dcrat | addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe
Size

1.3MB
MD5

97de4daed939b69a10f6428de4f67f50
SHA1

5da5c0d5d034703209f0d6aff2d4230528d89b4c
SHA256

addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5
SHA512

66a8f712048daf17a01c5994e321e752cbd7da8b30f639a32b196c8d801f0ca8d9f2a1f123ce78d608359baf37cc857b3bbc9826885d3f32ff3e0a432b2df34a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3028	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3488-139-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
3488	DllCommonsvc.exe
3328	fontdrvhost.exe
5272	fontdrvhost.exe
2844	fontdrvhost.exe
1556	fontdrvhost.exe
5624	fontdrvhost.exe
3548	fontdrvhost.exe
932	fontdrvhost.exe
5768	fontdrvhost.exe
5796	fontdrvhost.exe
4480	fontdrvhost.exe
4588	fontdrvhost.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeaddc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exeDllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 18 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\ee2ad38f3d4382	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Boot\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\rescache\_merged\4245263321\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2800	schtasks.exe
3236	schtasks.exe
2152	schtasks.exe
1964	schtasks.exe
448	schtasks.exe
2980	schtasks.exe
2292	schtasks.exe
4260	schtasks.exe
3684	schtasks.exe
2932	schtasks.exe
4208	schtasks.exe
3820	schtasks.exe
1744	schtasks.exe
3044	schtasks.exe
4752	schtasks.exe
3328	schtasks.exe
1340	schtasks.exe
3548	schtasks.exe
3164	schtasks.exe
2680	schtasks.exe
2136	schtasks.exe
2116	schtasks.exe
4584	schtasks.exe
756	schtasks.exe
880	schtasks.exe
956	schtasks.exe
3596	schtasks.exe
2520	schtasks.exe
1144	schtasks.exe
1892	schtasks.exe
4332	schtasks.exe
2440	schtasks.exe
1560	schtasks.exe
5036	schtasks.exe
228	schtasks.exe
824	schtasks.exe
780	schtasks.exe
960	schtasks.exe
4644	schtasks.exe
3776	schtasks.exe
1664	schtasks.exe
3744	schtasks.exe
1312	schtasks.exe
4248	schtasks.exe
4276	schtasks.exe
2672	schtasks.exe
4692	schtasks.exe
3968	schtasks.exe
3900	schtasks.exe
1032	schtasks.exe
564	schtasks.exe
220	schtasks.exe
700	schtasks.exe
4244	schtasks.exe
4128	schtasks.exe
540	schtasks.exe
4140	schtasks.exe

Modifies registry class 12 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeaddc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3488	DllCommonsvc.exe
3508	powershell.exe
1004	powershell.exe
1004	powershell.exe
1556	powershell.exe
1556	powershell.exe
1324	powershell.exe
1324	powershell.exe
536	powershell.exe
536	powershell.exe
2128	powershell.exe
2128	powershell.exe
932	powershell.exe
932	powershell.exe
4648	powershell.exe
4648	powershell.exe
4972	powershell.exe
4972	powershell.exe
1816	powershell.exe
1816	powershell.exe
2144	powershell.exe
2144	powershell.exe
4048	powershell.exe
4048	powershell.exe
5076	powershell.exe
5076	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	3488	DllCommonsvc.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3328	fontdrvhost.exe
Token: SeDebugPrivilege	5272	fontdrvhost.exe
Token: SeDebugPrivilege	2844	fontdrvhost.exe
Token: SeDebugPrivilege	1556	fontdrvhost.exe
Token: SeDebugPrivilege	5624	fontdrvhost.exe
Token: SeDebugPrivilege	3548	fontdrvhost.exe
Token: SeDebugPrivilege	932	fontdrvhost.exe
Token: SeDebugPrivilege	5768	fontdrvhost.exe
Token: SeDebugPrivilege	5796	fontdrvhost.exe
Token: SeDebugPrivilege	4480	fontdrvhost.exe
Token: SeDebugPrivilege	4588	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exeWScript.execmd.exeDllCommonsvc.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.exe

