dcrat | 96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe
Size

1.3MB
MD5

5c43de835d41e3a2351989b75bb1ff45
SHA1

b728880ade45845153baa4a8253b605e6630224e
SHA256

96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df
SHA512

d15358c4178ed9548af212696b712fbb91d5dad5ee764aae6629007033b44f69c6e41e5c3b31ec79a894deb6a12b0b7b667cef9d97ea1d42d785e3c03e60f49b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1308	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	1308	schtasks.exe	83

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022f87-137.dat	dcrat
behavioral1/files/0x0006000000022f87-138.dat	dcrat
behavioral1/memory/3308-139-0x0000000000480000-0x0000000000590000-memory.dmp	dcrat
behavioral1/files/0x0006000000022f87-146.dat	dcrat
behavioral1/files/0x0006000000022fc8-190.dat	dcrat
behavioral1/files/0x0006000000022fc8-189.dat	dcrat

Executes dropped EXE 3 IoCs

pid	Process
3308	DllCommonsvc.exe
3572	DllCommonsvc.exe
4556	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\WaaS\tasks\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\Registry.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\es-ES\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\wininit.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3612	schtasks.exe
3232	schtasks.exe
1824	schtasks.exe
4328	schtasks.exe
1504	schtasks.exe
3604	schtasks.exe
3140	schtasks.exe
4852	schtasks.exe
4996	schtasks.exe
1264	schtasks.exe
536	schtasks.exe
4736	schtasks.exe
1992	schtasks.exe
3052	schtasks.exe
4656	schtasks.exe
4908	schtasks.exe
4928	schtasks.exe
2768	schtasks.exe
5012	schtasks.exe
3636	schtasks.exe
4372	schtasks.exe
4700	schtasks.exe
4060	schtasks.exe
2988	schtasks.exe
216	schtasks.exe
344	schtasks.exe
616	schtasks.exe
4836	schtasks.exe
1336	schtasks.exe
3720	schtasks.exe
2368	schtasks.exe
1932	schtasks.exe
3460	schtasks.exe
116	schtasks.exe
2588	schtasks.exe
4244	schtasks.exe
880	schtasks.exe
4936	schtasks.exe
1832	schtasks.exe
2836	schtasks.exe
5064	schtasks.exe
3948	schtasks.exe
3332	schtasks.exe
2724	schtasks.exe
3124	schtasks.exe
1568	schtasks.exe
1508	schtasks.exe
2784	schtasks.exe
2356	schtasks.exe
1844	schtasks.exe
3004	schtasks.exe
2772	schtasks.exe
4596	schtasks.exe
4248	schtasks.exe
2268	schtasks.exe
972	schtasks.exe
2400	schtasks.exe
2512	schtasks.exe
1240	schtasks.exe
2120	schtasks.exe
1352	schtasks.exe
632	schtasks.exe
4112	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3308	DllCommonsvc.exe
1296	powershell.exe
1416	powershell.exe
1372	powershell.exe
2384	powershell.exe
3572	DllCommonsvc.exe
2384	powershell.exe
1296	powershell.exe
1372	powershell.exe
1416	powershell.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
644	powershell.exe
644	powershell.exe
2336	powershell.exe
2336	powershell.exe
1224	powershell.exe
1224	powershell.exe
1668	powershell.exe
1668	powershell.exe
4740	powershell.exe
4740	powershell.exe
4500	powershell.exe
4500	powershell.exe
3228	powershell.exe
3228	powershell.exe
4596	powershell.exe
4596	powershell.exe
3576	powershell.exe
3576	powershell.exe
1404	powershell.exe
1404	powershell.exe
4080	powershell.exe
4080	powershell.exe
3492	powershell.exe
3492	powershell.exe
3772	powershell.exe
3772	powershell.exe
1832	powershell.exe
1832	powershell.exe
3640	powershell.exe
3640	powershell.exe
660	powershell.exe
660	powershell.exe
2052	powershell.exe
2052	powershell.exe
2920	powershell.exe
2920	powershell.exe
4860	powershell.exe
4860	powershell.exe
644	powershell.exe
