dcrat | 36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3

Analysis

max time kernel
143s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe
Size

1.3MB
MD5

cf9e4bc4fcbfd704c91295a1630d3605
SHA1

61e97e6060d176ed1ac61d54405bc4d00912dfcb
SHA256

36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3
SHA512

1bf6ed8e501158fb00fef235300e679596504252c3a74015592e95d012a2ba1be222cf5d58dd349aa880d8935a8d088426898c16ee479b704ffe5debfb05e210
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4908	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/2628-286-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat
C:\Windows\Performance\WinSAT\DataStore\powershell.exe	dcrat

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2628	DllCommonsvc.exe
4748	DllCommonsvc.exe
4320	powershell.exe
5400	powershell.exe
5600	powershell.exe
5752	powershell.exe
6028	powershell.exe
1712	powershell.exe
196	powershell.exe
1416	powershell.exe
5784	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\en-US\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\en-US\f8c8f1285d826b	DllCommonsvc.exe

Drops file in Windows directory 14 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\56085415360792	DllCommonsvc.exe
File created	C:\Windows\addins\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\addins\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\System\smss.exe	DllCommonsvc.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_452b1f28f9c19deb\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Links\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Links\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\System\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\e978f868350d50	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4676	schtasks.exe
4492	schtasks.exe
1176	schtasks.exe
3212	schtasks.exe
1276	schtasks.exe
3780	schtasks.exe
1892	schtasks.exe
4756	schtasks.exe
4396	schtasks.exe
3524	schtasks.exe
4888	schtasks.exe
1772	schtasks.exe
2200	schtasks.exe
4240	schtasks.exe
2820	schtasks.exe
4816	schtasks.exe
4132	schtasks.exe
3064	schtasks.exe
4640	schtasks.exe
4732	schtasks.exe
2320	schtasks.exe
4852	schtasks.exe
3920	schtasks.exe
4404	schtasks.exe
1200	schtasks.exe
4312	schtasks.exe
4592	schtasks.exe
4724	schtasks.exe
1804	schtasks.exe
4636	schtasks.exe
4620	schtasks.exe
4104	schtasks.exe
2300	schtasks.exe
4624	schtasks.exe
5060	schtasks.exe
4880	schtasks.exe
4576	schtasks.exe
4560	schtasks.exe
4452	schtasks.exe
820	schtasks.exe
4604	schtasks.exe
4024	schtasks.exe
3088	schtasks.exe
4412	schtasks.exe
4544	schtasks.exe
4364	schtasks.exe
64	schtasks.exe
2464	schtasks.exe
3604	schtasks.exe
3716	schtasks.exe
4356	schtasks.exe
4524	schtasks.exe
4972	schtasks.exe
5048	schtasks.exe
2700	schtasks.exe
380	schtasks.exe
4936	schtasks.exe