description	pid	process	target process
PID 1816 wrote to memory of 4972	1816	addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe	WScript.exe
PID 1816 wrote to memory of 4972	1816	addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe	WScript.exe
PID 1816 wrote to memory of 4972	1816	addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe	WScript.exe
PID 4972 wrote to memory of 4448	4972	WScript.exe	cmd.exe
PID 4972 wrote to memory of 4448	4972	WScript.exe	cmd.exe
PID 4972 wrote to memory of 4448	4972	WScript.exe	cmd.exe
PID 4448 wrote to memory of 3488	4448	cmd.exe	DllCommonsvc.exe
PID 4448 wrote to memory of 3488	4448	cmd.exe	DllCommonsvc.exe
PID 3488 wrote to memory of 3508	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 3508	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 536	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 536	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1556	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1556	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1324	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1324	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 2128	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 2128	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1004	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1004	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 932	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 932	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 4648	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 4648	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1816	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1816	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 4972	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 4972	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 4048	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 4048	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 2144	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 2144	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 5048	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 5048	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 5076	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 5076	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 216	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 216	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 2500	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 2500	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 872	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 872	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 3104	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 3104	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1804	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 1804	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 3904	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 3904	3488	DllCommonsvc.exe	powershell.exe
PID 3488 wrote to memory of 3328	3488	DllCommonsvc.exe	fontdrvhost.exe
PID 3488 wrote to memory of 3328	3488	DllCommonsvc.exe	fontdrvhost.exe
PID 3328 wrote to memory of 5988	3328	fontdrvhost.exe	cmd.exe
PID 3328 wrote to memory of 5988	3328	fontdrvhost.exe	cmd.exe
PID 5988 wrote to memory of 6108	5988	cmd.exe	w32tm.exe
PID 5988 wrote to memory of 6108	5988	cmd.exe	w32tm.exe
PID 5988 wrote to memory of 5272	5988	cmd.exe	fontdrvhost.exe
PID 5988 wrote to memory of 5272	5988	cmd.exe	fontdrvhost.exe
PID 5272 wrote to memory of 5604	5272	fontdrvhost.exe	cmd.exe
PID 5272 wrote to memory of 5604	5272	fontdrvhost.exe	cmd.exe
PID 5604 wrote to memory of 3628	5604	cmd.exe	w32tm.exe
PID 5604 wrote to memory of 3628	5604	cmd.exe	w32tm.exe
PID 5604 wrote to memory of 2844	5604	cmd.exe	fontdrvhost.exe
PID 5604 wrote to memory of 2844	5604	cmd.exe	fontdrvhost.exe
PID 2844 wrote to memory of 5220	2844	fontdrvhost.exe	cmd.exe
PID 2844 wrote to memory of 5220	2844	fontdrvhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe
"C:\Users\Admin\AppData\Local\Temp\addc42e69559f307ae39cc92d158cb4e378ca1400d5d4b929ccd379cfd6547b5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\WmiPrvSE.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\Registry.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:5988

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:6108

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:3628

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
10⤵
PID:5220

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2788

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"
12⤵
PID:5316

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:3320

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
13⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
14⤵
PID:5468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:3940

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
15⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
16⤵
PID:4320

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:4108

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
17⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
18⤵
PID:6000

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:5716

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
19⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
20⤵
PID:5828

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:780

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
21⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
22⤵
PID:6084

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2292

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
23⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
24⤵
PID:5864

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:5844

C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
"C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe"
25⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
26⤵
PID:3784

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:5936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\sihost.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat
Filesize
220B

MD5
0556079168cdd733a459083eae539802

SHA1
b724716f647af66f14cadf6311b691bb92208683

SHA256
7f0100993aa8a713bb5d3e81a64d444e41c4f7d9b4d5a1a46fccaf1b6588b645

SHA512
fbfc054f3a8e6e60d0a7d59ba29f5a4a99c70907ecc5f0763a8e35b2d92636a339cab336dea8439e83ad1773b45f9c7b6e08bfdcc0cb64c3cdabc655f0cdcdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat
Filesize
220B

MD5
57dc4ad055e9da0ccdc1ed2e5acd5cc6

SHA1
3cdff48a8988e2e474df48da4f78d4bc0c55dd3c

SHA256
b1ec3886f41c70e80a5521abf8ac9a44a94a8d51aa9fe17e195d512d51050439

SHA512
737afe4ea8e192967cacd4180ccb24f4f7de795a1218279b830496fc64372024d33cc82241f7dc387ebb3c3ea787f5484320118e8fc539de7c99d9f62ce2cfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat
Filesize
220B

MD5
8b88c7f13f5b5ad0b5bc3a9d3e797a4c

SHA1
123152d4fef43070122003701faaab0fbefa368b

SHA256
6181647828fb7fb0229645e2a5b0b29386d961121bd8f6d8621140ac1cbd7615

SHA512
43c02ffaf71a29d6ce312f5e8fac423d5dc5b4864dc3b2f9e8a5ac3f9b2c17d7baf3f08a3fac3459a1179a73ab4a07be81b1540b9a9df57404e492958d567ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat
Filesize
220B

