dcrat | 3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593

Analysis

max time kernel
148s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe
Size

1.3MB
MD5

d4ec7159dd8ed5d020ad4f526cedfa71
SHA1

6d0c38d6e27c553fa1862ac73144a9051bf87936
SHA256

3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593
SHA512

b72a5cb06c2e512717803d6fda1dc77bb7c592086cfb23dd86d56d8dba5a73cb2684906bf38053a95da8453d6ec017dbb2a54ba836dc44e7a684d3418cfc03cc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2284	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	2284	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac2e-281.dat	dcrat
behavioral1/memory/4892-282-0x00000000006C0000-0x00000000007D0000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac2e-280.dat	dcrat
behavioral1/files/0x000600000001ac64-390.dat	dcrat
behavioral1/files/0x000600000001ac64-389.dat	dcrat
behavioral1/files/0x000600000001ac64-946.dat	dcrat
behavioral1/files/0x000600000001ac64-1034.dat	dcrat
behavioral1/files/0x000600000001ac64-1039.dat	dcrat
behavioral1/files/0x000600000001ac64-1044.dat	dcrat
behavioral1/files/0x000600000001ac64-1050.dat	dcrat
behavioral1/files/0x000600000001ac64-1055.dat	dcrat
behavioral1/files/0x000600000001ac64-1061.dat	dcrat
behavioral1/files/0x000600000001ac64-1066.dat	dcrat
behavioral1/files/0x000600000001ac64-1071.dat	dcrat
behavioral1/files/0x000600000001ac64-1077.dat	dcrat
behavioral1/files/0x000600000001ac64-1082.dat	dcrat
behavioral1/files/0x000600000001ac64-1088.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
4892	DllCommonsvc.exe
476	Idle.exe
5864	Idle.exe
5832	Idle.exe
5448	Idle.exe
2700	Idle.exe
3808	Idle.exe
4276	Idle.exe
64	Idle.exe
2508	Idle.exe
4460	Idle.exe
4940	Idle.exe
3772	Idle.exe
5180	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2032	schtasks.exe
908	schtasks.exe
4996	schtasks.exe
2080	schtasks.exe
32	schtasks.exe
204	schtasks.exe
2484	schtasks.exe
2700	schtasks.exe
772	schtasks.exe
4284	schtasks.exe
4468	schtasks.exe
3848	schtasks.exe
4992	schtasks.exe
1364	schtasks.exe
3188	schtasks.exe
4460	schtasks.exe
4400	schtasks.exe
3304	schtasks.exe
1060	schtasks.exe
2312	schtasks.exe
4424	schtasks.exe
2900	schtasks.exe
1292	schtasks.exe
2016	schtasks.exe
1796	schtasks.exe
4928	schtasks.exe
4848	schtasks.exe
4508	schtasks.exe
1872	schtasks.exe
4540	schtasks.exe
4532	schtasks.exe
3660	schtasks.exe
3760	schtasks.exe
776	schtasks.exe
4480	schtasks.exe
4632	schtasks.exe
3156	schtasks.exe
968	schtasks.exe
4528	schtasks.exe
4252	schtasks.exe
2012	schtasks.exe
4636	schtasks.exe
1792	schtasks.exe
3200	schtasks.exe
4492	schtasks.exe
5024	schtasks.exe
3912	schtasks.exe
2440	schtasks.exe
2696	schtasks.exe
660	schtasks.exe
2732	schtasks.exe
1804	schtasks.exe
1064	schtasks.exe
2812	schtasks.exe
3788	schtasks.exe
4232	schtasks.exe
2896	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
4892	DllCommonsvc.exe
3896	powershell.exe
3896	powershell.exe
3684	powershell.exe
3684	powershell.exe
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
4732	powershell.exe