Modifies registry class 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exeDllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exeDllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
4584	powershell.exe
4608	powershell.exe
4000	powershell.exe
4608	powershell.exe
604	powershell.exe
604	powershell.exe
4000	powershell.exe
4748	DllCommonsvc.exe
4584	powershell.exe
4608	powershell.exe
4000	powershell.exe
604	powershell.exe
4584	powershell.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
4748	DllCommonsvc.exe
2264	powershell.exe
2264	powershell.exe
4440	powershell.exe
4440	powershell.exe
2932	powershell.exe
2932	powershell.exe
1548	powershell.exe
1548	powershell.exe
1224	powershell.exe
1224	powershell.exe
2464	powershell.exe
2464	powershell.exe
1900	powershell.exe
1900	powershell.exe
1208	powershell.exe
1208	powershell.exe
364	powershell.exe
364	powershell.exe
4628	powershell.exe
4628	powershell.exe
1424	powershell.exe
1424	powershell.exe
2008	powershell.exe
2008	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
1324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exeDllCommonsvc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2628	DllCommonsvc.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4748	DllCommonsvc.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeIncreaseQuotaPrivilege	4000	powershell.exe
Token: SeSecurityPrivilege	4000	powershell.exe
Token: SeTakeOwnershipPrivilege	4000	powershell.exe
Token: SeLoadDriverPrivilege	4000	powershell.exe
Token: SeSystemProfilePrivilege	4000	powershell.exe
Token: SeSystemtimePrivilege	4000	powershell.exe
Token: SeProfSingleProcessPrivilege	4000	powershell.exe
Token: SeIncBasePriorityPrivilege	4000	powershell.exe
Token: SeCreatePagefilePrivilege	4000	powershell.exe
Token: SeBackupPrivilege	4000	powershell.exe
Token: SeRestorePrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeSystemEnvironmentPrivilege	4000	powershell.exe
Token: SeRemoteShutdownPrivilege	4000	powershell.exe
Token: SeUndockPrivilege	4000	powershell.exe
Token: SeManageVolumePrivilege	4000	powershell.exe
Token: 33	4000	powershell.exe
Token: 34	4000	powershell.exe
Token: 35	4000	powershell.exe
Token: 36	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4608	powershell.exe
Token: SeSecurityPrivilege	4608	powershell.exe
Token: SeTakeOwnershipPrivilege	4608	powershell.exe
Token: SeLoadDriverPrivilege	4608	powershell.exe
Token: SeSystemProfilePrivilege	4608	powershell.exe
Token: SeSystemtimePrivilege	4608	powershell.exe
Token: SeProfSingleProcessPrivilege	4608	powershell.exe
Token: SeIncBasePriorityPrivilege	4608	powershell.exe
Token: SeCreatePagefilePrivilege	4608	powershell.exe
Token: SeBackupPrivilege	4608	powershell.exe
Token: SeRestorePrivilege	4608	powershell.exe
Token: SeShutdownPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeSystemEnvironmentPrivilege	4608	powershell.exe
Token: SeRemoteShutdownPrivilege	4608	powershell.exe
Token: SeUndockPrivilege	4608	powershell.exe
Token: SeManageVolumePrivilege	4608	powershell.exe
Token: 33	4608	powershell.exe
Token: 34	4608	powershell.exe
Token: 35	4608	powershell.exe
Token: 36	4608	powershell.exe
Token: SeIncreaseQuotaPrivilege	604	powershell.exe
Token: SeSecurityPrivilege	604	powershell.exe
Token: SeTakeOwnershipPrivilege	604	powershell.exe
Token: SeLoadDriverPrivilege	604	powershell.exe
Token: SeSystemProfilePrivilege	604	powershell.exe
Token: SeSystemtimePrivilege	604	powershell.exe
Token: SeProfSingleProcessPrivilege	604	powershell.exe
Token: SeIncBasePriorityPrivilege	604	powershell.exe
Token: SeCreatePagefilePrivilege	604	powershell.exe
Token: SeBackupPrivilege	604	powershell.exe
Token: SeRestorePrivilege	604	powershell.exe
Token: SeShutdownPrivilege	604	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeSystemEnvironmentPrivilege	604	powershell.exe
Token: SeRemoteShutdownPrivilege	604	powershell.exe
Token: SeUndockPrivilege	604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exeWScript.execmd.exeDllCommonsvc.exeDllCommonsvc.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 4532 wrote to memory of 4872	4532	36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe	WScript.exe
PID 4532 wrote to memory of 4872	4532	36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe	WScript.exe
PID 4532 wrote to memory of 4872	4532	36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe	WScript.exe
PID 4872 wrote to memory of 4500	4872	WScript.exe	cmd.exe
PID 4872 wrote to memory of 4500	4872	WScript.exe	cmd.exe
PID 4872 wrote to memory of 4500	4872	WScript.exe	cmd.exe
PID 4500 wrote to memory of 2628	4500	cmd.exe	DllCommonsvc.exe
PID 4500 wrote to memory of 2628	4500	cmd.exe	DllCommonsvc.exe
PID 2628 wrote to memory of 4584	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 4584	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 4608	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 4608	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 4000	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 4000	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 604	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 604	2628	DllCommonsvc.exe	powershell.exe
PID 2628 wrote to memory of 4748	2628	DllCommonsvc.exe	DllCommonsvc.exe
PID 2628 wrote to memory of 4748	2628	DllCommonsvc.exe	DllCommonsvc.exe
PID 4748 wrote to memory of 2264	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2264	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1548	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1548	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1224	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1224	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1208	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1208	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2932	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2932	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 4440	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 4440	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1900	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1900	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2892	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2892	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 4628	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 4628	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 364	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 364	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 4548	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 4548	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2464	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2464	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1424	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1424	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2008	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 2008	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1312	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1312	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 3396	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 3396	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1324	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 1324	4748	DllCommonsvc.exe	powershell.exe
PID 4748 wrote to memory of 3900	4748	DllCommonsvc.exe	cmd.exe
PID 4748 wrote to memory of 3900	4748	DllCommonsvc.exe	cmd.exe
PID 3900 wrote to memory of 1712	3900	cmd.exe	w32tm.exe
PID 3900 wrote to memory of 1712	3900	cmd.exe	w32tm.exe
PID 3900 wrote to memory of 4320	3900	cmd.exe	powershell.exe
PID 3900 wrote to memory of 4320	3900	cmd.exe	powershell.exe
PID 4320 wrote to memory of 5124	4320	powershell.exe	cmd.exe
PID 4320 wrote to memory of 5124	4320	powershell.exe	cmd.exe
PID 5124 wrote to memory of 4304	5124	cmd.exe	w32tm.exe
PID 5124 wrote to memory of 4304	5124	cmd.exe	w32tm.exe
PID 5124 wrote to memory of 5400	5124	cmd.exe	powershell.exe
PID 5124 wrote to memory of 5400	5124	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe
"C:\Users\Admin\AppData\Local\Temp\36cfe5df0328e283710c2e51e903746c4734688eb6614b10ec213a05144d79e3.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dwm.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\fontdrvhost.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\wininit.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\lsass.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\powershell.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\System.exe'
6⤵
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\powershell.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\Idle.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Links\dllhost.exe'
6⤵
PID:1312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\ShellExperienceHost.exe'
6⤵
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9OBSyT8Ciq.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1712

