dcrat | 10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219

Analysis

max time kernel
146s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe
Size

1.3MB
MD5

180ccc049395b7691627cc72af8f25fd
SHA1

8d13c7edf79973fc83431de604291cf7fbfc1c2b
SHA256

10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219
SHA512

78403606fbf44b8f1bcd6b3559d904fffdd7f5a523c22417bbe6c6d3ede22a6011405e80c7cc0c88786c7667155b9d60dae6cef7ac07d05c879a2d1c650dcab9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3156	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3156	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3064-282-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat
C:\Users\Public\Pictures\DllCommonsvc.exe	dcrat

Executes dropped EXE 10 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exe

pid	process
3064	DllCommonsvc.exe
356	DllCommonsvc.exe
5648	DllCommonsvc.exe
5568	DllCommonsvc.exe
5936	DllCommonsvc.exe
4852	DllCommonsvc.exe
1376	DllCommonsvc.exe
4372	DllCommonsvc.exe
5424	DllCommonsvc.exe
3988	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\ja-JP\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\explorer.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\tracing\services.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\en-US\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\services.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3756	schtasks.exe
4104	schtasks.exe
1704	schtasks.exe
4720	schtasks.exe
4768	schtasks.exe
420	schtasks.exe
1860	schtasks.exe
660	schtasks.exe
2676	schtasks.exe
4840	schtasks.exe
4580	schtasks.exe
4780	schtasks.exe
2132	schtasks.exe
3860	schtasks.exe
2764	schtasks.exe
1308	schtasks.exe
908	schtasks.exe
1140	schtasks.exe
3604	schtasks.exe
4552	schtasks.exe
900	schtasks.exe
2120	schtasks.exe
1220	schtasks.exe
2272	schtasks.exe
4812	schtasks.exe
4620	schtasks.exe
1196	schtasks.exe
2116	schtasks.exe
3560	schtasks.exe
3316	schtasks.exe
2304	schtasks.exe
4740	schtasks.exe
1404	schtasks.exe
1828	schtasks.exe
1320	schtasks.exe
1664	schtasks.exe
2404	schtasks.exe
288	schtasks.exe
2340	schtasks.exe
1784	schtasks.exe
1376	schtasks.exe
2312	schtasks.exe
4632	schtasks.exe
4524	schtasks.exe
1652	schtasks.exe
496	schtasks.exe
2700	schtasks.exe
2608	schtasks.exe
4652	schtasks.exe
2540	schtasks.exe
764	schtasks.exe
204	schtasks.exe
1100	schtasks.exe
2832	schtasks.exe
652	schtasks.exe
1916	schtasks.exe
3148	schtasks.exe

Modifies registry class 10 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exe10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exeDllCommonsvc.exeDllCommonsvc.exeDllCommonsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
3064	DllCommonsvc.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
1532	powershell.exe
1532	powershell.exe
5036	powershell.exe
1532	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
1532	powershell.exe
4228	powershell.exe
4860	powershell.exe
4860	powershell.exe
4900	powershell.exe
4900	powershell.exe
4872	powershell.exe
4872	powershell.exe
4360	powershell.exe
4360	powershell.exe
4212	powershell.exe
4212	powershell.exe
3364	powershell.exe
3364	powershell.exe
5096	powershell.exe
5096	powershell.exe
4168	powershell.exe
4168	powershell.exe
4860	powershell.exe
1264	powershell.exe
1264	powershell.exe
4964	powershell.exe
4964	powershell.exe
2032	powershell.exe
2032	powershell.exe
5032	powershell.exe
5032	powershell.exe
3052	powershell.exe
3052	powershell.exe
5004	powershell.exe
5004	powershell.exe
4752	powershell.exe
4752	powershell.exe
4504	powershell.exe
4504	powershell.exe
4900	powershell.exe
4872	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3064	DllCommonsvc.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	356	DllCommonsvc.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe
Token: 36	5036	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	powershell.exe
Token: SeSecurityPrivilege	1532	powershell.exe
Token: SeTakeOwnershipPrivilege	1532	powershell.exe
Token: SeLoadDriverPrivilege	1532	powershell.exe
Token: SeSystemProfilePrivilege	1532	powershell.exe
Token: SeSystemtimePrivilege	1532	powershell.exe
Token: SeProfSingleProcessPrivilege	1532	powershell.exe
Token: SeIncBasePriorityPrivilege	1532	powershell.exe
Token: SeCreatePagefilePrivilege	1532	powershell.exe
Token: SeBackupPrivilege	1532	powershell.exe
Token: SeRestorePrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeSystemEnvironmentPrivilege	1532	powershell.exe
Token: SeRemoteShutdownPrivilege	1532	powershell.exe
Token: SeUndockPrivilege	1532	powershell.exe
Token: SeManageVolumePrivilege	1532	powershell.exe
Token: 33	1532	powershell.exe
Token: 34	1532	powershell.exe
Token: 35	1532	powershell.exe
Token: 36	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4228	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exeWScript.execmd.exeDllCommonsvc.exeDllCommonsvc.execmd.exeDllCommonsvc.execmd.exeDllCommonsvc.exe