4732	powershell.exe
1568	powershell.exe
1568	powershell.exe
1976	powershell.exe
1976	powershell.exe
3684	powershell.exe
3896	powershell.exe
64	powershell.exe
64	powershell.exe
3900	powershell.exe
5100	powershell.exe
5100	powershell.exe
1928	powershell.exe
1928	powershell.exe
4180	powershell.exe
4180	powershell.exe
3828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	DllCommonsvc.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	476	Idle.exe
Token: SeIncreaseQuotaPrivilege	3900	powershell.exe
Token: SeSecurityPrivilege	3900	powershell.exe
Token: SeTakeOwnershipPrivilege	3900	powershell.exe
Token: SeLoadDriverPrivilege	3900	powershell.exe
Token: SeSystemProfilePrivilege	3900	powershell.exe
Token: SeSystemtimePrivilege	3900	powershell.exe
Token: SeProfSingleProcessPrivilege	3900	powershell.exe
Token: SeIncBasePriorityPrivilege	3900	powershell.exe
Token: SeCreatePagefilePrivilege	3900	powershell.exe
Token: SeBackupPrivilege	3900	powershell.exe
Token: SeRestorePrivilege	3900	powershell.exe
Token: SeShutdownPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeSystemEnvironmentPrivilege	3900	powershell.exe
Token: SeRemoteShutdownPrivilege	3900	powershell.exe
Token: SeUndockPrivilege	3900	powershell.exe
Token: SeManageVolumePrivilege	3900	powershell.exe
Token: 33	3900	powershell.exe
Token: 34	3900	powershell.exe
Token: 35	3900	powershell.exe
Token: 36	3900	powershell.exe
Token: SeIncreaseQuotaPrivilege	3684	powershell.exe
Token: SeSecurityPrivilege	3684	powershell.exe
Token: SeTakeOwnershipPrivilege	3684	powershell.exe
Token: SeLoadDriverPrivilege	3684	powershell.exe
Token: SeSystemProfilePrivilege	3684	powershell.exe
Token: SeSystemtimePrivilege	3684	powershell.exe
Token: SeProfSingleProcessPrivilege	3684	powershell.exe
Token: SeIncBasePriorityPrivilege	3684	powershell.exe
Token: SeCreatePagefilePrivilege	3684	powershell.exe
Token: SeBackupPrivilege	3684	powershell.exe
Token: SeRestorePrivilege	3684	powershell.exe
Token: SeShutdownPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeSystemEnvironmentPrivilege	3684	powershell.exe
Token: SeRemoteShutdownPrivilege	3684	powershell.exe
Token: SeUndockPrivilege	3684	powershell.exe
Token: SeManageVolumePrivilege	3684	powershell.exe
Token: 33	3684	powershell.exe
Token: 34	3684	powershell.exe
Token: 35	3684	powershell.exe
Token: 36	3684	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4768	2668	3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe	66
PID 2668 wrote to memory of 4768	2668	3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe	66
PID 2668 wrote to memory of 4768	2668	3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe	66
PID 4768 wrote to memory of 4112	4768	WScript.exe	172
PID 4768 wrote to memory of 4112	4768	WScript.exe	172
PID 4768 wrote to memory of 4112	4768	WScript.exe	172
PID 4112 wrote to memory of 4892	4112	w32tm.exe	69
PID 4112 wrote to memory of 4892	4112	w32tm.exe	69
PID 4892 wrote to memory of 3900	4892	DllCommonsvc.exe	131
PID 4892 wrote to memory of 3900	4892	DllCommonsvc.exe	131
