dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

Analysis

max time kernel
151s
max time network
140s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-12-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Size

1.3MB
MD5

adde6baef89ebb01b5e60f15610ba470
SHA1

edc49b43aa822b754ee617db11c3ffc1a3e79ec1
SHA256

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
SHA512

89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1144	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral10/memory/1492-65-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral10/memory/1460-90-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
C:\MSOCache\All Users\wininit.exe	dcrat
behavioral10/memory/1700-149-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
C:\MSOCache\All Users\wininit.exe	dcrat
C:\MSOCache\All Users\wininit.exe	dcrat
C:\MSOCache\All Users\wininit.exe	dcrat
C:\MSOCache\All Users\wininit.exe	dcrat
C:\MSOCache\All Users\wininit.exe	dcrat

Executes dropped EXE 7 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid process

1492 DllCommonsvc.exe
1460 DllCommonsvc.exe
1700 wininit.exe
1384 wininit.exe
2156 wininit.exe
2452 wininit.exe
2108 wininit.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1340 cmd.exe
1340 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1340	cmd.exe
1340	cmd.exe

Drops file in Program Files directory 16 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\tracing\taskhost.exe DllCommonsvc.exe
File created C:\Windows\tracing\b75386f1303e64 DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\tracing\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\b75386f1303e64	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1340	schtasks.exe
1964	schtasks.exe
1880	schtasks.exe
1804	schtasks.exe
1880	schtasks.exe
1520	schtasks.exe
2044	schtasks.exe
1672	schtasks.exe
1512	schtasks.exe
1576	schtasks.exe
432	schtasks.exe
1744	schtasks.exe
2024	schtasks.exe
1484	schtasks.exe
968	schtasks.exe
736	schtasks.exe
1876	schtasks.exe
2044	schtasks.exe
1620	schtasks.exe
432	schtasks.exe
1028	schtasks.exe
860	schtasks.exe
1792	schtasks.exe
1736	schtasks.exe
964	schtasks.exe
1936	schtasks.exe
960	schtasks.exe
1012	schtasks.exe
1944	schtasks.exe
284	schtasks.exe
1996	schtasks.exe
1712	schtasks.exe
1744	schtasks.exe
1620	schtasks.exe
1532	schtasks.exe
1780	schtasks.exe
1676	schtasks.exe
1896	schtasks.exe
1972	schtasks.exe
1792	schtasks.exe
1672	schtasks.exe
864	schtasks.exe
1736	schtasks.exe
1780	schtasks.exe
284	schtasks.exe
960	schtasks.exe
824	schtasks.exe
1780	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wininit.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exe

pid	process
1492	DllCommonsvc.exe
1460	DllCommonsvc.exe
1816	powershell.exe
1948	powershell.exe
936	powershell.exe
824	powershell.exe
600	powershell.exe
1356	powershell.exe
1736	powershell.exe
1964	powershell.exe
1624	powershell.exe
668	powershell.exe
1896	powershell.exe
432	powershell.exe
1360	powershell.exe
1876	powershell.exe
1684	powershell.exe
1700	wininit.exe
1156	powershell.exe
2032	powershell.exe
1384	wininit.exe
2156	wininit.exe
2452	wininit.exe
2108	wininit.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1492	DllCommonsvc.exe
Token: SeDebugPrivilege	1460	DllCommonsvc.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1700	wininit.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1384	wininit.exe
Token: SeDebugPrivilege	2156	wininit.exe
Token: SeDebugPrivilege	2452	wininit.exe
Token: SeDebugPrivilege	2108	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeWScript.execmd.exeDllCommonsvc.exeschtasks.exeDllCommonsvc.exe