description	pid	process	target process
PID 3680 wrote to memory of 3356	3680	10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe	WScript.exe
PID 3680 wrote to memory of 3356	3680	10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe	WScript.exe
PID 3680 wrote to memory of 3356	3680	10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe	WScript.exe
PID 3356 wrote to memory of 4312	3356	WScript.exe	cmd.exe
PID 3356 wrote to memory of 4312	3356	WScript.exe	cmd.exe
PID 3356 wrote to memory of 4312	3356	WScript.exe	cmd.exe
PID 4312 wrote to memory of 3064	4312	cmd.exe	DllCommonsvc.exe
PID 4312 wrote to memory of 3064	4312	cmd.exe	DllCommonsvc.exe
PID 3064 wrote to memory of 5036	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5036	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 1532	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 1532	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4228	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4228	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4860	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4860	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4900	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4900	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4872	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4872	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4360	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4360	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4212	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4212	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 3364	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 3364	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 2032	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 2032	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5096	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5096	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 1264	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 1264	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4964	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4964	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4168	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4168	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5032	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5032	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 3052	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 3052	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5004	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 5004	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4728	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4728	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4752	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4752	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4504	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 4504	3064	DllCommonsvc.exe	powershell.exe
PID 3064 wrote to memory of 356	3064	DllCommonsvc.exe	DllCommonsvc.exe
PID 3064 wrote to memory of 356	3064	DllCommonsvc.exe	DllCommonsvc.exe
PID 356 wrote to memory of 5284	356	DllCommonsvc.exe	cmd.exe
PID 356 wrote to memory of 5284	356	DllCommonsvc.exe	cmd.exe
PID 5284 wrote to memory of 5344	5284	cmd.exe	w32tm.exe
PID 5284 wrote to memory of 5344	5284	cmd.exe	w32tm.exe
PID 5284 wrote to memory of 5648	5284	cmd.exe	DllCommonsvc.exe
PID 5284 wrote to memory of 5648	5284	cmd.exe	DllCommonsvc.exe
PID 5648 wrote to memory of 5468	5648	DllCommonsvc.exe	cmd.exe
PID 5648 wrote to memory of 5468	5648	DllCommonsvc.exe	cmd.exe
PID 5468 wrote to memory of 5528	5468	cmd.exe	w32tm.exe
PID 5468 wrote to memory of 5528	5468	cmd.exe	w32tm.exe
PID 5468 wrote to memory of 5568	5468	cmd.exe	DllCommonsvc.exe
PID 5468 wrote to memory of 5568	5468	cmd.exe	DllCommonsvc.exe
PID 5568 wrote to memory of 5616	5568	DllCommonsvc.exe	cmd.exe
PID 5568 wrote to memory of 5616	5568	DllCommonsvc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe
"C:\Users\Admin\AppData\Local\Temp\10661e43d4769a0e3d3568cab9c196865b0f6750ebe4bcdf0eccabdb118a9219.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
5⤵
PID:4728