644	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3308	DllCommonsvc.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	3572	DllCommonsvc.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 928	4088	96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe	79
PID 4088 wrote to memory of 928	4088	96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe	79
PID 4088 wrote to memory of 928	4088	96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe	79
PID 928 wrote to memory of 1716	928	WScript.exe	84
PID 928 wrote to memory of 1716	928	WScript.exe	84
PID 928 wrote to memory of 1716	928	WScript.exe	84
PID 1716 wrote to memory of 3308	1716	cmd.exe	86
PID 1716 wrote to memory of 3308	1716	cmd.exe	86
PID 3308 wrote to memory of 1372	3308	DllCommonsvc.exe	97
PID 3308 wrote to memory of 1372	3308	DllCommonsvc.exe	97
PID 3308 wrote to memory of 1296	3308	DllCommonsvc.exe	98
PID 3308 wrote to memory of 1296	3308	DllCommonsvc.exe	98
PID 3308 wrote to memory of 1416	3308	DllCommonsvc.exe	99
PID 3308 wrote to memory of 1416	3308	DllCommonsvc.exe	99
PID 3308 wrote to memory of 2384	3308	DllCommonsvc.exe	100
PID 3308 wrote to memory of 2384	3308	DllCommonsvc.exe	100
PID 3308 wrote to memory of 3572	3308	DllCommonsvc.exe	105
PID 3308 wrote to memory of 3572	3308	DllCommonsvc.exe	105
PID 3572 wrote to memory of 644	3572	DllCommonsvc.exe	163
PID 3572 wrote to memory of 644	3572	DllCommonsvc.exe	163
PID 3572 wrote to memory of 1224	3572	DllCommonsvc.exe	164
PID 3572 wrote to memory of 1224	3572	DllCommonsvc.exe	164
PID 3572 wrote to memory of 2336	3572	DllCommonsvc.exe	166
PID 3572 wrote to memory of 2336	3572	DllCommonsvc.exe	166
PID 3572 wrote to memory of 3228	3572	DllCommonsvc.exe	168
PID 3572 wrote to memory of 3228	3572	DllCommonsvc.exe	168
PID 3572 wrote to memory of 4500	3572	DllCommonsvc.exe	171
PID 3572 wrote to memory of 4500	3572	DllCommonsvc.exe	171
PID 3572 wrote to memory of 1668	3572	DllCommonsvc.exe	184
PID 3572 wrote to memory of 1668	3572	DllCommonsvc.exe	184
PID 3572 wrote to memory of 4740	3572	DllCommonsvc.exe	172
PID 3572 wrote to memory of 4740	3572	DllCommonsvc.exe	172
PID 3572 wrote to memory of 4596	3572	DllCommonsvc.exe	181
PID 3572 wrote to memory of 4596	3572	DllCommonsvc.exe	181
PID 3572 wrote to memory of 3576	3572	DllCommonsvc.exe	174
PID 3572 wrote to memory of 3576	3572	DllCommonsvc.exe	174
PID 3572 wrote to memory of 1404	3572	DllCommonsvc.exe	176
PID 3572 wrote to memory of 1404	3572	DllCommonsvc.exe	176
PID 3572 wrote to memory of 4080	3572	DllCommonsvc.exe	178
PID 3572 wrote to memory of 4080	3572	DllCommonsvc.exe	178
PID 3572 wrote to memory of 3492	3572	DllCommonsvc.exe	185
PID 3572 wrote to memory of 3492	3572	DllCommonsvc.exe	185
PID 3572 wrote to memory of 3772	3572	DllCommonsvc.exe	186
PID 3572 wrote to memory of 3772	3572	DllCommonsvc.exe	186
PID 3572 wrote to memory of 1832	3572	DllCommonsvc.exe	187
PID 3572 wrote to memory of 1832	3572	DllCommonsvc.exe	187
PID 3572 wrote to memory of 3640	3572	DllCommonsvc.exe	195
PID 3572 wrote to memory of 3640	3572	DllCommonsvc.exe	195
PID 3572 wrote to memory of 4860	3572	DllCommonsvc.exe	189
PID 3572 wrote to memory of 4860	3572	DllCommonsvc.exe	189
PID 3572 wrote to memory of 660	3572	DllCommonsvc.exe	191
PID 3572 wrote to memory of 660	3572	DllCommonsvc.exe	191
PID 3572 wrote to memory of 2052	3572	DllCommonsvc.exe	192
PID 3572 wrote to memory of 2052	3572	DllCommonsvc.exe	192
PID 3572 wrote to memory of 2920	3572	DllCommonsvc.exe	198
PID 3572 wrote to memory of 2920	3572	DllCommonsvc.exe	198
PID 3572 wrote to memory of 4556	3572	DllCommonsvc.exe	201
PID 3572 wrote to memory of 4556	3572	DllCommonsvc.exe	201