description	pid	process	target process
PID 1284 wrote to memory of 2036	1284	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1284 wrote to memory of 2036	1284	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1284 wrote to memory of 2036	1284	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 1284 wrote to memory of 2036	1284	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 2036 wrote to memory of 1340	2036	WScript.exe	cmd.exe
PID 2036 wrote to memory of 1340	2036	WScript.exe	cmd.exe
PID 2036 wrote to memory of 1340	2036	WScript.exe	cmd.exe
PID 2036 wrote to memory of 1340	2036	WScript.exe	cmd.exe
PID 1340 wrote to memory of 1492	1340	cmd.exe	DllCommonsvc.exe
PID 1340 wrote to memory of 1492	1340	cmd.exe	DllCommonsvc.exe
PID 1340 wrote to memory of 1492	1340	cmd.exe	DllCommonsvc.exe
PID 1340 wrote to memory of 1492	1340	cmd.exe	DllCommonsvc.exe
PID 1492 wrote to memory of 824	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 824	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 824	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 1948	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 1948	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 1948	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 1816	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 1816	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 1816	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 936	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 936	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 936	1492	DllCommonsvc.exe	powershell.exe
PID 1492 wrote to memory of 960	1492	DllCommonsvc.exe	cmd.exe
PID 1492 wrote to memory of 960	1492	DllCommonsvc.exe	cmd.exe
PID 1492 wrote to memory of 960	1492	DllCommonsvc.exe	cmd.exe
PID 960 wrote to memory of 860	960	schtasks.exe	w32tm.exe
PID 960 wrote to memory of 860	960	schtasks.exe	w32tm.exe
PID 960 wrote to memory of 860	960	schtasks.exe	w32tm.exe
PID 960 wrote to memory of 1460	960	schtasks.exe	DllCommonsvc.exe
PID 960 wrote to memory of 1460	960	schtasks.exe	DllCommonsvc.exe
PID 960 wrote to memory of 1460	960	schtasks.exe	DllCommonsvc.exe
PID 1460 wrote to memory of 600	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 600	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 600	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1736	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1736	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1736	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1964	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1964	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1964	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1624	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1624	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1624	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1356	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1356	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1356	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1896	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1896	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1896	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2032	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2032	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2032	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 884	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 884	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 884	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1156	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1156	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1156	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 432	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 432	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 432	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1876	1460	DllCommonsvc.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\taskhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat"
5⤵
PID:960

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:860

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\wininit.exe'
7⤵
PID:884

C:\MSOCache\All Users\wininit.exe
"C:\MSOCache\All Users\wininit.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
8⤵
PID:2912

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:2968

C:\MSOCache\All Users\wininit.exe
"C:\MSOCache\All Users\wininit.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
10⤵
PID:1692

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:292

C:\MSOCache\All Users\wininit.exe
"C:\MSOCache\All Users\wininit.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
12⤵
PID:1012

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:2216

C:\MSOCache\All Users\wininit.exe
"C:\MSOCache\All Users\wininit.exe"
13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
14⤵
PID:2676

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:2232

C:\MSOCache\All Users\wininit.exe
"C:\MSOCache\All Users\wininit.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\powershell.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\WmiPrvSE.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\powershell.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat
Filesize
198B

MD5
0763f210f51d0ce48a1f8f53abf97c5f

SHA1
53f47c85162eec0c2bc8959294e8e97373279c45

SHA256
70618e4faa270fd0abb9942a3dad0a34743ee050eade992674d21f2758b70c3f

SHA512
35d2f6334357c7210a01861b96545bf0d7424f6231b48c2d1a98aad05faff5c752d2e3cb876809757e48970d52b8bff67f8a89259ba2d1c87b7da861222b6364

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat
Filesize
198B

MD5
844b073769a9edf50975a7a45064d08c

SHA1
df5d222cfb6b28660254e03104ce485fcca1d321

SHA256
8ecb39772d3202450fea14a15c28c35a4cab9e02c7817316af40486b3359a713

SHA512
2d28aa90c0f443ad4c8804c1ab341557572d3c09352edb53bcf0426c34711131542e4feb6fa07f45daff0f584799323a5196f9b5fa90f854072137fb81c98a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat
Filesize
198B