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:5284

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:5344

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:5528

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
10⤵
PID:5616

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:5848

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
11⤵
- Executes dropped EXE
- Modifies registry class
PID:5936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
12⤵
PID:3512

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:5916

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
13⤵
- Executes dropped EXE
- Modifies registry class
PID:4852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
14⤵
PID:5704

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:3624

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
15⤵
- Executes dropped EXE
- Modifies registry class
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
16⤵
PID:5012

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:5116

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
17⤵
- Executes dropped EXE
- Modifies registry class
PID:4372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
18⤵
PID:6108

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:3796

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
19⤵
- Executes dropped EXE
- Modifies registry class
PID:5424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
20⤵
PID:4616

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:5808

C:\Users\Public\Pictures\DllCommonsvc.exe
"C:\Users\Public\Pictures\DllCommonsvc.exe"
21⤵
- Executes dropped EXE
- Modifies registry class
PID:3988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
22⤵
PID:4632

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
50eeb0753366270136a4995fcb0bc77f

SHA1
cb4c9670938d76fa75ebd48f1e3aba71043f0b95

SHA256
0d36c9c8f3704e8b46aa364093aa69599332c9870723a82e8bd59e12e5585ad5

SHA512
6db746a2eb73cf4821e9634c56f098021e9241cb8df0f0393792dbc739287970b22a081cf70c07a1f980a2687034d6ea6b97e469de912d58559c6739e4040c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4d27707fe71ffe6eeea9f1a39b02860

SHA1
d314dd8e3d36c5c056bdb91d74d2bd8396306722

SHA256
0342b04a443e1f5785edd23fb7edb424ba8e5cda9bd060dda7dc6e97ff83412a

SHA512
0557849ce72a7a3d8d7225db70969e366086fc8e91f687b0c5ea91a6fb83f7a25a14524784c9a6b7e3b8eb0ebd3c3dfb8a21f010e84c22437fc1530d80236a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cd6e7893533790764f361170a904cf0

SHA1
ad637d84e185a184502dd80416b2b3e315f5a657

SHA256
b28e5d6e734ec3050de8c37ffd3f20d218e032c14aa400cf0a5bf6d1177ff0e1

SHA512
4cd6bfe293592d2e91d81c9fa4ea8caa1cb6b1d159e548d7668b63f45584df69ab31b1c665934b451a2c2ac1b70e8f1fd4191e0c63f1983ac0d8133ebc275fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e6af359c4b2ed353569eda7084a47076

SHA1
a00f2b7574d55d9567668436d7ebbae9d45c8cea

SHA256
8cc864d9f911117c35da5789cc0be8ced581ec989cd425ed33d88dd184e37df9

SHA512
8df009704f6540263fa238ec9e329ff7bcf0c492655d497fa2728e57be59367d04622599c03ab3ff236ab41fd13187ea4293a22a975ee8676f13d3c64d6cef0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7eb67338a0f99c3c5c5af22f4ebf8929

SHA1
874823a6c0590634faf8191321c7243b070fad8a

SHA256
7242918c4e0940bf420cbf530f0a833c569a295b6a2d1771bb48dd51ebe4c476

SHA512
ec5a61f6244c58de0a1483c109a8436233d4bd6cddd0ed8dfe83133c8ddf7625c8ab55a3250ae97971dec2a09ef8d9d2fd36d6b50b6cbaee2b3a2d6756396dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce28230d6be991db7555841f682b4369

SHA1
5d2eca4b37e6965f0785b044c8808c38161efca9

SHA256
005e7c375184bdbf371b472c561eb3667b4961fe4a29c184ad253fc3a0b5bea8

SHA512
64679b6db2f712ea63dde97303fecc33548c9966d2b6e50f16f16e8ea0552b49076390e3880add0d78f1063baf0ed986a752f3ab4580d419b6453d1b8fdf2faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f12dc609a48a18470d0d83b1d8276b7

