dcrat | 940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 12:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Size

1.3MB
MD5

3019281f6a1d25674cefdb7741a59320
SHA1

24dc42c1e757d0e98f8cfd93fc7cfced6f1d4f9d
SHA256

940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4
SHA512

589f55abaa01d221cad6ecb86ef6ba191e87553b1ac7640c220526ce6dc7eec5702e816076b554c37283af082b0f58ad63fc7b241d8c4c4543413494ede9437b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1128	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1128	schtasks.exe	82

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022f68-137.dat	dcrat
behavioral1/files/0x0006000000022f68-138.dat	dcrat
behavioral1/memory/4644-139-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat
behavioral1/files/0x0006000000022f92-164.dat	dcrat
behavioral1/files/0x0006000000022f92-165.dat	dcrat
behavioral1/files/0x0006000000022f92-216.dat	dcrat
behavioral1/files/0x0006000000022f92-224.dat	dcrat
behavioral1/files/0x0006000000022f92-231.dat	dcrat
behavioral1/files/0x0006000000022f92-238.dat	dcrat
behavioral1/files/0x0006000000022f92-245.dat	dcrat
behavioral1/files/0x0006000000022f92-252.dat	dcrat
behavioral1/files/0x0006000000022f92-259.dat	dcrat

Executes dropped EXE 9 IoCs

pid	Process
4644	DllCommonsvc.exe
544	RuntimeBroker.exe
1592	RuntimeBroker.exe
1324	RuntimeBroker.exe
760	RuntimeBroker.exe
1708	RuntimeBroker.exe
4736	RuntimeBroker.exe
2828	RuntimeBroker.exe
4068	RuntimeBroker.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\66fc9ff0ee96c2	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4420	schtasks.exe
680	schtasks.exe
228	schtasks.exe
1648	schtasks.exe
4264	schtasks.exe
1812	schtasks.exe
3912	schtasks.exe
1040	schtasks.exe
4768	schtasks.exe
4340	schtasks.exe
1672	schtasks.exe
1072	schtasks.exe
3396	schtasks.exe
112	schtasks.exe
2336	schtasks.exe
1312	schtasks.exe
4712	schtasks.exe
1840	schtasks.exe
4744	schtasks.exe
1444	schtasks.exe
544	schtasks.exe
3500	schtasks.exe
3540	schtasks.exe
3968	schtasks.exe
2900	schtasks.exe
1952	schtasks.exe
2044	schtasks.exe
3612	schtasks.exe
316	schtasks.exe
4276	schtasks.exe
4820	schtasks.exe
4256	schtasks.exe
3308	schtasks.exe
5100	schtasks.exe
4368	schtasks.exe
4460	schtasks.exe
3196	schtasks.exe
3176	schtasks.exe
1964	schtasks.exe
1996	schtasks.exe
3648	schtasks.exe
1044	schtasks.exe
2928	schtasks.exe
1268	schtasks.exe
3660	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
4644	DllCommonsvc.exe
2796	powershell.exe
3092	powershell.exe
3092	powershell.exe
4672	powershell.exe
4672	powershell.exe
4456	powershell.exe
4456	powershell.exe
3284	powershell.exe
3284	powershell.exe
3788	powershell.exe
3788	powershell.exe
3116	powershell.exe
3116	powershell.exe
3444	powershell.exe
3444	powershell.exe
1480	powershell.exe
1480	powershell.exe
3236	powershell.exe
3236	powershell.exe
2252	powershell.exe
2252	powershell.exe
4160	powershell.exe
4160	powershell.exe
1848	powershell.exe
1848	powershell.exe
3292	powershell.exe
3292	powershell.exe
4036	powershell.exe
4036	powershell.exe
456	powershell.exe
456	powershell.exe
2796	powershell.exe
2796	powershell.exe
3092	powershell.exe
3092	powershell.exe
544	RuntimeBroker.exe
544	RuntimeBroker.exe
4456	powershell.exe
4456	powershell.exe
4672	powershell.exe
4672	powershell.exe
3284	powershell.exe
3284	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	DllCommonsvc.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	544	RuntimeBroker.exe
Token: SeDebugPrivilege	1592	RuntimeBroker.exe
Token: SeDebugPrivilege	1324	RuntimeBroker.exe
Token: SeDebugPrivilege	760	RuntimeBroker.exe
Token: SeDebugPrivilege	1708	RuntimeBroker.exe
Token: SeDebugPrivilege	4736	RuntimeBroker.exe
Token: SeDebugPrivilege	2828	RuntimeBroker.exe