MD5
14590597aa3c87d1dde96e45321ea973

SHA1
7884292eb9a383271f75d7df3ba570081b33f49b

SHA256
7582653c7358f83a564565eabddf71ef12e1b741a15e4f01cd1e391a0dd5e92a

SHA512
aa59131e442a020ffb9991c134f7d82b6c0e377b0841e0df799c8c0675e1e2be2ebadcb6ceb9d8fb469ef0f7208aa9dfba6c3cdc80a5708e56fd300454b65912

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat
Filesize
220B

MD5
a4dff2f947f6fcf6d98c052d87029e3a

SHA1
bcf8f28072f4dec8d6c2dcc3ab2f132551c97741

SHA256
247cdcf96e75d919e12c1a05a5006a2c2196176d21ce24bde18c2d0c9128cfb0

SHA512
d58e47cccee14cf3b389eb003b2cf5270504aa81fd9df61a709e89bff599d781280eabd2970adfaf75d4580688d91d876ead10b089fdca42300c9de5b86b889a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat
Filesize
220B

MD5
16f9e9d15f3fab912ff7e0b2941ae781

SHA1
cf6fbd140ad0aa3de9593380e6d98ded434d5800

SHA256
bcb8cb676925e38996683bd772afa7312853c607213b2fb7fab85761b06a3757

SHA512
cc0503870ad70497e3161921ad50b76facd790d9d79e032f8ee8fd6a37b9378ef2ad7e396a13560f1239764e80ce83a20a772d8e861abd9c54e37c4fc2c44a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat
Filesize
220B

MD5
1eab9202e0c8d6481899c4a326e230ac

SHA1
329a9d7db995a5a406a42aca2c7194d6637e6975

SHA256
2a1ab13784edadb755d879b98de71650acda7ce9344792a5b02ed3f95e4f3a66

SHA512
7af9e6f19b05f095e4c56188f4df49a47dc22b293c5f180b7246dd91c3e394fdfb3ab5a38e18b1548a534a61a1be494c39bf14ecea8c68197c6bc2982c7d6853

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat
Filesize
220B

MD5
d91863d0050ac5a26401b91d09fd93f9

SHA1
f2d0d875c220376b7539d5fb36011d44f47da92a

SHA256
d76ddde9283b6cc705ee996cfad6a5fc8d44010f9a288e72519287f2b110ec42

SHA512
e366c557eb06c0369c36220fad1ad7b2404b727f787b296b0fb3e6609d3ebf99972433d66db5bac4d4f03c68b2128c87cf7a30248bb9ff5b63bb0152708102e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat
Filesize
220B

MD5
9c32bfc3e473ef8574afd96937ef355e

SHA1
662247834de62bea82845c1aaea9a9ca81896d5b

SHA256
5d2c7d29882371c588e4ce43e94bcd73435bfa4f9a212a11d1649151fa7e758a

SHA512
159670a797cdf319fca313f1ca895002b6916196fe02eda75fd9618dfb0fe6a7eae021c5799c763393bedb288ce495dd13ee90074f671b1a4855b37f9faf7b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat
Filesize
220B

MD5
35b899416bf581ffbaad93c79c64dc66

SHA1
5b7fc722c520c3c7d694c86aa4412dbe6fb9e8de

SHA256
1706b1906a9b6e08c70294ad32428785dff174c473d011e6cb4b65b67d3b4474

SHA512
1033ff295d37fa302c8fd9dfc2b8024ea1db45ea301d3faef8e4496c8f6286addbfa2822bc0423ecaaac7544e5a560afe704065d8a956129167b0cfaa7c9f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat
Filesize
220B

MD5
75d70389230325c61a60564a126a25a7

SHA1
5e3740cfc6345910abe6cb8f09076d3b69318e88

SHA256
5c77737746604aa3a308a3924dd17150135f971c81a5f1909674e1612c734af4

SHA512
c44dc203a93ff2be99d093f3539d6a246f51cbe11914af123558c5321e17a54c1471fc12ec196122d29d35ecc70e2d218aa03257eaaf00a348efefb1a1673e65

Download Submit
C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/216-220-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/216-177-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/216-156-0x0000000000000000-mapping.dmp

Download
memory/536-142-0x0000000000000000-mapping.dmp

Download
memory/536-200-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/536-160-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/780-279-0x0000000000000000-mapping.dmp

Download
memory/872-188-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/872-225-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/872-159-0x0000000000000000-mapping.dmp

Download
memory/932-273-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/932-147-0x0000000000000000-mapping.dmp