SHA1
8e7260391fd31930f331b6799d9f699e9f2ed879

SHA256
b56754a80479d6d3e6e06358474695ac92a16b8cb8890ae77deb582500d0050e

SHA512
29d020f08dab157badaec3e249c0657fc31bf2184912281149814e3c3ae3f1c69d2af83e4574c96e60776fce9ab39626a324eacd447fdbe634a9b179f23ca571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f12dc609a48a18470d0d83b1d8276b7

SHA1
8e7260391fd31930f331b6799d9f699e9f2ed879

SHA256
b56754a80479d6d3e6e06358474695ac92a16b8cb8890ae77deb582500d0050e

SHA512
29d020f08dab157badaec3e249c0657fc31bf2184912281149814e3c3ae3f1c69d2af83e4574c96e60776fce9ab39626a324eacd447fdbe634a9b179f23ca571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fad8934fb04fa08bbbbc7fbfec8b5bab

SHA1
6fe89d2180ef335b411128f201fd4047fc0db92f

SHA256
67f41ed9ec61533198cf7d9cabc68b3efcbbf54e58a706c38dff0020adbfd9d5

SHA512
1114453a3dd3f96e0fc237f8817e39eba095fc5a073b7a6f101f9d16bc0c8f0a1ecf2f55bc660ace7d2344d17de5105dce5ef84014c0c289db6b09c905304596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fad8934fb04fa08bbbbc7fbfec8b5bab

SHA1
6fe89d2180ef335b411128f201fd4047fc0db92f

SHA256
67f41ed9ec61533198cf7d9cabc68b3efcbbf54e58a706c38dff0020adbfd9d5

SHA512
1114453a3dd3f96e0fc237f8817e39eba095fc5a073b7a6f101f9d16bc0c8f0a1ecf2f55bc660ace7d2344d17de5105dce5ef84014c0c289db6b09c905304596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2b6067578d1643da09a8b1e73b79c6d

SHA1
ce297502621d2bf687feb6212cdeeac254ab12a8

SHA256
feb2480092fea4c3a47172b934c727e19e3bbbca0338144e520757657e3eaa64

SHA512
a85f3482e11e2ccf2b07611e0cb7ea0dd994c022fe1c932f29b1238cda9f6d345c2a52d2dc90206a73c153048c8af362c3d04483b1d5587b9dbbe402880de5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ffbb82bfd54680ea7d07469c31bbe5fd

SHA1
2553410b780cefec9f86920d84d04ad249e2b007

SHA256
789c5762984fd461cfa19e5dc6cf2bc996d8d091c5b603bb259848ce8054656c

SHA512
c2777e3f8dba2dc38c9c39c3ae72ab337c0cd2c384edc202b148ddd34d0e90de39a60de78703c073a52c23711e84d4f456ca4d924b210cddcae1bb05b9a0f7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52010e360a5454f325e0d15dfc620986

SHA1
2205e67cc9ec925b1a1d8b627e7fc230f76ea3e3

SHA256
97f4d22c3db47013b9eb32f56ad5fab796bd714f4377eb1fd3d486d6803253a4

SHA512
d5520bd614650a614148f6f72f38192f39b1466c58d7bccfd66fc25fef2700b4218e1857951f7ecb50f660629621733740c951b2fe2520aa788a0351ce5a8799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
065652c1b131f15ad9a5b2338a544297

SHA1
5f9203ff9a4ccb9219b6319cdb2bae3f722c88ee

SHA256
eb2ef53038efdec1b0ce54e88fd5aa7950a480c854481f3e2f00305c7ed87f14

SHA512
ade7b1249eadbf6f4ff3f65707deb7c9778c41241771c131daaf0f203e4b40f975933d365d005be6301054a4d083c580b7920cd6a7228887307bc1cab9058adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2a5f8ad4cf63c7ec3d249873f04471d