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5124

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4304

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
PID:5400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
10⤵
PID:5524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:5584

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
11⤵
- Executes dropped EXE
- Modifies registry class
PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
12⤵
PID:5696

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:5468

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
13⤵
- Executes dropped EXE
- Modifies registry class
PID:5752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
14⤵
PID:3120

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:5964

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
15⤵
- Executes dropped EXE
- Modifies registry class
PID:6028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
16⤵
PID:4696

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:6088

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
17⤵
- Executes dropped EXE
- Modifies registry class
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
18⤵
PID:4532

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:2820

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
19⤵
- Executes dropped EXE
- Modifies registry class
PID:196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
20⤵
PID:2520

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:3396

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
21⤵
- Executes dropped EXE
- Modifies registry class
PID:1416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
22⤵
PID:5252

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:5072

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
23⤵
- Executes dropped EXE
PID:5784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
24⤵
PID:1976

C:\Windows\Performance\WinSAT\DataStore\powershell.exe
"C:\Windows\Performance\WinSAT\DataStore\powershell.exe"
25⤵
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\csrss.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\System\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\System\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OneDrive\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OneDrive\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
20d1a9780ac32a8b2b04f4ed08099289

SHA1
6f5c7c058604d493baf9716faa1942b3ca247296

SHA256
58964709d000fe467009ba30736aebb23f5e2a6d97b4d9d97ba6d8339c995591

SHA512
76437d962c82fd6898bb05aa1428c1613214ca0c5237051f4535583915e6f818b7073295d47333ce62ca597e50760b65ed9634d918c00ea985924dfe407958b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
20d1a9780ac32a8b2b04f4ed08099289