PID 4892 wrote to memory of 3896	4892	DllCommonsvc.exe	130
PID 4892 wrote to memory of 3896	4892	DllCommonsvc.exe	130
PID 4892 wrote to memory of 3684	4892	DllCommonsvc.exe	128
PID 4892 wrote to memory of 3684	4892	DllCommonsvc.exe	128
PID 4892 wrote to memory of 1976	4892	DllCommonsvc.exe	126
PID 4892 wrote to memory of 1976	4892	DllCommonsvc.exe	126
PID 4892 wrote to memory of 1568	4892	DllCommonsvc.exe	125
PID 4892 wrote to memory of 1568	4892	DllCommonsvc.exe	125
PID 4892 wrote to memory of 4732	4892	DllCommonsvc.exe	123
PID 4892 wrote to memory of 4732	4892	DllCommonsvc.exe	123
PID 4892 wrote to memory of 64	4892	DllCommonsvc.exe	92
PID 4892 wrote to memory of 64	4892	DllCommonsvc.exe	92
PID 4892 wrote to memory of 5100	4892	DllCommonsvc.exe	120
PID 4892 wrote to memory of 5100	4892	DllCommonsvc.exe	120
PID 4892 wrote to memory of 4180	4892	DllCommonsvc.exe	118
PID 4892 wrote to memory of 4180	4892	DllCommonsvc.exe	118
PID 4892 wrote to memory of 1928	4892	DllCommonsvc.exe	116
PID 4892 wrote to memory of 1928	4892	DllCommonsvc.exe	116
PID 4892 wrote to memory of 3828	4892	DllCommonsvc.exe	93
PID 4892 wrote to memory of 3828	4892	DllCommonsvc.exe	93
PID 4892 wrote to memory of 4692	4892	DllCommonsvc.exe	94
PID 4892 wrote to memory of 4692	4892	DllCommonsvc.exe	94
PID 4892 wrote to memory of 4340	4892	DllCommonsvc.exe	112
PID 4892 wrote to memory of 4340	4892	DllCommonsvc.exe	112
PID 4892 wrote to memory of 4872	4892	DllCommonsvc.exe	95
PID 4892 wrote to memory of 4872	4892	DllCommonsvc.exe	95
PID 4892 wrote to memory of 3388	4892	DllCommonsvc.exe	109
PID 4892 wrote to memory of 3388	4892	DllCommonsvc.exe	109
PID 4892 wrote to memory of 1352	4892	DllCommonsvc.exe	107
PID 4892 wrote to memory of 1352	4892	DllCommonsvc.exe	107
PID 4892 wrote to memory of 3648	4892	DllCommonsvc.exe	105
PID 4892 wrote to memory of 3648	4892	DllCommonsvc.exe	105
PID 4892 wrote to memory of 3352	4892	DllCommonsvc.exe	98
PID 4892 wrote to memory of 3352	4892	DllCommonsvc.exe	98
PID 4892 wrote to memory of 2928	4892	DllCommonsvc.exe	103
PID 4892 wrote to memory of 2928	4892	DllCommonsvc.exe	103
PID 4892 wrote to memory of 3176	4892	DllCommonsvc.exe	99
PID 4892 wrote to memory of 3176	4892	DllCommonsvc.exe	99
PID 4892 wrote to memory of 476	4892	DllCommonsvc.exe	106
PID 4892 wrote to memory of 476	4892	DllCommonsvc.exe	106
PID 476 wrote to memory of 5588	476	Idle.exe	151
PID 476 wrote to memory of 5588	476	Idle.exe	151
PID 5588 wrote to memory of 4112	5588	cmd.exe	172
PID 5588 wrote to memory of 4112	5588	cmd.exe	172
PID 5588 wrote to memory of 5864	5588	cmd.exe	173
PID 5588 wrote to memory of 5864	5588	cmd.exe	173
PID 5864 wrote to memory of 6100	5864	Idle.exe	174
PID 5864 wrote to memory of 6100	5864	Idle.exe	174
PID 6100 wrote to memory of 4496	6100	cmd.exe	176
PID 6100 wrote to memory of 4496	6100	cmd.exe	176
PID 6100 wrote to memory of 5832	6100	cmd.exe	177
PID 6100 wrote to memory of 5832	6100	cmd.exe	177
PID 5832 wrote to memory of 3764	5832	Idle.exe	178
PID 5832 wrote to memory of 3764	5832	Idle.exe	178