SHA1
a12785d6badef2e939375cb245bd78ab9f14ca21

SHA256
eb0e8a5a8ec4136db4e0c9e6649ed012c7bd18954f530ad2293a0678c6e68476

SHA512
56902a74fc1c7458bdcb895f38d3cfb83e0e7f0b7326753b52a0f8c0acfaf0a885e0e1aa0e27e311477ffabfd857ed6b7cd80f5c90fd1d06a817885571821a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2a5f8ad4cf63c7ec3d249873f04471d

SHA1
a12785d6badef2e939375cb245bd78ab9f14ca21

SHA256
eb0e8a5a8ec4136db4e0c9e6649ed012c7bd18954f530ad2293a0678c6e68476

SHA512
56902a74fc1c7458bdcb895f38d3cfb83e0e7f0b7326753b52a0f8c0acfaf0a885e0e1aa0e27e311477ffabfd857ed6b7cd80f5c90fd1d06a817885571821a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06fce4987ce1baafafd782fc2730145c

SHA1
0a31d56cef6ff89cc0e2f4af4658777d33cc2f84

SHA256
abb9f2652e6752f4dff18cc0c919b35a307bff738b91d88685d5968e7efdafee

SHA512
98a9a9327ba9fe4bfc66c6ea391353a3a26665edcf1d64a89a2f0940e8c34ee92de246f8be0fa7fbd6dcddf215cb621b01d77c253657bc411e6d53a2b059e317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e8def7bce13c99a8240e36a91df2e98

SHA1
48193710e07e74a38a7589b25a64ae2cc488b8ed

SHA256
fab26de512ec2eaa57728425e9f81e11faee0c4da5cae6be60a98a7f465d8472

SHA512
fb596e088941196aca367bf5f52fc97691c0ca91443bfd7f89ac99590109fc25e9e7e0cfa68b0681418044d407b5a4443c1acb4c1df00d27c8f56a73cb810197

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
206B

MD5
6b4613f2381252cf5efccdfeb7364d61

SHA1
3b466eb22786fbb53974ce0e36bc5c93cd7c6cc2

SHA256
adc3b913e34c121b74b7ff0aa0839b1af6184660a6fcc0ac298fe3cf81d3a453

SHA512
ee9f73abc4583ec9949529b0faa5c4d31ba32f14c3a392816693250df6938f363a07137d4ed5a764572444e9d1771c89b83651cb0a9faba9cbd4e961bb647a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
206B

MD5
c54d9aecdb91a9f47225f6de70bf8e83

SHA1
2b8858e4e8a95f0e6642d6b9106f0ee9afcfbd02

SHA256
3ac8aa22526bf4850ef9281c8458a5bd887a5deecb8662668d13635a0d4fbdc6

SHA512
def4ee991c87acf63d161bcbd1e7fd9c69294bc5fb423100754571004bb12f26a6877c1c5006163a03f487420a05990c4ac929974b5d612e65ae08a6d48891f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
206B

MD5
3acbf8f3ae4ea6d1fc50901d3b8810e0

SHA1
3d77224a4abf70fd4f7bb5c5719107125bd32368

SHA256
fa36948daa9b9c481e4b3196b751fc0f369e0a4cec229595bae5a8ed72a2e305

SHA512
5983865d0d82cc3d141b332b3fb0044bd0c566cccc7fef1e8c540751dac033e8b9ad27e4e5f5c2e620213e1c099f35ecee6f090d12c7b420564dfdf8138e403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
206B

MD5
a4c6593ec51229354ba28fa312269419

SHA1
446a789ac67025f55443dbc753d86732301a21de

SHA256
c217304b72a1ba3c5ec84fa6429a654cce0d5659f985c8b37800792822013c99

SHA512
7a0fe634f6005f6b0df50e3e8bbc1cdb14ad86f11c17ff3032a9ff1559bfa0c055a8a69a4f6f37eac4c16aa4a0068350f320d92ffe977d5246cefd3dcd2ba886