SHA1
6f5c7c058604d493baf9716faa1942b3ca247296

SHA256
58964709d000fe467009ba30736aebb23f5e2a6d97b4d9d97ba6d8339c995591

SHA512
76437d962c82fd6898bb05aa1428c1613214ca0c5237051f4535583915e6f818b7073295d47333ce62ca597e50760b65ed9634d918c00ea985924dfe407958b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
733fa4c3c893a9aacbff1a83460c015d

SHA1
8acced099d8a24a3f44ed2a812d732a8b8a96716

SHA256
db1d02bdba989b125b1cb8d019f2ebc5c2dd58943e26b7b25fd91300170cc264

SHA512
f089ccc89ad255879dfb1a2459e806fa7d389874317f75f03ba1770df38bbb75b5ab377bd946f8ad57eadc266902abb649cb9fe4466bc1f3c00198bbc4e7b094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9dfc4b50dd9050c285bed0e24d25515e

SHA1
32bde617630d0349123911aa33caf04f9b973d34

SHA256
ade39746da95a903426291327593601cdb4702f3260294d20e1a9b522adccc3d

SHA512
599b78f428e023405313887aff90d22e76cf4a907fabe04fea7278b2a1ffd38b585a21451175f1bfaded93b77dde6ea8420da9aeb9c5105235e6379d020f7343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
31b12f175d7a24d9efec096a61d6bd49

SHA1
a4805dfa1ba56a4485658f438ddc72b2f3054f48

SHA256
958040abd872b703927c97699c2f4896e6bec5169d530e7dc858d7ad52b687b4

SHA512
3647a9e1546f8234e23eefeae865d2f321a40cb2ca85a737646ef1169abe62ab5c56301699a9952fce4fe40a16a184822a572b3c6fbd781b875fb55bba79f920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
31b12f175d7a24d9efec096a61d6bd49

SHA1
a4805dfa1ba56a4485658f438ddc72b2f3054f48

SHA256
958040abd872b703927c97699c2f4896e6bec5169d530e7dc858d7ad52b687b4

SHA512
3647a9e1546f8234e23eefeae865d2f321a40cb2ca85a737646ef1169abe62ab5c56301699a9952fce4fe40a16a184822a572b3c6fbd781b875fb55bba79f920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ece7567b16f33ec89c91dd3d308023b4

SHA1
1cd2f7bbcbea4922c89ce75e5f66da6a3d2aa7f2

SHA256
920a76298d0bc1a2a86258a90fb0c27f31ba24fdb462628e64bc2e901e0a4b80

SHA512
a8e6af9a9bde87d6fdbd5ed06a7e3c3f259ed3b9bd8cf6e63e5d43707a04727fd5f19f9d3c8fdcc50534639c3cb50229d633cae852cbe22af5a35cd335255ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ece7567b16f33ec89c91dd3d308023b4

SHA1
1cd2f7bbcbea4922c89ce75e5f66da6a3d2aa7f2

SHA256
920a76298d0bc1a2a86258a90fb0c27f31ba24fdb462628e64bc2e901e0a4b80

SHA512
a8e6af9a9bde87d6fdbd5ed06a7e3c3f259ed3b9bd8cf6e63e5d43707a04727fd5f19f9d3c8fdcc50534639c3cb50229d633cae852cbe22af5a35cd335255ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5a69775e777e35d4b6e8e44c98dd1b83

SHA1
285e3b6bf1922835523ba461dc054f569d150399

SHA256
ab78363d78647631c958196d88411fe0f05f1c98aa2bdb5f88275d13cc22338a

SHA512
885865783e73db1f19e4d5e94c3cad9494395b18f2f68f2112ea5b488afbd2ee71881a5bab781fc081f571fa8f704e663c5058d6562f41ca2855d900c892d158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5a69775e777e35d4b6e8e44c98dd1b83