C:\Users\Admin\AppData\Local\Temp\3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe
"C:\Users\Admin\AppData\Local\Temp\3f55fbd52e989f52d3e4190a04f83a7c37c02307bc85e8edf380271b7e05a593.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    PID:4112
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\explorer.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\dllhost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:6100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4496
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        10⤵
        
        PID:3764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1284
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        12⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4724
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        14⤵
        
        PID:588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5080
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        16⤵
        
        PID:5944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5872
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        18⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5904
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        20⤵
        
        PID:32
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        22⤵
        
        PID:5148
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
        24⤵
        
        PID:5004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3536
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        26⤵
        
        PID:3336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5008
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        28⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1728
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        29⤵
        Executes dropped EXE
        
        PID:5180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\db\SearchUI.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OneDrive\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OneDrive\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\db\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc40d27f2c43cb370994512964d6f495

SHA1
521be34f97165d28d35262d80e59b5b305e88eb5

SHA256
95b843ba1842b7d1e998faceb00db44c134b3551bb042b9b529f4663a3a674c6

SHA512
667d01776f15877e16af283c4269390e97c8d044b3b65b96b313d67f670ef693e5ec3193a105d6937afd92726fc7af98a304fc7907e367aa151b06ae46eed6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ac1659abfde413a6b3c04e799758a98

SHA1
7cbc85f9dff3f8f91fe15b221aaa83ebb5ba116d

SHA256
4f9831f338b125d00b4cb3ebd5445c3f9bfa6012eeaaad18ef14eb54405b1400

SHA512
aa8c1a561c8277f75cdf2ef826d099e36815b812c296e27aa40f8d24fc45a4beaff98812ee2bb35cb7881b2af1b86ab737225748cdffb9f9c999035ea66248e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc92a3c7599e3cb5fba0bc508dba328c

SHA1
ca43bfd4bb97c671c29710e22e8118e2be9a6669

SHA256
53e6c531e5e72d4d0e9d9014964392fe7bf33dddd3737c98aec19c462ca04413

SHA512
69121c40450656a02d02bbe08c0913535091a84140ff0c334e3b601d8a9d07c97212ff1ddc334eafb66de26b3a5618f9778670e3b309a62535ce99a379d64915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc92a3c7599e3cb5fba0bc508dba328c

SHA1
ca43bfd4bb97c671c29710e22e8118e2be9a6669

SHA256
53e6c531e5e72d4d0e9d9014964392fe7bf33dddd3737c98aec19c462ca04413

SHA512
69121c40450656a02d02bbe08c0913535091a84140ff0c334e3b601d8a9d07c97212ff1ddc334eafb66de26b3a5618f9778670e3b309a62535ce99a379d64915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e8a404644295ad2b50c2b6b256a0b4c

SHA1
70963406b593b63da1969c1dab41bde200a42b8c

SHA256
f197f93015f7695b006ed3e77f1ac116382be9da02a30e478ea825afc5dc2c03

SHA512
4da9953e32f7f371f3be418353fecd50e88d7bf0ff7251504a6e3a797fbfc54f4832a295e93f33e5c9d16fecb71be3c50fe4a598e064c1736eea031a28a3b132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bdeb280289a291590c596c2cb4deedba

SHA1
32ca32040700732d1918c1d1d5d3fb1cc6f6f02d

SHA256
18b3fd643f208f8d50651d22ec4454dbdf55108c688df3d8a0ad73cd686518a6

SHA512
5f20a4695506bc0bd1a05570aea436395090c96d96841e96977c408c33588f9194404a45d085abc8e3155a6090862a8adcd45b709fcad62150337a0261c42219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c03e2aea0b51f20658d2852277d5f79b

SHA1
fd9f5308b045e0c65cc36f0fce20bd0456dff824

SHA256
664364ac8695f0655b25c11fc3319966a3b3ad407867103e9b1c5d495de6a22f

SHA512
730d9c5e070fb3848230ffac2e175d416008091581c7be81396436d5eedca23dd71adad5cd866c994f4a73bf5e77d4a1dbabe5d3c45e85781980611efb4509fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
023de16bc36e323623f19f5143468888

SHA1
628c9554e3cf4858885a6b195fe39474de54c007

SHA256
91b10fed3920cf8376db3c1ca6461739094cecca7d5be908781cd99be977f8ab

SHA512
1abce8becf30851db935ea76144724c9a092f952e536f5b7b484e807c3c9f69efa8646d34f6335e5a929c7f1e01a4449d963838d294652ee4e52efd5956052f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5f6566d4e7e8ca4c62f71fd5167fb35