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
206B

MD5
e91d13ae6603703bcdf8c85cba470d7d

SHA1
cb94888a068b629178ac418c2b6bd5155cb8ee61

SHA256
9972db94631fed8257e1dbe6d4e4f37fa100cf67060f0ee6b3808cf37caa71d1

SHA512
6c45d0064458f7fb2e81a1a93d17f47ef064adbbea4807fe7cab18361cbc5e5cbc7634e7ec44f54fb6e7e7e8b3a6744a7326bbeca63c22e3162a733e6ecf533c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
206B

MD5
30d7ec809a953366ccebe09e441d7e9b

SHA1
c66615e4689241ae9b9c5abc67b49ac08b4c4f43

SHA256
904401ae11196e4cbc181855d7fea3d6eb2e6f7451db2135cc1c9a6fda453a10

SHA512
cb026a1a95dcb924148309fe729ec3bf2756bcb7619e0cc12ffaa8a6a61181ec52511a83c52066757e63bb71a5366bbccb13061d4363accf3fadf3899dbe444b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

Filesize
206B

MD5
5e0782804df16bf762778c778d7ec866

SHA1
e6e95ba26e5caffaaab96e39df8359bb7e484755

SHA256
524f5251f39f32f4bb1c59a0e66b745af60f745aac986d1514166b612c4e41bf

SHA512
8e16528aa3ac2bdcc3088d96fe690629da3b69f34c58ab27759259bfeb870429f3756132a1ccecb1bcc68b39d43383a76482c4bebf48842851bc68756564cc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
206B

MD5
0a6ac599f329424281f8128caf22f27b

SHA1
2c1b91f411d66e8cfea6befcb592ba0e2fb420ff

SHA256
279c9a8c40b01bb7ff4c68aafbdb1f26907bb0a10f25313c182262bce522486a

SHA512
f41d2f970da397f7b68df039ca5907d7b982f343d28975d03d3cdc8a58686a57032ffdd216270ac2bca4952b978fc4d8209b200bc7eb51f3e1c1715069c9cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

Filesize
206B

MD5
d1380f98f7b4259c2662f00c47019123

SHA1
0b1e807d12bd2dc7ed2d71ee71454b0096edc550

SHA256
1f57a35239565e35f8bcc7cd75bfe12efeea0a1965e2c3cf25f52f17474c3b8b

SHA512
4af3c82d0fc903125c90ff0ab03617cda3a62fb891d01bdeb131699c03aee94d0af0a1c27d1af6da8df4f999802e4a0a09aebba15c019bf8470a93ec9b734c87

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Pictures\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/356-479-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/356-405-0x0000000000000000-mapping.dmp

Download
memory/1264-302-0x0000000000000000-mapping.dmp

Download
memory/1376-1043-0x0000000000000000-mapping.dmp

Download
memory/1532-288-0x0000000000000000-mapping.dmp

Download
memory/2032-296-0x0000000000000000-mapping.dmp

Download
memory/3052-324-0x0000000000000000-mapping.dmp

Download
memory/3064-286-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/3064-285-0x00000000015B0000-0x00000000015BC000-memory.dmp

Filesize
48KB

Download
memory/3064-284-0x00000000015A0000-0x00000000015AC000-memory.dmp

Filesize
48KB

Download
memory/3064-283-0x0000000001580000-0x0000000001592000-memory.dmp

Filesize
72KB

Download
memory/3064-282-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/3064-279-0x0000000000000000-mapping.dmp

Download
memory/3356-180-0x0000000000000000-mapping.dmp

Download
memory/3356-182-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3356-181-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3364-295-0x0000000000000000-mapping.dmp