SHA1
285e3b6bf1922835523ba461dc054f569d150399

SHA256
ab78363d78647631c958196d88411fe0f05f1c98aa2bdb5f88275d13cc22338a

SHA512
885865783e73db1f19e4d5e94c3cad9494395b18f2f68f2112ea5b488afbd2ee71881a5bab781fc081f571fa8f704e663c5058d6562f41ca2855d900c892d158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4e843da8cd20a3584c331b4e7f726b68

SHA1
d98bdf9406a18e335c470eee20460b8434afabc4

SHA256
9528ff91d153b011d677dedb175d4e279fafe00f5f06891612ab9695a8d6709f

SHA512
87c2d11148f92c14093f0a18875c2453337931e1f283d2bf6df849f3f80bc9176680936d145090052b7025f9e205a7092d5c38fd975200b499ad6fcad9596cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
63569fb371c612b2e13f072632b7ddca

SHA1
53f1f1e385440b02705592b8764df3122d3de4ec

SHA256
3d5a7c3bf8820e9249c9fc563c694db76be7eec293ef435e51542e1492bf6b37

SHA512
55f79a45ad633d0e53df96aa075ff27016810a99293f432e266c3b1160001040ba66dce460a2c8f1e197363f952da86718c777f58e4f7ad9b07897b00f24272a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
63569fb371c612b2e13f072632b7ddca

SHA1
53f1f1e385440b02705592b8764df3122d3de4ec

SHA256
3d5a7c3bf8820e9249c9fc563c694db76be7eec293ef435e51542e1492bf6b37

SHA512
55f79a45ad633d0e53df96aa075ff27016810a99293f432e266c3b1160001040ba66dce460a2c8f1e197363f952da86718c777f58e4f7ad9b07897b00f24272a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
27cb87fbe9344f10018967ebd716727b

SHA1
9bb2752dd21ab4cd2bc86fc1ffa3feaa9dd45402

SHA256
904ac3c231ed7ec535c9412257c7fe9a0a797c7e22ca08b1d0720c197471da26

SHA512
71d6fb6840cc6be1344f70decfb64fbd4451ef2869d3f4007aa35e85f5f6f276888345bc8f37699f823d00d6b895e41a5f7c05937fe4f932dd66dff475c5ca82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d7796860696443ec6de59b84244d1e23

SHA1
baf3e7c297ae07e90baf732d7017ac87bad74c9c

SHA256
a0c5c8237f8f01beea070b7bef8106f4c530aceee064e07d247c1d96e9e6035b

SHA512
c711a08cc8932a055ef733abd7bd470d4ab1ad7e7a8fa8720110abe5661a219836d4db0ede501cae0af9ac7345e6fd26fb034ba558875f762fe24c7a6f89794a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
703a4ad48d9d88e7596da94e2d05f621

SHA1
428c1a6a9e74992e04a9bfc2554a5bd22af33f77

SHA256
5211dd56ff23161089570a30b760e1f646427395149c685349d0241929e3d694

SHA512
97ae404e40291c297e32b6dea8cc3f1448519df3d51899b0159e788505fb202cb459c1b0d6fae48e5d99cdc12858cd22461e2eb27ab981178f0bf5233f1a8618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7b43c98167aa8c99fa67c2c2afba3f69

SHA1
9be7a5effb710e0add88664889dbc1a7ae855b3d

SHA256
552178d6b2cd9a8de5419b80e10af540462a8d77edb4650722676fae4471752a

SHA512
60fb5c7e4f815235260258894d6416c237760e8b5dad4b4ad99becc35f95e023be13d1861e8a16fedddafa4145e22a9ae5623215bc44b88a7e5844112e9aff2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ea8eb4c93b171a1bd8f78c2f8d3c5f91

SHA1
c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

SHA256
c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

SHA512
842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c4400e33e1a14c31fad6fd0ec0ad3955