Download
memory/932-269-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/932-267-0x0000000000000000-mapping.dmp

Download
memory/932-208-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/932-172-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-146-0x0000000000000000-mapping.dmp

Download
memory/1004-196-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-169-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-144-0x0000000000000000-mapping.dmp

Download
memory/1324-198-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-165-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-164-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-248-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/1556-143-0x0000000000000000-mapping.dmp

Download
memory/1556-252-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/1556-246-0x0000000000000000-mapping.dmp

Download
memory/1556-194-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-227-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-179-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-162-0x0000000000000000-mapping.dmp

Download
memory/1816-214-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1816-174-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1816-149-0x0000000000000000-mapping.dmp

Download
memory/2128-202-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-171-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-145-0x0000000000000000-mapping.dmp

Download
memory/2144-153-0x0000000000000000-mapping.dmp

Download
memory/2144-183-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-218-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-286-0x0000000000000000-mapping.dmp

Download
memory/2500-158-0x0000000000000000-mapping.dmp

Download
memory/2500-187-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2500-222-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-244-0x0000000000000000-mapping.dmp

Download
memory/2844-245-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/2844-241-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/2844-239-0x0000000000000000-mapping.dmp

Download
memory/3104-228-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-178-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-161-0x0000000000000000-mapping.dmp

Download
memory/3320-251-0x0000000000000000-mapping.dmp

Download
memory/3328-186-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-180-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-166-0x0000000000000000-mapping.dmp

Download
memory/3488-170-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3488-139-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/3488-136-0x0000000000000000-mapping.dmp

Download
memory/3488-140-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3508-191-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3508-141-0x0000000000000000-mapping.dmp

Download
memory/3508-150-0x00000283F0430000-0x00000283F0452000-memory.dmp

Filesize
136KB

Download
memory/3508-157-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-260-0x0000000000000000-mapping.dmp

Download
memory/3548-266-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/3548-262-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/3628-238-0x0000000000000000-mapping.dmp

Download
memory/3784-298-0x0000000000000000-mapping.dmp

Download
memory/3904-181-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-230-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-163-0x0000000000000000-mapping.dmp

Download
memory/3940-258-0x0000000000000000-mapping.dmp

Download
memory/4048-152-0x0000000000000000-mapping.dmp

Download
memory/4048-175-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-215-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4108-265-0x0000000000000000-mapping.dmp

Download
memory/4320-263-0x0000000000000000-mapping.dmp

Download
memory/4448-135-0x0000000000000000-mapping.dmp

Download
memory/4480-294-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/4480-290-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/4480-288-0x0000000000000000-mapping.dmp

Download
memory/4588-295-0x0000000000000000-mapping.dmp

Download
memory/4648-205-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-173-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-148-0x0000000000000000-mapping.dmp

Download
memory/4972-132-0x0000000000000000-mapping.dmp

Download
memory/4972-207-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-151-0x0000000000000000-mapping.dmp

Download
memory/4972-182-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-154-0x0000000000000000-mapping.dmp

Download
memory/5048-217-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-185-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-155-0x0000000000000000-mapping.dmp

Download
memory/5076-213-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-176-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5220-242-0x0000000000000000-mapping.dmp

Download
memory/5272-236-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5272-234-0x00007FF81BE00000-0x00007FF81C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5272-231-0x0000000000000000-mapping.dmp

Download
memory/5316-249-0x0000000000000000-mapping.dmp

Download
memory/5468-256-0x0000000000000000-mapping.dmp

Download
memory/5604-235-0x0000000000000000-mapping.dmp

Download
memory/5624-259-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/5624-253-0x0000000000000000-mapping.dmp

Download
memory/5624-255-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/5716-272-0x0000000000000000-mapping.dmp

Download
memory/5768-276-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/5768-280-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/5768-274-0x0000000000000000-mapping.dmp

Download
memory/5796-281-0x0000000000000000-mapping.dmp

Download
memory/5796-287-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/5796-283-0x00007FF81BAA0000-0x00007FF81C561000-memory.dmp

Filesize
10.8MB

Download
memory/5828-277-0x0000000000000000-mapping.dmp

Download
memory/5844-293-0x0000000000000000-mapping.dmp

Download
memory/5864-291-0x0000000000000000-mapping.dmp

Download
memory/5936-300-0x0000000000000000-mapping.dmp

Download
memory/5988-184-0x0000000000000000-mapping.dmp

Download
memory/6000-270-0x0000000000000000-mapping.dmp

Download
memory/6084-284-0x0000000000000000-mapping.dmp

Download
memory/6108-190-0x0000000000000000-mapping.dmp

Download