote to memory of 4872	5044	cmd.exe	182
PID 5044 wrote to memory of 4872	5044	cmd.exe	182
PID 5044 wrote to memory of 1868	5044	cmd.exe	187
PID 5044 wrote to memory of 1868	5044	cmd.exe	187
PID 1868 wrote to memory of 1812	1868	dllhost.exe	189
PID 1868 wrote to memory of 1812	1868	dllhost.exe	189
PID 1812 wrote to memory of 676	1812	cmd.exe	191
PID 1812 wrote to memory of 676	1812	cmd.exe	191
PID 1812 wrote to memory of 1588	1812	cmd.exe	193
PID 1812 wrote to memory of 1588	1812	cmd.exe	193
PID 1588 wrote to memory of 4236	1588	dllhost.exe	195
PID 1588 wrote to memory of 4236	1588	dllhost.exe	195
PID 4236 wrote to memory of 2304	4236	cmd.exe	197
PID 4236 wrote to memory of 2304	4236	cmd.exe	197
PID 4236 wrote to memory of 4336	4236	cmd.exe	199
PID 4236 wrote to memory of 4336	4236	cmd.exe	199

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
    - - C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1416
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4872
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:676
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2304
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
        14⤵
        
        PID:4280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2344
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        16⤵
        
        PID:5024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4884
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        18⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2204
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        20⤵
        
        PID:1856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2500
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        22⤵
        
        PID:1256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2264
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        24⤵
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2984
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        26⤵
        
        PID:312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4632
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        28⤵
        
        PID:4492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3108
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        30⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Speech\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5093cd12c71b9c9717748902bb435968

SHA1
ce6f387c0304271efeb77118ccc35cd240501487

SHA256
a6f047f3b1b9e4d2037e2ce9853a61110355e39fc5c69661f0b7fbca0e78b202

SHA512
53ed1b2b3e32bf7bd768942c6b6a37ea6745ab0352738d6bf32733b05c17e7842d74378f709ba2609a5a888077a118260fba309c493f3edd42a6a9f66aff7142

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
198B

MD5
16149c4f27f1041f74a5c1b5f767ed04

SHA1
53872c282fcf170c370e8b256bbfc0e45300137e

SHA256
2f41c7113e1cc80a794f9c9975e923bff979f468c5f61fb5e6c3788a9a77ec23

SHA512
2e7cbc981c61ec2c0b02558bc9d9fcbf1f38148b4f8aaea2152af79db0c864fa92e1753f016b7f7a221d48d01fa3e6e8d5d5560a1056587d37f85c514ba1f640

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
198B

MD5
306d3525361ebbd1675522d9c93b135e

SHA1
d1306dc4c943904f75311c0f1f6d30b84b6be2e9

SHA256
a4c46562cf4d59a93c30a3c8ebcba2b6d7c9f83d53d2e4d400de5513d85886a7

SHA512
53e8c0a70c4820ba88e6afc2734e08c693b69351d0ca169f9aee3994871f02abfc88a2a85977af42c2716a0606ddac818a1cee21ea169a52eb69c3a4fbdc09e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat

Filesize
198B

MD5
e486776512563e8bde619c0df8bd527f

SHA1
0a40b0be06c7f57873a89a18c62d431047b532df

SHA256
ac99dc947df4d3ee8a5d733bf0a7b7bb3b49308160cea662b49b52de72f9145a

SHA512
a1a7a9b94832c6282ea17a59f88455943fa5163284d556e7cb0f409d427c808ce988582913221ec6c642f2d059905548a31c5afeba22db70fa4e2ecc8c48581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
198B

MD5
7440198936440214397af41330986a24

SHA1
7b0f0fb8a30a8898ecb4c39fbdf2752a09fae219

SHA256
4bf6ebe1c5d50fd7313f72421ead30d9a31a6978966c3b06986e4fdd25f28fcb

SHA512
84590802a95c362e16fe4e235ef6dd9aa9deafd0f582e9c5a97b47c2de3dc398fd9f88c54d9a842916a9b0689f35ec9b86d040265a7fdd005216aaa06c233173

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
198B

MD5
e55cde60b40a8b7ed695e0c4d5f89ac1

SHA1
04e662523511d22e91e9a00e6e16e2c64bd85423

SHA256
4074831f55185992fa9a6be44898964ab21f98fd72c60ce18efcb0a9a945db78

SHA512
271899eff671f107ff174bd7323d85ed0ef0cf0e0b545cf7bc6b73661da4d1472913de11f08e08718319e330b4bb0f268712616f37cb004a7622da529e5fa539

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zilx0lci.ycv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
198B

MD5
748a2246746feb71449846def4eed626

SHA1
05884c50a5c18837b303dc92d1a2b9fdecf785a2

SHA256
095d7004d86ad872a9e4e69e93947ac418bb12a983291acecb44ab39d5d033a7

SHA512
908ed6553cebbc90f8453df07df85d85586d86f3b3aec7ea8febd650e77d97d20d10c09566fdce88349cbe2b0794d5d1f3df8d88f5dc9374288c3793b8c5a3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
198B