MD5
378be49f07013d4819118312be6d7aa9

SHA1
910dd473c36cda35fc073809dbea01b996fb4946

SHA256
28fdb0ac6a2c42a5ed479b3f1c0f70c7178a889c6a06e8315d2d74e547b9b99c

SHA512
7863d3e20c0abb126092b2d1d505ebfd0023cd0990f3068d902da261ab3cdf43e33d460d6ac910f45b0c43242f0d8a3ac676d9e4c5e2e0720a27b142c4ef4d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat
Filesize
198B

MD5
a1e63a1cc7b53eed3a2aceeb8fa00b5b

SHA1
5a4f9eae7d6afc80c0de7ed92cda4e79f265c450

SHA256
ebb9ed72443d4c87b6f711d5942e38b715a97d401793d11e5635d72dc8753208

SHA512
262466483d3ee8a23811af1aa7648429291fef113ba3f717d6c6d1fbfbb065c7434e0624391fcd777c6352c918bd87896be966bbe8ee8af24d1c3993c3b078f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat
Filesize
199B

MD5
9bc80f842bdfdee5b63e1319a06a03d4

SHA1
c49bf9e1949fcc6c78e00c90c23842e8b000ca02

SHA256
a6d3ef08cc021e58bc857f3231a25806657034b45d8a6b7038bb6208278e9bba

SHA512
5fd168e8d98361c600e6c88cc614d851630adfca365fc8cb69a8369ae27c140a4428fd26130b2a2a176f1ffd164f3b486f0a0c43a3eb6ef94284931d8c07dd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
40e85f7cc21343f509dc1dc94eca0da8

SHA1
33e55f67f519b66a5d9acf06e1b18dc0319297f4

SHA256
6e8185600fe5d01662fb24ccdb0e83fa8983a48455c98cb2aa612fbbce148f60

SHA512
7f63d68468fc0c2ba67ef02aa8ab1eb93a6c3ebc7e60b84913d48f4bade5310073772dc5066ba715b0445a9ade1f638c775bba8d21df2ce11c24f985578ee0cf

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/292-255-0x0000000000000000-mapping.dmp

Download
memory/432-189-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/432-219-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/432-180-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/432-218-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/432-163-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/432-222-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/432-203-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/432-127-0x0000000000000000-mapping.dmp

Download
memory/600-198-0x000000000227B000-0x000000000229A000-memory.dmp

Filesize
124KB

Download
memory/600-172-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/600-214-0x000000000227B000-0x000000000229A000-memory.dmp

Filesize
124KB

Download
memory/600-156-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/600-118-0x0000000000000000-mapping.dmp

Download
memory/600-177-0x0000000002274000-0x0000000002277000-memory.dmp

Filesize
12KB

Download
memory/600-207-0x0000000002274000-0x0000000002277000-memory.dmp

Filesize
12KB

Download
memory/668-209-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/668-200-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/668-169-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/668-213-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/668-190-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/668-181-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/668-195-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/668-130-0x0000000000000000-mapping.dmp

Download
memory/824-104-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/824-92-0x000007FEE9C70000-0x000007FEEA7CD000-memory.dmp

Filesize
11.4MB

Download
memory/824-70-0x0000000000000000-mapping.dmp

Download
memory/824-111-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/824-110-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/824-74-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/824-108-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/824-77-0x000007FEEBAB0000-0x000007FEEC4D3000-memory.dmp

Filesize
10.1MB

Download
memory/824-100-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/824-93-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/860-85-0x0000000000000000-mapping.dmp

Download
memory/884-125-0x0000000000000000-mapping.dmp

Download
memory/936-94-0x000007FEE9C70000-0x000007FEEA7CD000-memory.dmp

Filesize
11.4MB

Download
memory/936-113-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/936-112-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/936-98-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/936-103-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/936-106-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/936-87-0x000007FEEBAB0000-0x000007FEEC4D3000-memory.dmp

Filesize
10.1MB

Download
memory/936-73-0x0000000000000000-mapping.dmp

Download
memory/936-109-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/960-81-0x0000000000000000-mapping.dmp