Token: SeDebugPrivilege	4068	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 2368	800	940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe	78
PID 800 wrote to memory of 2368	800	940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe	78
PID 800 wrote to memory of 2368	800	940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe	78
PID 2368 wrote to memory of 1420	2368	WScript.exe	79
PID 2368 wrote to memory of 1420	2368	WScript.exe	79
PID 2368 wrote to memory of 1420	2368	WScript.exe	79
PID 1420 wrote to memory of 4644	1420	cmd.exe	81
PID 1420 wrote to memory of 4644	1420	cmd.exe	81
PID 4644 wrote to memory of 3444	4644	DllCommonsvc.exe	128
PID 4644 wrote to memory of 3444	4644	DllCommonsvc.exe	128
PID 4644 wrote to memory of 2796	4644	DllCommonsvc.exe	133
PID 4644 wrote to memory of 2796	4644	DllCommonsvc.exe	133
PID 4644 wrote to memory of 4672	4644	DllCommonsvc.exe	129
PID 4644 wrote to memory of 4672	4644	DllCommonsvc.exe	129
PID 4644 wrote to memory of 3092	4644	DllCommonsvc.exe	132
PID 4644 wrote to memory of 3092	4644	DllCommonsvc.exe	132
PID 4644 wrote to memory of 4456	4644	DllCommonsvc.exe	135
PID 4644 wrote to memory of 4456	4644	DllCommonsvc.exe	135
PID 4644 wrote to memory of 3284	4644	DllCommonsvc.exe	136
PID 4644 wrote to memory of 3284	4644	DllCommonsvc.exe	136
PID 4644 wrote to memory of 3788	4644	DllCommonsvc.exe	139
PID 4644 wrote to memory of 3788	4644	DllCommonsvc.exe	139
PID 4644 wrote to memory of 3116	4644	DllCommonsvc.exe	142
PID 4644 wrote to memory of 3116	4644	DllCommonsvc.exe	142
PID 4644 wrote to memory of 1480	4644	DllCommonsvc.exe	143
PID 4644 wrote to memory of 1480	4644	DllCommonsvc.exe	143
PID 4644 wrote to memory of 3236	4644	DllCommonsvc.exe	145
PID 4644 wrote to memory of 3236	4644	DllCommonsvc.exe	145
PID 4644 wrote to memory of 4160	4644	DllCommonsvc.exe	151
PID 4644 wrote to memory of 4160	4644	DllCommonsvc.exe	151
PID 4644 wrote to memory of 2252	4644	DllCommonsvc.exe	147
PID 4644 wrote to memory of 2252	4644	DllCommonsvc.exe	147
PID 4644 wrote to memory of 1848	4644	DllCommonsvc.exe	148
PID 4644 wrote to memory of 1848	4644	DllCommonsvc.exe	148
PID 4644 wrote to memory of 3292	4644	DllCommonsvc.exe	153
PID 4644 wrote to memory of 3292	4644	DllCommonsvc.exe	153
PID 4644 wrote to memory of 456	4644	DllCommonsvc.exe	155
PID 4644 wrote to memory of 456	4644	DllCommonsvc.exe	155
PID 4644 wrote to memory of 4036	4644	DllCommonsvc.exe	156
PID 4644 wrote to memory of 4036	4644	DllCommonsvc.exe	156
PID 4644 wrote to memory of 544	4644	DllCommonsvc.exe	160
PID 4644 wrote to memory of 544	4644	DllCommonsvc.exe	160
PID 544 wrote to memory of 4148	544	RuntimeBroker.exe	161
PID 544 wrote to memory of 4148	544	RuntimeBroker.exe	161
PID 4148 wrote to memory of 1040	4148	cmd.exe	163
PID 4148 wrote to memory of 1040	4148	cmd.exe	163
PID 4148 wrote to memory of 1592	4148	cmd.exe	167
PID 4148 wrote to memory of 1592	4148	cmd.exe	167
PID 1592 wrote to memory of 4560	1592	RuntimeBroker.exe	170
PID 1592 wrote to memory of 4560	1592	RuntimeBroker.exe	170
PID 4560 wrote to memory of 5064	4560	cmd.exe	172
PID 4560 wrote to memory of 5064	4560	cmd.exe	172
PID 4560 wrote to memory of 1324	4560	cmd.exe	175
PID 4560 wrote to memory of 1324	4560	cmd.exe	175
PID 1324 wrote to memory of 3124	1324	RuntimeBroker.exe	176
PID 1324 wrote to memory of 3124	1324	RuntimeBroker.exe	176
PID 3124 wrote to memory of 632	3124	cmd.exe	178
PID 3124 wrote to memory of 632	3124	cmd.exe	178
PID 3124 wrote to memory of 760	3124	cmd.exe	179
PID 3124 wrote to memory of 760	3124	cmd.exe	179
PID 760 wrote to memory of 4608	760	RuntimeBroker.exe	180
PID 760 wrote to memory of 4608	760	RuntimeBroker.exe	180
PID 4608 wrote to memory of 2268	4608	cmd.exe	182
PID 4608 wrote to memory of 2268	4608	cmd.exe	182