MD5
0bd79a663a34fbb46bb4d7e32ca5d3a5

SHA1
3eaa52722e59840391cdd72f0983575ca9ecd121

SHA256
ee08df0748405e49aaf75870eaa78e53a741ae5968c6d6547a4571920c6cc516

SHA512
fefcfe323ea36e85680e1dd582d084690134e605cc9293f329655413c8b86afb13e1e61d7cae405ff15885bbeab7f70a47195ce1957e336b6f0c992893c72354

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
198B

MD5
eae17689164f4b10d8cc20e7adec76ec

SHA1
e735502bdbade9c3074d03223c04de69fcdd25f0

SHA256
a9f740757d871fce9d753d13e923219673f2faee970a05a93af42a85d657ca2e

SHA512
61a3033e1dfd4af62b9119934301bd779b8c39dc1b91943854c3357f7a3d5497e842dda69f7211bf9eab264dd58ddbd2b6687250f7d99658ba9eefeac5bc78d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
198B

MD5
921508892bfe268a126bfa696adb5f3b

SHA1
f22be8f333c05ba27952f1a8ed9939ce2c7db651

SHA256
52a72949fdfaa00012fdb2aebe9a69e2a875b12fb37a17039a6887db61dba046

SHA512
c0902f9eb09a23ef2bb699e989511c540774ec537a33d799c8af1c0d9b9fd5a90f7976651c6cecd0853ca0993ed5a2285efdd1a30763e2c50237c6c33f59c906

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
198B

MD5
913a985ebc1d48da7938f165f77456e4

SHA1
c5a9bd8b9a04eea175ed3e7f937bc65620bf10b0

SHA256
832c226a5a2bfe4fb300a111c8babff55caee8954e0274131a8f98f40027db9e

SHA512
3183036ba57979e0d2c26e4c5bed1b74bf29e06209f37cd34880a2f7b1eb95b8f49c8e089d09f4d10e9cd73f574c178eaa089aa072998185b096fc08f8d1453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
198B

MD5
be4f8d4f60f33c8b07291bb77528d566

SHA1
1bf1bbed6b5e3da60c1bc424778d5f4993f6f37a

SHA256
517373194f79957337f358671151034be773151e759120486ebc0a118d2145d1

SHA512
8ed9bbc74fc478630ddcf6eb7ab1d31f1838f470ad56f412ee8fac1745c78204d8b855a839c3ff27ab563411941f51d5bd5fed0cde512c597391eaa153defdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
198B

MD5
bb668a562423252e09b0ec0a41f5b509

SHA1
128b7dc82894d4d515d8bb37f65e1c89bc6a6bb9

SHA256
1884f7779e2325d936c7c8c9a81b87c6751f95d437db2190df61f86db89e0f67

SHA512
7e06809670ecb1daddcddadb79311806d4d1ba1e87e435acf7d37e83efe268302f080798cf2adf68759635d5aa4b6781f1125fee2b499f2c934b60a07fd8cf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
198B

MD5
8b697091415037a208f427e731de8134

SHA1
325c8f21dee9ff9861c08f10f644e1eae59dbde7

SHA256
3f92c3756721cc4c6871bb479fedc07c261a84b9b74e1e760afdd4ebe7c139f3

SHA512
b714fc10ce61d275d9ab2651097d94f5012219a851df014281566e03d1b61806466c4511eea13c2bf83dcbf3f85f741acb4f1654485e9c4348415124ab9118af

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1416-260-0x000000001C7B0000-0x000000001C851000-memory.dmp

Filesize
644KB

Download
memory/1416-261-0x000000001C860000-0x000000001CA09000-memory.dmp

Filesize
1.7MB

Download
memory/1484-271-0x0000000002D70000-0x0000000002D82000-memory.dmp

Filesize
72KB

Download
memory/1588-245-0x000000001BDC0000-0x000000001BF2A000-memory.dmp

Filesize
1.4MB

Download
memory/1868-238-0x000000001C650000-0x000000001C7BA000-memory.dmp

Filesize
1.4MB

Download
memory/1868-304-0x000000001AFC0000-0x000000001AFD2000-memory.dmp

Filesize
72KB

Download
memory/2764-268-0x000000001BF00000-0x000000001C0A9000-memory.dmp

Filesize
1.7MB

Download
memory/2792-278-0x0000000002E20000-0x0000000002E32000-memory.dmp

Filesize
72KB

Download
memory/2924-62-0x000001F50CA30000-0x000001F50CA52000-memory.dmp

Filesize
136KB

Download
memory/3092-17-0x000000001B680000-0x000000001B68C000-memory.dmp

Filesize
48KB

Download
memory/3092-16-0x000000001B670000-0x000000001B67C000-memory.dmp

Filesize
48KB

Download
memory/3092-15-0x0000000002C70000-0x0000000002C7C000-memory.dmp

Filesize
48KB

Download
memory/3092-14-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/3092-13-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/3092-12-0x00007FFF607F3000-0x00007FFF607F5000-memory.dmp

Filesize
8KB

Download
memory/3908-291-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/4292-227-0x0000000001880000-0x0000000001892000-memory.dmp

Filesize
72KB

Download
memory/4308-163-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/4336-253-0x000000001C350000-0x000000001C4BA000-memory.dmp

Filesize
1.4MB

Download
memory/4336-248-0x0000000001010000-0x0000000001022000-memory.dmp

Filesize
72KB

Download