C:\Users\Admin\AppData\Local\Temp\96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe
"C:\Users\Admin\AppData\Local\Temp\96f21f5d8c213aa42314b5f543eb8988631d52156bc014fa126214e39b3fc2df.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Downloads\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\dllhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Registry.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\cmd.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
      - C:\Recovery\WindowsRE\powershell.exe
        
        "C:\Recovery\WindowsRE\powershell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre1.8.0_66\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8bddd49178ab7a6dbaef04ef4d4e3136

SHA1
bbed7d12dc14d72fcaf3766d79b85c0533c18038

SHA256
f58f5b1ce12e665fee9fa939ba4be8a6867dc9917d89609d735abd5d80ccdaf3

SHA512
d416df76cbbd005f28a616fbe0f98b18848858566639c8b8c6f50bb48f8597c4fc7230bd8b18800a4b2fb7257d79d695f7f062d1ae53edd041ac01ce47377701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
669da47b4b9fbd5be73aa95dae38ae5b

SHA1
5118811981f4c9dcf0c4c4225824563f917bccda

SHA256
649b913bb8af13c4c91937cb2675287e92b71f9f8afa0a15575b99b7316ce0e0

SHA512
7b554e7cbccd9896c7feb4e8f78d9e2652f04e4696d8a745e0a462b91a43044487e6d4a50dea6853624d32b76445bdf44e10e338ceb32eeeeaa6d8e5f9423b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2262839c93970e05099a4a7d8d6bf51b

SHA1
5bdc2124f4d84180ab974594fc5d0acce89e02bc

SHA256
df5987de92b53918f66a554e5599a52da01e174b13cd27ac4ba9b12e5b402a65

SHA512
b2c74af14d5f73122c881a2e3e8e94df5c38bc116c837052e21384a3b20167d7746a86680ce88b22e477117924b2fba5d4748135dbd96448e85b77c8bdaf9e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34891037c8ca7dbe22788a126bfae60a

SHA1
e3e68c0e73b116fa820c6325dee96f9c9a05e96c

SHA256
3f6bb2fb5bb2a11f55f3f48907024b6f8a48236ac9b1e07ecc7fbcaf0c1b8760

SHA512
08ebdef74d9b80c359b6dbdb279a8c0283a45374ce4cd925a86ec033b36cb63bac503737e2ecb3385970d02cc9969335be84e81595921d64349e8474f6ce6b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c639e7fa8faf97d0951c6e90f842cbb

SHA1
f3d29d041c22b3fde250027b49ae1eaef113b2ee

SHA256
1e2f6e9239b7cf6448626195198e6bab7dd93bfcdc44849635d264e60a007b7d

SHA512
bd7312b3053b3985828fa22ad8414b34460491c136d91fde4bcdb0a91c870fcf993d1df76cb8c2cdce3b44aca516b3cf025770745dd0527d86eb8c657f7632e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f78d43cdfcf616f3c0e119007ed7278

SHA1
09a6c518ab86d2453ddd47a01ea75c73b42acb00

SHA256
2f5e44d83d645c750dae76297908f576a27021be1debf6ac64f480090107849c

SHA512
fc65774eb94f6ad88d79dd508230ff7a3eba88c02ad1b58a72ca7a2ca357eee50365e21d01eb74bc1c2d0208618b7cc01cb49b90befd0d73ef4b15343fa64a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f78d43cdfcf616f3c0e119007ed7278