C:\Users\Admin\AppData\Local\Temp\940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
"C:\Users\Admin\AppData\Local\Temp\940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
    - - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1040
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5064
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:632
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2268
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        14⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:932
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        16⤵
        
        PID:3100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:992
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        18⤵
        
        PID:4244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2824
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        20⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Migration\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
204B

MD5
ced13f5244db8106224b55ee80727a6c

SHA1
b871bef900e10a21513911cc658edf9297b79e67

SHA256
a4afc68d82d80f3b4988699bea2cb54f8be47ab4624b0f81e2241e2ca6837fec

SHA512
a1d0d6a5ba6ac68b50710842c659efd6e65130838fea9d087b1bb35ee7ab1c376cd07923932aec078e21464d6bf9625da0749ebc75bce60ec0e74e8bd1804d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
204B

MD5
a877c1dcd7ef47f6bb931ee48b2228d1

SHA1
d596fea704a6960c7ff5a76dfa98bddbc0b4606c

SHA256
f15fec4dede5044efd2a0b60825fcf92c10695f307a307bea01136a5d46a777b

SHA512
dfcb09a7fc72be89f2c75216e5c106da937bd45281f7fa8498cb7a8fb933825767a1095175a9bf9b8ea1bfef2025305e74e13323f77e7ff2aa0b4b8d39d441d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
204B

MD5
4f7981e6d7a20ef5d710a738da259788

SHA1
11659e3772f3e760ab4b0d7e7a79d70bbb246a66

SHA256
25e965c688d5f3b9fc0b148655c63d9379a26ce6bde2593aec5e0a4f476d3c8e

SHA512
f76bfe06d751c4ae2559ba3e6f743a04fab3b879b985eb8c0faf8ffaacb07f71be94f23cdb9360abd7e55af9ae23c34ac1ccdfcfa68e060ce06bf511d73bd142