Download
memory/3512-1035-0x0000000000000000-mapping.dmp

Download
memory/3624-1042-0x0000000000000000-mapping.dmp

Download
memory/3680-160-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-147-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-178-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-177-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-176-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-132-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-175-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-174-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-173-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-172-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-171-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-168-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-170-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-169-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-117-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-166-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-134-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-131-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-130-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-129-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-118-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-135-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-128-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-167-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-165-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-164-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-136-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-119-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-127-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-179-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-126-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-137-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-122-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-163-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-138-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-162-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-161-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-116-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-121-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-159-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-139-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-158-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-157-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-124-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-156-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-140-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-125-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-155-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-154-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-153-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-152-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-151-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-150-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-149-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-148-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-133-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-146-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-145-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-144-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-143-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-142-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-141-0x0000000077200000-0x000000007738E000-memory.dmp

Filesize
1.6MB

Download
memory/3796-1053-0x0000000000000000-mapping.dmp

Download
memory/3988-1060-0x0000000000000000-mapping.dmp

Download
memory/3988-1062-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/4168-311-0x0000000000000000-mapping.dmp

Download
memory/4212-294-0x0000000000000000-mapping.dmp

Download
memory/4228-289-0x0000000000000000-mapping.dmp

Download
memory/4312-256-0x0000000000000000-mapping.dmp

Download
memory/4360-293-0x0000000000000000-mapping.dmp

Download
memory/4372-1048-0x0000000000000000-mapping.dmp

Download
memory/4372-1050-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/4504-349-0x0000000000000000-mapping.dmp

Download
memory/4616-1057-0x0000000000000000-mapping.dmp

Download
memory/4632-1063-0x0000000000000000-mapping.dmp

Download
memory/4728-334-0x0000000000000000-mapping.dmp

Download
memory/4752-343-0x0000000000000000-mapping.dmp

Download
memory/4852-1038-0x0000000000000000-mapping.dmp

Download
memory/4860-290-0x0000000000000000-mapping.dmp

Download
memory/4872-292-0x0000000000000000-mapping.dmp

Download
memory/4900-291-0x0000000000000000-mapping.dmp

Download
memory/4964-306-0x0000000000000000-mapping.dmp

Download
memory/5004-329-0x0000000000000000-mapping.dmp

Download
memory/5012-1045-0x0000000000000000-mapping.dmp

Download
memory/5032-316-0x0000000000000000-mapping.dmp

Download
memory/5036-375-0x0000028C419A0000-0x0000028C419C2000-memory.dmp

Filesize
136KB

Download
memory/5036-287-0x0000000000000000-mapping.dmp

Download
memory/5036-411-0x0000028C5BCE0000-0x0000028C5BD56000-memory.dmp

Filesize
472KB

Download
memory/5096-298-0x0000000000000000-mapping.dmp

Download
memory/5116-1047-0x0000000000000000-mapping.dmp

Download
memory/5284-719-0x0000000000000000-mapping.dmp

Download
memory/5344-920-0x0000000000000000-mapping.dmp

Download
memory/5424-1056-0x0000000002CB0000-0x0000000002CC2000-memory.dmp

Filesize
72KB

Download
memory/5424-1054-0x0000000000000000-mapping.dmp

Download
memory/5468-1023-0x0000000000000000-mapping.dmp

Download
memory/5528-1025-0x0000000000000000-mapping.dmp

Download
memory/5568-1026-0x0000000000000000-mapping.dmp

Download
memory/5568-1028-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/5616-1029-0x0000000000000000-mapping.dmp

Download
memory/5648-982-0x0000000000000000-mapping.dmp

Download
memory/5648-984-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/5696-1065-0x0000000000000000-mapping.dmp

Download
memory/5704-1040-0x0000000000000000-mapping.dmp

Download
memory/5808-1059-0x0000000000000000-mapping.dmp

Download
memory/5848-1031-0x0000000000000000-mapping.dmp

Download
memory/5916-1037-0x0000000000000000-mapping.dmp

Download
memory/5936-1034-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/5936-1032-0x0000000000000000-mapping.dmp

Download
memory/6108-1051-0x0000000000000000-mapping.dmp

Download