SHA1
09a6c518ab86d2453ddd47a01ea75c73b42acb00

SHA256
2f5e44d83d645c750dae76297908f576a27021be1debf6ac64f480090107849c

SHA512
fc65774eb94f6ad88d79dd508230ff7a3eba88c02ad1b58a72ca7a2ca357eee50365e21d01eb74bc1c2d0208618b7cc01cb49b90befd0d73ef4b15343fa64a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f78d43cdfcf616f3c0e119007ed7278

SHA1
09a6c518ab86d2453ddd47a01ea75c73b42acb00

SHA256
2f5e44d83d645c750dae76297908f576a27021be1debf6ac64f480090107849c

SHA512
fc65774eb94f6ad88d79dd508230ff7a3eba88c02ad1b58a72ca7a2ca357eee50365e21d01eb74bc1c2d0208618b7cc01cb49b90befd0d73ef4b15343fa64a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af61dcf914d57e7998dfe04d3ed238cb

SHA1
429f22ebb40d3ff40b8e4b8efd0c94e9a37e6e22

SHA256
e635343dd85fef83832c727509de1e949d80b711a1deba38b1484aaf57304b84

SHA512
71bfc18f015863392782358c3fc3b9bd9a83cda5cf00a09fff114474475639fbad40a8b1ded3967ba2cd362da2ec34c9021b2859055700136c6ef1ffc082f0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e383847151b30ec22446d64b24189495

SHA1
3e64497f604d192219c1cca9e4b6b22633d9963b

SHA256
0c7de2e8b8dce87eaf2f9835ff32e7178fd6af360edffdd89bfa45c6e83318e7

SHA512
db78534748d3c96db0073806c728669ea84d1ec91008389936bf3a708fe3ff263a195f675279fb5c9c323b055512f312ef3834e9e6105aaff2cc2ee5e370a6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d56b891107bed1137ff884fe67e66a9

SHA1
28d4cb96f644bd2fd17435e138b956a52fd76afd

SHA256
66b68b52a17db584276ed2930f7f58dab150509a8dde1895b1a8db9e4ab1d8b3

SHA512
fb7c5252ba4da1cb6af102325a3c653db131dea2917a44f972da57431bcc5603f2f696c94db176cae21c9e7326cfe6be7332e8ba5493d76406b33c38293a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d56b891107bed1137ff884fe67e66a9

SHA1
28d4cb96f644bd2fd17435e138b956a52fd76afd

SHA256
66b68b52a17db584276ed2930f7f58dab150509a8dde1895b1a8db9e4ab1d8b3

SHA512
fb7c5252ba4da1cb6af102325a3c653db131dea2917a44f972da57431bcc5603f2f696c94db176cae21c9e7326cfe6be7332e8ba5493d76406b33c38293a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d56b891107bed1137ff884fe67e66a9

SHA1
28d4cb96f644bd2fd17435e138b956a52fd76afd

SHA256
66b68b52a17db584276ed2930f7f58dab150509a8dde1895b1a8db9e4ab1d8b3

SHA512
fb7c5252ba4da1cb6af102325a3c653db131dea2917a44f972da57431bcc5603f2f696c94db176cae21c9e7326cfe6be7332e8ba5493d76406b33c38293a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d56b891107bed1137ff884fe67e66a9

SHA1
28d4cb96f644bd2fd17435e138b956a52fd76afd

SHA256
66b68b52a17db584276ed2930f7f58dab150509a8dde1895b1a8db9e4ab1d8b3

SHA512
fb7c5252ba4da1cb6af102325a3c653db131dea2917a44f972da57431bcc5603f2f696c94db176cae21c9e7326cfe6be7332e8ba5493d76406b33c38293a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d56b891107bed1137ff884fe67e66a9

SHA1
28d4cb96f644bd2fd17435e138b956a52fd76afd

SHA256
66b68b52a17db584276ed2930f7f58dab150509a8dde1895b1a8db9e4ab1d8b3

SHA512
fb7c5252ba4da1cb6af102325a3c653db131dea2917a44f972da57431bcc5603f2f696c94db176cae21c9e7326cfe6be7332e8ba5493d76406b33c38293a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d56b891107bed1137ff884fe67e66a9