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
204B

MD5
f955dd5bb9fdcfc517e8fac9f833a261

SHA1
cf3f390c3a4b7f21a5521f44daa73b34064cbfff

SHA256
6c924ca44bc0eb38a2f2f783223b5baf0a892745d3cc40fce02949e778bb8ad1

SHA512
ac39690cab60a2d615792e57efe69abff33c4529ba046ef9baa909765f18df5b87727aeba73f074787450ffdf18b672ef69311793a36c7ff5a72299239126978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
204B

MD5
ebdb931f760e9944ffcdf5228e4b8143

SHA1
1c05b7e59823245276e82c26dec0eec894e51667

SHA256
ae2df7132ee34064713f2bc08cfed0d4532127ec79f5f0657580ade57ea5d787

SHA512
fab3a39ba82de132b7e46520c94ef7e59b8a2fd6872ddc6c31887f8c99a4d68c721a688c86edf10ebc739375b7331d35b42d25fb5716ddec28ca7dad98397ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
204B

MD5
a3fcd2851a70ef750cb839781700ad9d

SHA1
7974492f09b419c8c2e828837226f9ba947234e2

SHA256
cfd76a1a7ae8d72568d6b9f9a702cc517dfe259b06c4c1ab7b5d2c35f4d31f7c

SHA512
e87f8b20dfde614577bdc2a257fd5153884d8da091bdbc7e34343cfad1e2999b52a91e2904c4fa7ac922bf7bc5a1788195eba152c12e4e133fc4917bef8f82f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
204B

MD5
189974043921dfca0edd8e53ea5d229d

SHA1
bc32c5a8bf734d6f8953cffd96b24b3efa918e3d

SHA256
296e56731b14fc52c036e8f7bbcdf82d596f5fb92db9a64b8f0edee22c751eb5

SHA512
47c25c53d4b012170be1792a8fed4363bafbf6dc2337b3a339b8f5af609a1fec12f44296a3feaa39073f185b2ce3ca05f7b5e85db87cedd392bd5310e61e3fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
204B

MD5
ebdc6c17ee8ad72144d778eecd2f8e42

SHA1
ccf7c5befd69405e7bd4a8944cc6262fd1b5bf35

SHA256
5908281f68f44140bf34a931137ad70da6698ba257b4068db82340bda995e41e

SHA512
46cd2f7670b2d1fe41848876c89e970313f4a8a4ff4c5b2ce624b319a5bf7cb79916e4c542baacace46519ec325b841f20ddf0321a0a72c4a0d65ee83543efcd

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/456-210-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/456-172-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/544-178-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/544-180-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/760-232-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/760-236-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/1324-225-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/1324-229-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/1480-198-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1480-169-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1592-220-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1592-218-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1708-243-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/1708-239-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/1848-176-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-208-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/2252-171-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/2252-205-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-153-0x000001AFF94F0000-0x000001AFF9512000-memory.dmp

Filesize
136KB

Download
memory/2796-156-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-183-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-253-0x00007FF9F3AC0000-0x00007FF9F4581000-memory.dmp

Filesize
10.8MB

Download
memory/2828-257-0x00007FF9F3AC0000-0x00007FF9F4581000-memory.dmp

Filesize
10.8MB

Download
memory/3092-161-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-186-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-168-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-192-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3236-199-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3236-175-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-162-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-197-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3292-214-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3292-177-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3444-174-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3444-203-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-166-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-206-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-213-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-173-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-264-0x00007FF9F3AC0000-0x00007FF9F4581000-memory.dmp

Filesize
10.8MB

Download
memory/4068-260-0x00007FF9F3AC0000-0x00007FF9F4581000-memory.dmp

Filesize
10.8MB

Download
memory/4160-204-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-170-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-160-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-194-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-139-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/4644-140-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-167-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-190-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-159-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-250-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download
memory/4736-246-0x00007FF9F39A0000-0x00007FF9F4461000-memory.dmp

Filesize
10.8MB

Download