SHA1
ca995e9f49672d438755ac0c7a425e5f500bb612

SHA256
6c00fca3b6bfa1b3fed0cdaf26f28ecc3070418d30c5f76904e0b352be464f63

SHA512
2d87e92d97e1437ab0acee829361007ff59cbf5d17c14ae2f2920268c03a6929fe3fd08f6c44f276da8ac8220246a1c709adce7850cfdd2a286d7ed83ac27f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5f6566d4e7e8ca4c62f71fd5167fb35

SHA1
ca995e9f49672d438755ac0c7a425e5f500bb612

SHA256
6c00fca3b6bfa1b3fed0cdaf26f28ecc3070418d30c5f76904e0b352be464f63

SHA512
2d87e92d97e1437ab0acee829361007ff59cbf5d17c14ae2f2920268c03a6929fe3fd08f6c44f276da8ac8220246a1c709adce7850cfdd2a286d7ed83ac27f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
543e72aecf1398b4cd8899ef1a99cfdc

SHA1
699b4e31a7423d51745d5f91fc1c08c079728849

SHA256
e961442ccb52bc18cb1ac6dad7def6ef63273aa7cb7f9a83e5122d7985504971

SHA512
d7c35425e17d5b63da561ac630912c3fa451bdfbeffcc420eab2c0221c910a9333e409dadb62c9f0e39e261261f42f0b4c9fdb2a34bdd2b73787e46084c7e337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ba2ae27c8c6effc894682bb63e2925c

SHA1
8be61a16afa0e5080f6c70867da5f93d33a6e730

SHA256
b0d25fae954108a93e943e90df2fa5d2263f43e41b184beabc38bbdb0bb72632

SHA512
056b3af94badf7a37b234952cfcafd21ab159128a9d16b18e4ccd59b53bdd4b96ef79a9b43dcdf75d5bbe1b8591f394e7aa71d1b1a2df4c530e193979f3c900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ba2ae27c8c6effc894682bb63e2925c

SHA1
8be61a16afa0e5080f6c70867da5f93d33a6e730

SHA256
b0d25fae954108a93e943e90df2fa5d2263f43e41b184beabc38bbdb0bb72632

SHA512
056b3af94badf7a37b234952cfcafd21ab159128a9d16b18e4ccd59b53bdd4b96ef79a9b43dcdf75d5bbe1b8591f394e7aa71d1b1a2df4c530e193979f3c900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9f548029e27bf3782f018342cd11d67

SHA1
0c227b18b355e92bf584d8fed19f314492f3b536

SHA256
5088530c1454ca60381406ecd2f136bcc78b1b60e032d83e81e2fcb36e4eeb8e

SHA512
e356a17478f2d2a91a585ac315d361e3c3ac398e7d918c2193609e6ca607de8d2771672f127d971173b9e6089deb4c1867f252c927e4205d1291ace5a303f71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d441fcb24c4ee977662d9647b94f8ad6

SHA1
1d5546db62dddd29bda99f0b97af3a66d843d3f8

SHA256
885c8a65715e5c4a9460033f1a22715411e4108cd229b7a66119ed5af1d2be16

SHA512
60d786617f0b94c9889ea5c70c2885d51d419f316aa270a81b75f9feb8db6a16018f910164b7b5d17c545b6316ef5500fd9402f827adb30df35a25a413505c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2178e9dda87d5e19bfe7ec52bf6b3707

SHA1
8751d1f4f977be65ff80c7fb377dc01c48337fb7

SHA256
8096298ce67f6931f16bde36756e84f04a561703c7175b1a7f264e5a8c7da84c

SHA512
3f54d5c034d405b070f0a46a129f933c6771875a3e4eed0f680c3d3d117c67638fcf6b691f68e11a6b2544cc5ec1f0d17988bf37bdb6eac5e126d8cf8b14f56e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2178e9dda87d5e19bfe7ec52bf6b3707

SHA1
8751d1f4f977be65ff80c7fb377dc01c48337fb7

SHA256
8096298ce67f6931f16bde36756e84f04a561703c7175b1a7f264e5a8c7da84c

SHA512
3f54d5c034d405b070f0a46a129f933c6771875a3e4eed0f680c3d3d117c67638fcf6b691f68e11a6b2544cc5ec1f0d17988bf37bdb6eac5e126d8cf8b14f56e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc40d27f2c43cb370994512964d6f495