Download
memory/1012-261-0x0000000000000000-mapping.dmp

Download
memory/1156-126-0x0000000000000000-mapping.dmp

Download
memory/1156-238-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

Filesize
11.4MB

Download
memory/1156-235-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

Filesize
10.1MB

Download
memory/1284-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1340-59-0x0000000000000000-mapping.dmp

Download
memory/1356-174-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1356-185-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1356-215-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1356-208-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1356-122-0x0000000000000000-mapping.dmp

Download
memory/1356-197-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1356-157-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1360-224-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1360-191-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1360-227-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1360-166-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1360-129-0x0000000000000000-mapping.dmp

Download
memory/1360-182-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1384-250-0x0000000000000000-mapping.dmp

Download
memory/1460-88-0x0000000000000000-mapping.dmp

Download
memory/1460-91-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/1460-90-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1492-67-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1492-69-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1492-65-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/1492-68-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/1492-63-0x0000000000000000-mapping.dmp

Download
memory/1492-66-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1624-147-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1624-121-0x0000000000000000-mapping.dmp

Download
memory/1624-216-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1624-210-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/1624-217-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/1624-184-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1624-173-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1624-202-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1684-183-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1684-131-0x0000000000000000-mapping.dmp

Download
memory/1684-192-0x0000000002104000-0x0000000002107000-memory.dmp

Filesize
12KB

Download
memory/1684-171-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1684-225-0x000000000210B000-0x000000000212A000-memory.dmp

Filesize
124KB

Download
memory/1692-253-0x0000000000000000-mapping.dmp

Download
memory/1700-149-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/1700-139-0x0000000000000000-mapping.dmp

Download
memory/1736-119-0x0000000000000000-mapping.dmp

Download
memory/1736-194-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1736-199-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/1736-206-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/1736-175-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1736-155-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1736-186-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/1736-212-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/1816-102-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1816-99-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1816-72-0x0000000000000000-mapping.dmp

Download
memory/1816-116-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1816-115-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1816-96-0x000007FEE9C70000-0x000007FEEA7CD000-memory.dmp

Filesize
11.4MB

Download
memory/1816-86-0x000007FEEBAB0000-0x000007FEEC4D3000-memory.dmp

Filesize
10.1MB

Download
memory/1816-107-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1876-205-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1876-128-0x0000000000000000-mapping.dmp

Download
memory/1876-179-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1876-201-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1876-188-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1876-167-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1876-211-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1876-196-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1896-161-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1896-178-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1896-123-0x0000000000000000-mapping.dmp

Download
memory/1896-223-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1896-226-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/1896-193-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/1948-71-0x0000000000000000-mapping.dmp

Download
memory/1948-97-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1948-83-0x000007FEEBAB0000-0x000007FEEC4D3000-memory.dmp

Filesize
10.1MB

Download
memory/1948-117-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1948-95-0x000007FEE9C70000-0x000007FEEA7CD000-memory.dmp

Filesize
11.4MB

Download
memory/1948-105-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1948-114-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1948-101-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1964-187-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1964-120-0x0000000000000000-mapping.dmp

Download
memory/1964-176-0x000007FEE9110000-0x000007FEE9C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1964-220-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1964-159-0x000007FEEC340000-0x000007FEECD63000-memory.dmp

Filesize
10.1MB

Download
memory/1964-221-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1964-204-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/2032-124-0x0000000000000000-mapping.dmp

Download
memory/2032-237-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

Filesize
10.1MB

Download
memory/2036-55-0x0000000000000000-mapping.dmp

Download
memory/2108-271-0x0000000000000000-mapping.dmp

Download
memory/2156-256-0x0000000000000000-mapping.dmp

Download
memory/2216-263-0x0000000000000000-mapping.dmp

Download
memory/2232-270-0x0000000000000000-mapping.dmp

Download
memory/2452-264-0x0000000000000000-mapping.dmp

Download
memory/2676-268-0x0000000000000000-mapping.dmp

Download
memory/2912-236-0x0000000000000000-mapping.dmp

Download
memory/2968-241-0x0000000000000000-mapping.dmp

Download