dcrat | 9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe
Size

1.3MB
MD5

506e452b273e48457049804e61dbb54d
SHA1

b54a4bc1bb52de4fd066357a44e407e28262949a
SHA256

9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34
SHA512

1699be031c6cba35c5e3c3a61fdc1d5f3b5c433b88d994c7925a6ae5d15d85c639a1e33b9e615ed6893dcd8269733ce2a550d13d331c022170e5852c1187ec48
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2404	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/2100-139-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeDllCommonsvc.exedllhost.exedllhost.exedllhost.exe9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 10 IoCs

Processes:

DllCommonsvc.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
2100	DllCommonsvc.exe
3436	dllhost.exe
1716	dllhost.exe
4128	dllhost.exe
3792	dllhost.exe
4876	dllhost.exe
4072	dllhost.exe
4092	dllhost.exe
3860	dllhost.exe
1772	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 13 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Common Files\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Common Files\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Help\mui\0411\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Help\mui\0410\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\0410\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\ServiceState\EventLog\Data\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\debug\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\debug\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Help\mui\0411\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4916	schtasks.exe
3372	schtasks.exe
4960	schtasks.exe
2288	schtasks.exe
1784	schtasks.exe
228	schtasks.exe
1268	schtasks.exe
4156	schtasks.exe
5080	schtasks.exe
4296	schtasks.exe
2668	schtasks.exe
4944	schtasks.exe
4700	schtasks.exe
4312	schtasks.exe
3676	schtasks.exe
4368	schtasks.exe
1716	schtasks.exe
3576	schtasks.exe
3716	schtasks.exe
1728	schtasks.exe
2120	schtasks.exe
1032	schtasks.exe
1508	schtasks.exe
1412	schtasks.exe
3712	schtasks.exe
4940	schtasks.exe
4120	schtasks.exe
1940	schtasks.exe
1564	schtasks.exe
1520	schtasks.exe
1536	schtasks.exe
3964	schtasks.exe
5052	schtasks.exe
3092	schtasks.exe
1604	schtasks.exe
208	schtasks.exe
3704	schtasks.exe
4384	schtasks.exe
4612	schtasks.exe

Modifies registry class 10 IoCs

Processes:

DllCommonsvc.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exedllhost.exedllhost.exedllhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
2100	DllCommonsvc.exe
3444	powershell.exe
4504	powershell.exe
4504	powershell.exe
1172	powershell.exe
1172	powershell.exe
2084	powershell.exe
2084	powershell.exe
2008	powershell.exe
2008	powershell.exe
2452	powershell.exe
2452	powershell.exe
3632	powershell.exe
3632	powershell.exe
384	powershell.exe
384	powershell.exe
4648	powershell.exe
4648	powershell.exe
2552	powershell.exe
2552	powershell.exe
1116	powershell.exe
2088	powershell.exe
2088	powershell.exe
2760	powershell.exe
2760	powershell.exe
1116	powershell.exe
3652	powershell.exe
3652	powershell.exe
4504	powershell.exe
4504	powershell.exe
1172	powershell.exe
1172	powershell.exe
3444	powershell.exe
3444	powershell.exe
2084	powershell.exe
2084	powershell.exe
2008	powershell.exe
2008	powershell.exe
2452	powershell.exe
3632	powershell.exe
384	powershell.exe
4648	powershell.exe
2088	powershell.exe
3652	powershell.exe
2552	powershell.exe
1116	powershell.exe
2760	powershell.exe
3436	dllhost.exe
1716	dllhost.exe
4128	dllhost.exe
3792	dllhost.exe
4876	dllhost.exe
4072	dllhost.exe
4092	dllhost.exe
3860	dllhost.exe
1772	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2100	DllCommonsvc.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3436	dllhost.exe
Token: SeDebugPrivilege	1716	dllhost.exe
Token: SeDebugPrivilege	4128	dllhost.exe
Token: SeDebugPrivilege	3792	dllhost.exe
Token: SeDebugPrivilege	4876	dllhost.exe
Token: SeDebugPrivilege	4072	dllhost.exe
Token: SeDebugPrivilege	4092	dllhost.exe
Token: SeDebugPrivilege	3860	dllhost.exe
Token: SeDebugPrivilege	1772	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exeWScript.execmd.exeDllCommonsvc.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exedllhost.execmd.exe