SHA1
b88f9eac58fc8269cd311ba925fb8a0a352c05b2

SHA256
9e63e95aa54d6a5cb3bc5e7575212e77170f5a3be6d83a76007b0f99ef6aee50

SHA512
b01214a85de8c946e3bf120182c94c8d2574a1c3b8755b0605830adf5714d3698bc8256e044278eabd2a46c5cd8a215b0ff7ad2ab5212a41426dbaf634858b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c4400e33e1a14c31fad6fd0ec0ad3955

SHA1
b88f9eac58fc8269cd311ba925fb8a0a352c05b2

SHA256
9e63e95aa54d6a5cb3bc5e7575212e77170f5a3be6d83a76007b0f99ef6aee50

SHA512
b01214a85de8c946e3bf120182c94c8d2574a1c3b8755b0605830adf5714d3698bc8256e044278eabd2a46c5cd8a215b0ff7ad2ab5212a41426dbaf634858b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat
Filesize
219B

MD5
4e19bef3b3b2b8dcacae4a96b27a9c2c

SHA1
3d51f4e42fbb1a180cf9a6c569fbe59cbf5fc43d

SHA256
100818c6ca331135015551de7bf4543e106587848610316125d8236bc802c98d

SHA512
a63815ef69fe8c7211e2f21d9136ebb160e4ab6750a7223e69f4cc5214e20d995c6fff592392fa33c70d5ee30708f76f05114bc174fa4f4cca21ef605b60bfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat
Filesize
219B

MD5
279b0ecbefa531c829daa195105c1f50

SHA1
a5fa57cb0d0ed0a339492db0a8c665f2d477c5e3

SHA256
441da77ebbaf94a01fe5835ad7aef84b063b71dad7ee6d99aae4848aad031577

SHA512
3e79dcdb315dd5e5d7cf5de8ecd491a7de1f0bae93fbce3fd0a44ae62af5a0d7445047a2bf6a18f43a2dd7f764a6784072915915dc70aea8a8c45ff77cf76c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\9OBSyT8Ciq.bat
Filesize
219B

MD5
07fe7806820c888af288dd1181d78c8a

SHA1
a87285558e8b57b5bcdadf145587bcd3431c5870

SHA256
a3124c4a68c6bcfdf45e407d852b929aa494c196c281cc3da463a650ef7a2da0

SHA512
fa89836b6d2e64d534f4e1772ead968bba57b17a84ebfe8108385cd8568a329dfa5c215cf2462cf6e84e48216dede3127512189879582b7e2d79a69bf3ddaa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat
Filesize
219B

MD5
0fd8841ab53d37e5e19f2e094d12e321

SHA1
97444f530e3f8462952f3855e25933853b022e0f

SHA256
3a88dff8f9aab8a4e07703fa4bc9c1d329cedf839e88840662f96cc72d093205

SHA512
0d0097f9bde7781530f7c199e5a633dba269cecbe3b2306ea2b892a3efe8ade9087c6f6ad177b6cb8482f6cda8bac35c2c8be00df3fff7aa1a874af700aa277c

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat
Filesize
219B

MD5
e7ee2b6d7224f1f6b0da59ffaff80fee

SHA1
fbc269688bf3b0cf88566001ac9f4146e9610f68

SHA256
da7fb2976c7657f79c0a858392395dc51a98e3f2cedfb9fea6a4bfac330f8912

SHA512
4bb59b4c213cb621fe290ab71c493b3a5c86b41927a11433de052eca082dbc423d957b05b30d7ed0ba91d0339e681fbe5c7beca05ea1d24c8285b447761b901d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat
Filesize
219B

MD5
57e191396112a246d1305c5fb902be7b

SHA1
2a7831adab9605d9e1858d4bac736424b8045871

SHA256
9b8bb08d0c4908d5cd519ee7f35b3172d6941f9d38468e4499888c36f0e5e293

SHA512
852bc7d655f46c94ffa78b231e37ca85c1d3cf08ef6696a749379050a79f15621eddcca9697e5dc471b9be5862a7599b4273205626d94f8b743076d591fb345c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat
Filesize
219B