SHA1
28d4cb96f644bd2fd17435e138b956a52fd76afd

SHA256
66b68b52a17db584276ed2930f7f58dab150509a8dde1895b1a8db9e4ab1d8b3

SHA512
fb7c5252ba4da1cb6af102325a3c653db131dea2917a44f972da57431bcc5603f2f696c94db176cae21c9e7326cfe6be7332e8ba5493d76406b33c38293a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
db9c5308f6767121fa1fa7f7c31e6589

SHA1
f26b22a0ed448b85f741a46c6812b42f29ba1ec3

SHA256
2560795c0b8d4ff54d5611c0730803b4d840753feb815804d92aee572109e25e

SHA512
d97b58760ed3d3a56930eaaf7b665016323767742af65413f42148cd1e718238d20af3ec5c44c7605dfb67d463d2726f1493fb6e18a5df637f10a7f434394cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
db9c5308f6767121fa1fa7f7c31e6589

SHA1
f26b22a0ed448b85f741a46c6812b42f29ba1ec3

SHA256
2560795c0b8d4ff54d5611c0730803b4d840753feb815804d92aee572109e25e

SHA512
d97b58760ed3d3a56930eaaf7b665016323767742af65413f42148cd1e718238d20af3ec5c44c7605dfb67d463d2726f1493fb6e18a5df637f10a7f434394cc0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/644-207-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/644-163-0x0000000000000000-mapping.dmp

Download
memory/644-178-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/660-238-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/660-180-0x0000000000000000-mapping.dmp

Download
memory/660-198-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/928-132-0x0000000000000000-mapping.dmp

Download
memory/1224-212-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-181-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-164-0x0000000000000000-mapping.dmp

Download
memory/1296-142-0x0000000000000000-mapping.dmp

Download
memory/1296-161-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-149-0x00000259BA410000-0x00000259BA432000-memory.dmp

Filesize
136KB

Download
memory/1296-150-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-153-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-141-0x0000000000000000-mapping.dmp

Download
memory/1372-162-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-172-0x0000000000000000-mapping.dmp

Download
memory/1404-222-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-201-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-157-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-151-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-143-0x0000000000000000-mapping.dmp

Download
memory/1668-217-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-186-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-168-0x0000000000000000-mapping.dmp

Download
memory/1716-135-0x0000000000000000-mapping.dmp

Download
memory/1832-204-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1832-176-0x0000000000000000-mapping.dmp

Download
memory/1832-239-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-206-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-182-0x0000000000000000-mapping.dmp

Download
memory/2052-243-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-184-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-209-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-165-0x0000000000000000-mapping.dmp

Download
memory/2384-152-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2384-160-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2384-144-0x0000000000000000-mapping.dmp

Download
memory/2920-200-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-242-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-183-0x0000000000000000-mapping.dmp

Download
memory/3228-188-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3228-166-0x0000000000000000-mapping.dmp

Download
memory/3228-226-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3308-136-0x0000000000000000-mapping.dmp

Download
memory/3308-139-0x0000000000480000-0x0000000000590000-memory.dmp

Filesize
1.1MB

Download
memory/3308-140-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3308-148-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3492-230-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3492-203-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3492-174-0x0000000000000000-mapping.dmp

Download
memory/3572-145-0x0000000000000000-mapping.dmp

Download
memory/3572-193-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-154-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-224-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-195-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-171-0x0000000000000000-mapping.dmp

Download
memory/3640-177-0x0000000000000000-mapping.dmp

Download
memory/3640-237-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-197-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-175-0x0000000000000000-mapping.dmp

Download
memory/3772-196-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-231-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-173-0x0000000000000000-mapping.dmp

Download
memory/4080-202-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-227-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-185-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-167-0x0000000000000000-mapping.dmp

Download
memory/4500-214-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-244-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-187-0x0000000000000000-mapping.dmp

Download
memory/4556-199-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-170-0x0000000000000000-mapping.dmp

Download
memory/4596-223-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-194-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-218-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-191-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-169-0x0000000000000000-mapping.dmp

Download
memory/4860-235-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4860-179-0x0000000000000000-mapping.dmp

Download
memory/4860-205-0x00007FFFE0FF0000-0x00007FFFE1AB1000-memory.dmp

Filesize
10.8MB

Download