description	pid	process	target process
PID 4876 wrote to memory of 1988	4876	9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe	WScript.exe
PID 4876 wrote to memory of 1988	4876	9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe	WScript.exe
PID 4876 wrote to memory of 1988	4876	9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe	WScript.exe
PID 1988 wrote to memory of 2564	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 2564	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 2564	1988	WScript.exe	cmd.exe
PID 2564 wrote to memory of 2100	2564	cmd.exe	DllCommonsvc.exe
PID 2564 wrote to memory of 2100	2564	cmd.exe	DllCommonsvc.exe
PID 2100 wrote to memory of 2452	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2452	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 3444	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 3444	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 4504	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 4504	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 1172	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 1172	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2084	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2084	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2008	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2008	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 3632	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 3632	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 384	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 384	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 4648	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 4648	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2552	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2552	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2760	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2760	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 1116	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 1116	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2088	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 2088	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 3652	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 3652	2100	DllCommonsvc.exe	powershell.exe
PID 2100 wrote to memory of 5088	2100	DllCommonsvc.exe	cmd.exe
PID 2100 wrote to memory of 5088	2100	DllCommonsvc.exe	cmd.exe
PID 5088 wrote to memory of 1572	5088	cmd.exe	w32tm.exe
PID 5088 wrote to memory of 1572	5088	cmd.exe	w32tm.exe
PID 5088 wrote to memory of 3436	5088	cmd.exe	dllhost.exe
PID 5088 wrote to memory of 3436	5088	cmd.exe	dllhost.exe
PID 3436 wrote to memory of 3528	3436	dllhost.exe	cmd.exe
PID 3436 wrote to memory of 3528	3436	dllhost.exe	cmd.exe
PID 3528 wrote to memory of 396	3528	cmd.exe	w32tm.exe
PID 3528 wrote to memory of 396	3528	cmd.exe	w32tm.exe
PID 3528 wrote to memory of 1716	3528	cmd.exe	dllhost.exe
PID 3528 wrote to memory of 1716	3528	cmd.exe	dllhost.exe
PID 1716 wrote to memory of 1172	1716	dllhost.exe	cmd.exe
PID 1716 wrote to memory of 1172	1716	dllhost.exe	cmd.exe
PID 1172 wrote to memory of 800	1172	cmd.exe	w32tm.exe
PID 1172 wrote to memory of 800	1172	cmd.exe	w32tm.exe
PID 1172 wrote to memory of 4128	1172	cmd.exe	dllhost.exe
PID 1172 wrote to memory of 4128	1172	cmd.exe	dllhost.exe
PID 4128 wrote to memory of 1812	4128	dllhost.exe	cmd.exe
PID 4128 wrote to memory of 1812	4128	dllhost.exe	cmd.exe
PID 1812 wrote to memory of 1636	1812	cmd.exe	w32tm.exe
PID 1812 wrote to memory of 1636	1812	cmd.exe	w32tm.exe
PID 1812 wrote to memory of 3792	1812	cmd.exe	dllhost.exe
PID 1812 wrote to memory of 3792	1812	cmd.exe	dllhost.exe
PID 3792 wrote to memory of 4224	3792	dllhost.exe	cmd.exe
PID 3792 wrote to memory of 4224	3792	dllhost.exe	cmd.exe
PID 4224 wrote to memory of 1048	4224	cmd.exe	w32tm.exe
PID 4224 wrote to memory of 1048	4224	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe
"C:\Users\Admin\AppData\Local\Temp\9184cb951112cb813ca258c224f77a4154072766f7cb36dc83a542c874014f34.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0411\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0410\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\fr-FR\Registry.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ulGmdYJNRV.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1572

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:396

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:800

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1636

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1048

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
15⤵
PID:2024

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:424

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
17⤵
PID:2912

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:332

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
19⤵
PID:2468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4052

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
21⤵
PID:1716

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:4912

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\mui\0411\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\mui\0411\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\mui\0411\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\mui\0410\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Help\mui\0410\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0410\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Temp\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
198B