MD5
cf00252108902285bf7ed296c2e46714

SHA1
afeb92d3501b79d30506bfdd5a4d2e9b5adbf503

SHA256
d9a7f2d30a52debef20d0b198896fbb0d3af718626bda3180713841fd7a13f84

SHA512
7dc4ff54e6fe3284fb6ec70368366bf6f9e2e7c2b9f6b8b309c6df4d154fe424d4dbee817bdb7d435dc452ea20dfd8e04b6f66de9d273dbec52014946c2ec3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat
Filesize
219B

MD5
6244180198bd7e4059dc96548350b215

SHA1
db0a7b524ca6fa0170f62a8903fce1f3265921dc

SHA256
81551563acfbacf56da89a62fed6ad6293054138d1a5d16bc1823be3fb6a4aba

SHA512
c48aaa1d32914b2e4f7f41c09d690359409f8cdd12363017cb7c4250c6ba4ded1faea8c404f453d0f0cd12f0e8f012584a49fb5d5eb1cf7f0a133c089b1a5f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat
Filesize
219B

MD5
cfbc944959f474b8f050cec19dda659d

SHA1
770abbfd993dc8e98bb8aace721e61974dddf08e

SHA256
5958cb470a7de4230a0483fddd6d9307cdcc5aed3a849fc94fb7d76653a55e52

SHA512
e9608baab48e48c1ec5b8807775520b6231f30813c2ff0d152a19231d0cf0e525730970e6ee6fbcdfb1760dbbe76dab9374bb8d63cbb5d6ad47a9e20d620405b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat
Filesize
219B

MD5
a50cf1191432c9e29a2a5a6f90933444

SHA1
20b1b944a07fd8a552e9246d362ea41600778b8d

SHA256
67bca0b40ac50230c7b395b4318c63e5a52bfb5f99fd4e43a8e125c27d530139

SHA512
bf8ac41aa577c486e78d3f54343c8d0b4f62a813fd2ca1a82938477e5705b8200efe06e42dff9aef1eb5fc7e373947ec721f9e450b993a49373554e040f9b24c

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Performance\WinSAT\DataStore\powershell.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/196-1070-0x00000000011B0000-0x00000000011C2000-memory.dmp

Filesize
72KB

Download
memory/196-1068-0x0000000000000000-mapping.dmp

Download
memory/364-448-0x0000000000000000-mapping.dmp

Download
memory/604-294-0x0000000000000000-mapping.dmp

Download
memory/1208-440-0x0000000000000000-mapping.dmp

Download
memory/1224-439-0x0000000000000000-mapping.dmp

Download
memory/1312-468-0x0000000000000000-mapping.dmp

Download
memory/1324-475-0x0000000000000000-mapping.dmp

Download
memory/1416-1074-0x0000000000000000-mapping.dmp

Download
memory/1416-1076-0x0000000002D50000-0x0000000002D62000-memory.dmp

Filesize
72KB

Download
memory/1424-457-0x0000000000000000-mapping.dmp

Download
memory/1548-438-0x0000000000000000-mapping.dmp

Download
memory/1712-569-0x0000000000000000-mapping.dmp

Download
memory/1712-1064-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/1712-1062-0x0000000000000000-mapping.dmp

Download
memory/1900-443-0x0000000000000000-mapping.dmp

Download
memory/1976-1082-0x0000000000000000-mapping.dmp

Download
memory/2008-462-0x0000000000000000-mapping.dmp

Download
memory/2264-437-0x0000000000000000-mapping.dmp

Download
memory/2464-455-0x0000000000000000-mapping.dmp

Download
memory/2520-1071-0x0000000000000000-mapping.dmp

Download
memory/2628-289-0x00000000017D0000-0x00000000017DC000-memory.dmp

Filesize
48KB

Download
memory/2628-286-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2628-287-0x00000000017B0000-0x00000000017C2000-memory.dmp