SHA1
521be34f97165d28d35262d80e59b5b305e88eb5

SHA256
95b843ba1842b7d1e998faceb00db44c134b3551bb042b9b529f4663a3a674c6

SHA512
667d01776f15877e16af283c4269390e97c8d044b3b65b96b313d67f670ef693e5ec3193a105d6937afd92726fc7af98a304fc7907e367aa151b06ae46eed6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
687544e4d5226de831e3300663fccd84

SHA1
fa46e50fd91cf523bed572f9094ef9e48422a6f8

SHA256
b769069ebd4bba207d9b743c028193e4632def753b95b38e38f128e2ecf2cd21

SHA512
b74b0a147e139fabc5a36d77848a2e17c18199e3ecd57a2b1fb21810d0fc46da008ad5452647c8b8cc2c3428fc415349674d9980f000fbfecaea6ef32988bd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

Filesize
191B

MD5
8167eaead6127dcfd95a905db1c02e3d

SHA1
723c3f0dcfa3d2537a5205e656e3489abfda8613

SHA256
822fb696f2128f8f9181b946e5b9bfa12f033d4c279ed3468210d546dd06af33

SHA512
61c9fdec8a040eb3d5a7248492c49e8cde5c5b57c71cefbbd2b6d7d7746e23cf7890572a820f13b52b9b954629376c94aaeb1b5f350af11a235bc148cf38f203

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
191B

MD5
cc7641f9a63f108d008f2295aa22f940

SHA1
218d1650036df82f41ab00c0fb85b9f2407e7851

SHA256
7b4ec3d4476ead6f4d2ceae099a3f79a1555461260953dd40391f37847dbb0a5

SHA512
193db385dcb2336d6494cd8fa79fb250b3a5472f53ef2e2653d25eba8c8e51e032f473414c2b41179971b550b202b00a01ae4cf2f1686bc43ac797461246d48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

Filesize
191B

MD5
1a8e29e108f7bc27607483ba7516ff58

SHA1
114f32c70ef9a00441fcbf8f3840e3ffd16d4e6d

SHA256
19aa926626310b0aa5a10756817b2727b5fa6a26bfeabcaf0b0ee6340b7cd1e4

SHA512
7bff09c24d1170465021cf3c32f1d54a17243de898c7d1f493fdfcc73bceb11feefc51191a63f4dd0ca59e67aec50f30027f6188d8a6c8e9485dba03f77e3a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
191B

MD5
c0a907bd565bd0c18fb6d10803e399b4

SHA1
c6fe73b2a811819f77d9b373c80c5311ec0c46a7

SHA256
0341f0bf77f68c534ae002e868bf5d8011e42bee176749c592bf7490b5eb8ca8

SHA512
7d2a9b6299a38bc848160b92b35749126a92c43c7266d091ec731f105bd44ba76b5587b17fa54126a9591f0d059d75401c34917ae30f048e1673e68b47452e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

Filesize
191B

MD5
85f82c8c0dbfc8523cdd5653de6017cb

SHA1
70b6da4ff3b6edc1bac335c801cea4d48ca1c31b

SHA256
dd236c21906c7f4ecf4fce32359571b9a93139c3bb3a9e4b6e1121a498867bd7

SHA512
780f916df13af44901d089203699fa4f17f400b6bb9260661c208781bb480ce6d9bf2ad3025f3a5f3c6e3287025cb22c34c5ab0e7f79f6eb6495d6ffa366b594

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
191B

MD5
bd696ad00a969f9021492c442dce0075

SHA1
b4da080d3e8cb46770d65a9b9a3098399d129ddd

SHA256
24ca47589e013756c29308633614548d992638770727c48a2fcf4dfd7ce4f9a9

SHA512
8e566b200acd8195d69c4e384b84cefda8462349c87c4d750fa16557ef4b36a24dcb8a24303047c12412eaddebe5f1df78e9f0af37c4dc6be1c904effc671d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
191B