MD5
2d72ce53961e81c82e02aa37186e2e4d

SHA1
4c813da5daed8218dfe453c760a71f786b73cf61

SHA256
96f8cb495acdde9be62b8eeb8f4a94e3ff6c04732f8a2f7c1a5fcb9339d806c7

SHA512
b0e1cb1a017749b9c6ca404e2f1b69137e7194f94a125e90e324dcfb366f65f322e714c14c0997d875f23ef9cda0268bdc2d4956002a019757fb51ad218563b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
198B

MD5
e3b2eb9539ea7b9ace7c8fc8718d3080

SHA1
5808724b4f090a5873764ef945b604c38804f8c3

SHA256
b5e5dc7f05e14ee7ec594ba8c77b0604c487ec14cd65cfbae6f704f57cf9fcbe

SHA512
512431c71ab9bfe7c105d57e6d1eddbdc7f94654ec1ae0cce6f6d020db87f570bf31798788378c8f541f846e3a1ac53f8bf54d540154f135a427d4816bb055b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
198B

MD5
6a669c0741a178d44deb8c5d83b342a1

SHA1
f68289330ae7ada0a213ea29dfb3152b597e477b

SHA256
8d76e5de757622b47f6f811a26b04a08372c8fe48f9cdcf10a0573c5affab027

SHA512
2db3c117d88ee3b8094e76b5658f03cca8b757c93adadd3775f03ac89295a1afb733b30a7dee45754a2f811154ec804d0326921ac53e3bc5bed2ae5e8401c1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
198B

MD5
1960e262988578cf1720b3c59310397a

SHA1
851cfb84b77a5a87018319c6814e946fed13164d

SHA256
727a3b759f17b3eb07941aa4f5ebda34c7e766727a10c34f4c71b74ee9251569

SHA512
09136030231412f51e7ee71bbaff72a6a42c167e09c3d909643a1e632e053047435daff652f3c5fd14a497c672af91c6ef38a55dad2688c3aa89ea8c851c8af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
198B

MD5
a14a72123c8091eb465815a3d5b8e228

SHA1
cbc1d44663c751c643b71b4ce1a2125df703b77d

SHA256
1f7f4ddfed78b7d76afedd18445f3441a97d530f577ec0e12c84e48e52481d04

SHA512
c9236820c1ebbe2e7611f6f367776a81da8c6ef4d9b88af553303c8c8dd91e5f21d9c6ee24da7870a41c98674b2fc98694a6b83068c8303b74e02437cc1662eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
198B

MD5
43f0b1514415d23657aa1847fb37abe4

SHA1
40fee1b5b315fae84e465e02036a15ec65ac2665

SHA256
401af0594e0b9689ca0c1ed592ff53530029889af6d8598ef1c1605828907b8f

SHA512
c2d9add08aed175403a3c071fea3e979cbd2ab028bfd394ec9cd781200cb2bf0307c7ddad2954cc9f43c867d55dc543b519f514e8becbdb65b35a2ad7b4027d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

Filesize
198B

MD5
7ab05624e578392b2d2b8a41eff5a270

SHA1
679a8a096392d7112da6d5864200bbd729574b4b

SHA256
b43797acd899f2a4fbb1f5ddaed8743c10d1855353b874967cc3e66c6878d238

SHA512
c7887e3a5d921bd5229c9e315cc0958767df9af09e44605ff13fa111118828c517bfc38b6dd75263d87db22e9056109668834d79046661afa806851ecadddd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulGmdYJNRV.bat

Filesize
198B

MD5
efae2c00c399f4ba1bd788c988624a6e

SHA1
7867e3307a0a4a8a8d43ca3d78dd21f107b1a9b9

SHA256
0ec85b66a95acf53b7bab1ea0e4c8781f8dce1ed5045a60cca5bce74e8d3891a

SHA512
b41f7e37962e8ed6ca18ed85be90ff30925cb40335aea08158cfa29ef044745b46cdfcb76d640a5626602a1ff206a2547f4447addb244d46b50cde35768afb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
198B