Filesize
72KB

Download
memory/2628-288-0x00000000031E0000-0x00000000031EC000-memory.dmp

Filesize
48KB

Download
memory/2628-290-0x00000000017E0000-0x00000000017EC000-memory.dmp

Filesize
48KB

Download
memory/2628-283-0x0000000000000000-mapping.dmp

Download
memory/2820-1067-0x0000000000000000-mapping.dmp

Download
memory/2892-444-0x0000000000000000-mapping.dmp

Download
memory/2932-441-0x0000000000000000-mapping.dmp

Download
memory/3120-1054-0x0000000000000000-mapping.dmp

Download
memory/3396-471-0x0000000000000000-mapping.dmp

Download
memory/3396-1073-0x0000000000000000-mapping.dmp

Download
memory/3836-1085-0x0000000000000000-mapping.dmp

Download
memory/3836-1087-0x0000000001120000-0x0000000001132000-memory.dmp

Filesize
72KB

Download
memory/3900-510-0x0000000000000000-mapping.dmp

Download
memory/4000-293-0x0000000000000000-mapping.dmp

Download
memory/4304-1008-0x0000000000000000-mapping.dmp

Download
memory/4320-925-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/4320-804-0x0000000000000000-mapping.dmp

Download
memory/4440-442-0x0000000000000000-mapping.dmp

Download
memory/4500-260-0x0000000000000000-mapping.dmp

Download
memory/4532-167-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-1065-0x0000000000000000-mapping.dmp

Download
memory/4532-121-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-122-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-123-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-125-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-126-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-128-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-130-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-129-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-183-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-182-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-181-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-180-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-179-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-178-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-131-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-133-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-177-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-176-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-175-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-170-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-171-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-174-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-172-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-132-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-173-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-169-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-168-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-120-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-166-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-165-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-164-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-161-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-163-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-162-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-160-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-159-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-158-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-157-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-156-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-155-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-154-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-153-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-135-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-152-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-134-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-151-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-136-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-137-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-150-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-138-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-148-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-139-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-140-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-149-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-147-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-146-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-141-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-142-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-145-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-143-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-144-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4548-450-0x0000000000000000-mapping.dmp

Download
memory/4584-314-0x00000205B4740000-0x00000205B4762000-memory.dmp

Filesize
136KB

Download
memory/4584-291-0x0000000000000000-mapping.dmp

Download
memory/4608-292-0x0000000000000000-mapping.dmp

Download
memory/4608-321-0x000002486FB10000-0x000002486FB86000-memory.dmp

Filesize
472KB

Download
memory/4628-445-0x0000000000000000-mapping.dmp

Download
memory/4696-1059-0x0000000000000000-mapping.dmp

Download
memory/4748-295-0x0000000000000000-mapping.dmp

Download
memory/4748-315-0x0000000002300000-0x0000000002312000-memory.dmp

Filesize
72KB

Download
memory/4872-185-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4872-186-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4872-184-0x0000000000000000-mapping.dmp

Download
memory/5072-1079-0x0000000000000000-mapping.dmp

Download
memory/5124-1006-0x0000000000000000-mapping.dmp

Download
memory/5252-1077-0x0000000000000000-mapping.dmp

Download
memory/5400-1042-0x0000000000000000-mapping.dmp

Download
memory/5468-1051-0x0000000000000000-mapping.dmp

Download
memory/5524-1044-0x0000000000000000-mapping.dmp

Download
memory/5584-1046-0x0000000000000000-mapping.dmp

Download
memory/5600-1047-0x0000000000000000-mapping.dmp

Download
memory/5668-1084-0x0000000000000000-mapping.dmp

Download
memory/5696-1049-0x0000000000000000-mapping.dmp

Download
memory/5752-1052-0x0000000000000000-mapping.dmp

Download
memory/5784-1080-0x0000000000000000-mapping.dmp

Download
memory/5964-1056-0x0000000000000000-mapping.dmp

Download
memory/6028-1057-0x0000000000000000-mapping.dmp

Download
memory/6088-1061-0x0000000000000000-mapping.dmp

Download