MD5
2cabbe118b56ad313a8a01e891df4f43

SHA1
0bf030f0b1b058772ff13ee44dfbaa9e78ba3030

SHA256
2d64a5e72dc621eb746a61c8f7735caee3933914403ccb0f117b40fecefea0a1

SHA512
b896b0ba15dc4a38b2c2a03cb3e62867c2e5a243d7284f636a86a58c1c8f25b82ef51a826b5a371bd6f97810b5dd95944448bf812e332b1d58e1236ed773c321

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
191B

MD5
2cabbe118b56ad313a8a01e891df4f43

SHA1
0bf030f0b1b058772ff13ee44dfbaa9e78ba3030

SHA256
2d64a5e72dc621eb746a61c8f7735caee3933914403ccb0f117b40fecefea0a1

SHA512
b896b0ba15dc4a38b2c2a03cb3e62867c2e5a243d7284f636a86a58c1c8f25b82ef51a826b5a371bd6f97810b5dd95944448bf812e332b1d58e1236ed773c321

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
191B

MD5
421e1caa1676e0b935abf09144362d68

SHA1
3b324f50158b0b1ef065a0697b72752498227c6b

SHA256
7c69db4e85646ac849c4ac51906b0ea43d3db9971fe2dd6610b048728eb90482

SHA512
35a01816b3a7f3e7f88f63a3f884c831fa63cc9411e62132d9880c89eb0b4584b6c0575ef2661e06a6661dfec9b9a56ea2ca3f087ccbff4001cc0013bc8b76d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
191B

MD5
15d7d5f1dbe3fc6d7ed29c2aff90f868

SHA1
82481e91a24009980836c499a40f79bf1a2e9e15

SHA256
50bad40f7d9340427e6534dd77347e7da263a1e642f2816036a2d31bd1fd6863

SHA512
3c4acf46a9bb87e02c21d15ef7e1fe738a3c04a3d70bd1f6800b834ed9170656a3b1b43282a84abe85daf9a1ba78d39eef76debe63ddfa867f63acb1ce99bcc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

Filesize
191B

MD5
82e224e688d4347f94227fcb483f1af3

SHA1
e1a180ad2921a45b21c264cc62271b7618938298

SHA256
88153f226b30bb7dbe4b60edf3546c1abd4a2e6784c76c2c214ce76ba0346d57

SHA512
41b6b420d60aef487c538316ae6054b1cb5439a53a70f70476b750cd8d9144e4cbed3f6416d756881f55b75e3c07322f87b031f2035982fb6075bd5b8f21694f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
191B

MD5
ce26ba367f9c4528fc183da709283263

SHA1
2845a0c3f5874e61ead0a5b2554ceefa213cdc22

SHA256
941dac8755deca85e6a46ffdd89f1b2526de53ecf9ec8285e16242288c2b7f6d

SHA512
f3c612623f5475dafd542fa669f7a0c818dfbcd469db27de11ecb89afcb2d722c3edada39704b2c2f6d8d5f198bddf7abe1210c262cf16fa472f456d9e78121c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2668-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2700-1045-0x0000000001240000-0x0000000001252000-memory.dmp

Filesize
72KB

Download
memory/3772-1083-0x00000000012C0000-0x00000000012D2000-memory.dmp

Filesize
72KB

Download
memory/3896-388-0x0000018F20560000-0x0000018F20582000-memory.dmp

Filesize
136KB

Download
memory/3900-397-0x000002183DE40000-0x000002183DEB6000-memory.dmp

Filesize
472KB

Download
memory/4276-1056-0x00000000017E0000-0x00000000017F2000-memory.dmp

Filesize
72KB

Download
memory/4460-1072-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/4768-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-286-0x0000000001080000-0x000000000108C000-memory.dmp

Filesize
48KB

Download
memory/4892-282-0x00000000006C0000-0x00000000007D0000-memory.dmp

Filesize
1.1MB

Download
memory/4892-283-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/4892-284-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/4892-285-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/5864-948-0x0000000001730000-0x0000000001742000-memory.dmp

Filesize
72KB

Download