MD5
e47daea18174812e2402c81228970525

SHA1
122716a9aeee487697b596998b1e9192bdd74601

SHA256
d9fd8dbe023e0e43ea02de566bdf021b440961783b397c85788b5091253d99ac

SHA512
4290e010410903a45587f15cc33fccdfb5811ae9629f5a99807c8088b4a485def2ee1e393c527ce383b990b3da99061674006ec45877fb99b3d3881dde8c936f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/332-244-0x0000000000000000-mapping.dmp

Download
memory/384-162-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/384-148-0x0000000000000000-mapping.dmp

Download
memory/384-191-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/396-209-0x0000000000000000-mapping.dmp

Download
memory/424-237-0x0000000000000000-mapping.dmp

Download
memory/800-216-0x0000000000000000-mapping.dmp

Download
memory/1048-231-0x0000000000000000-mapping.dmp

Download
memory/1116-173-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1116-152-0x0000000000000000-mapping.dmp

Download
memory/1116-194-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1172-214-0x0000000000000000-mapping.dmp

Download
memory/1172-157-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1172-182-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1172-144-0x0000000000000000-mapping.dmp

Download
memory/1572-169-0x0000000000000000-mapping.dmp

Download
memory/1636-223-0x0000000000000000-mapping.dmp

Download
memory/1716-217-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1716-213-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1716-256-0x0000000000000000-mapping.dmp

Download
memory/1716-210-0x0000000000000000-mapping.dmp

Download
memory/1772-263-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1772-262-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/1772-260-0x0000000000000000-mapping.dmp

Download
memory/1812-221-0x0000000000000000-mapping.dmp

Download
memory/1988-132-0x0000000000000000-mapping.dmp

Download
memory/2008-174-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2008-161-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2008-146-0x0000000000000000-mapping.dmp

Download
memory/2024-235-0x0000000000000000-mapping.dmp

Download
memory/2084-145-0x0000000000000000-mapping.dmp

Download
memory/2084-180-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2084-159-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2088-154-0x0000000000000000-mapping.dmp

Download
memory/2088-193-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2088-165-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2100-163-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2100-136-0x0000000000000000-mapping.dmp

Download
memory/2100-140-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2100-139-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2452-171-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2452-185-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2452-141-0x0000000000000000-mapping.dmp

Download
memory/2468-249-0x0000000000000000-mapping.dmp

Download
memory/2552-164-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2552-150-0x0000000000000000-mapping.dmp

Download
memory/2552-198-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2564-135-0x0000000000000000-mapping.dmp

Download
memory/2760-151-0x0000000000000000-mapping.dmp

Download
memory/2760-201-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2760-167-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2912-242-0x0000000000000000-mapping.dmp

Download
memory/3436-202-0x0000000000000000-mapping.dmp

Download
memory/3436-205-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3436-207-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3444-181-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3444-153-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3444-142-0x0000000000000000-mapping.dmp

Download
memory/3444-158-0x000001E3139F0000-0x000001E313A12000-memory.dmp

Filesize
136KB

Download
memory/3528-206-0x0000000000000000-mapping.dmp

Download
memory/3632-147-0x0000000000000000-mapping.dmp

Download
memory/3632-188-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3632-170-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3652-168-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3652-199-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3652-155-0x0000000000000000-mapping.dmp

Download
memory/3792-225-0x0000000000000000-mapping.dmp

Download
memory/3792-229-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3792-227-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3860-259-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3860-255-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3860-253-0x0000000000000000-mapping.dmp

Download
memory/4052-251-0x0000000000000000-mapping.dmp

Download
memory/4072-239-0x0000000000000000-mapping.dmp

Download
memory/4072-241-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4072-245-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4092-246-0x0000000000000000-mapping.dmp

Download
memory/4092-252-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4092-248-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4128-218-0x0000000000000000-mapping.dmp

Download
memory/4128-224-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4128-220-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4224-228-0x0000000000000000-mapping.dmp

Download
memory/4504-143-0x0000000000000000-mapping.dmp

Download
memory/4504-156-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4504-184-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4648-197-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4648-172-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4648-149-0x0000000000000000-mapping.dmp

Download
memory/4876-238-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4876-232-0x0000000000000000-mapping.dmp

Download
memory/4876-234-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4912-258-0x0000000000000000-mapping.dmp

Download
memory/5088-160-0x0000000000000000-mapping.dmp

Download