dcrat | 077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe
Size

1.3MB
MD5

3f68a4e49cbdae48082f6733411dee78
SHA1

be3308ec4cdf8d6d1e968380c1ac30e8f8a8c5fc
SHA256

077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779
SHA512

5cb1d16f3f1f4a405ff02ae1d74655736761517a7981d902be69b1b31fa1b69f290548848059b6962ec8001e17293380b9b69bdad9138e25a05215d2d1feac7c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	5112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	5112	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4668-286-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat
C:\Windows\AppPatch\smss.exe	dcrat

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
4668	DllCommonsvc.exe
5860	smss.exe
5484	smss.exe
3284	smss.exe
6092	smss.exe
3928	smss.exe
4888	smss.exe
1840	smss.exe
4472	smss.exe
1728	smss.exe
5240	smss.exe
5292	smss.exe
4144	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Macromed\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\Macromed\f8c8f1285d826b	DllCommonsvc.exe

Drops file in Program Files directory 9 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\AppPatch\smss.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1600	schtasks.exe
2500	schtasks.exe
4592	schtasks.exe
4656	schtasks.exe
4396	schtasks.exe
1504	schtasks.exe
3312	schtasks.exe
4120	schtasks.exe
4676	schtasks.exe
4804	schtasks.exe
4144	schtasks.exe
432	schtasks.exe
920	schtasks.exe
2084	schtasks.exe
4388	schtasks.exe
2264	schtasks.exe
2840	schtasks.exe
4716	schtasks.exe
1456	schtasks.exe
4440	schtasks.exe
3712	schtasks.exe
2208	schtasks.exe
1740	schtasks.exe
3288	schtasks.exe
4456	schtasks.exe
660	schtasks.exe
1684	schtasks.exe
404	schtasks.exe
3280	schtasks.exe
4488	schtasks.exe
1672	schtasks.exe
4828	schtasks.exe
2304	schtasks.exe
2248	schtasks.exe
3796	schtasks.exe
3928	schtasks.exe
196	schtasks.exe
652	schtasks.exe
392	schtasks.exe
4464	schtasks.exe
1176	schtasks.exe
2608	schtasks.exe
4836	schtasks.exe
1964	schtasks.exe
1968	schtasks.exe
604	schtasks.exe
1164	schtasks.exe
2116	schtasks.exe
2496	schtasks.exe
4688	schtasks.exe
3836	schtasks.exe
4764	schtasks.exe
4824	schtasks.exe
4776	schtasks.exe

Modifies registry class 14 IoCs

Processes:

DllCommonsvc.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exesmss.exesmss.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
4668	DllCommonsvc.exe
2620	powershell.exe
2620	powershell.exe
2624	powershell.exe
2624	powershell.exe
2484	powershell.exe
2484	powershell.exe
3052	powershell.exe
384	powershell.exe
3052	powershell.exe
384	powershell.exe
3508	powershell.exe
3508	powershell.exe
4940	powershell.exe
4940	powershell.exe
4336	powershell.exe
4336	powershell.exe
4884	powershell.exe
4884	powershell.exe
3568	powershell.exe
3568	powershell.exe
952	powershell.exe
952	powershell.exe
1308	powershell.exe
1308	powershell.exe
4276	powershell.exe
4276	powershell.exe
3584	powershell.exe
3584	powershell.exe
2212	powershell.exe
2212	powershell.exe
1796	powershell.exe
1796	powershell.exe
5048	powershell.exe
5048	powershell.exe
4652	powershell.exe
4652	powershell.exe
2620	powershell.exe
2620	powershell.exe
5048	powershell.exe
2624	powershell.exe
2624	powershell.exe
1796	powershell.exe
2484	powershell.exe
2484	powershell.exe
4884	powershell.exe
384	powershell.exe
384	powershell.exe
3052	powershell.exe
3052	powershell.exe
3508	powershell.exe
3508	powershell.exe
4940	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4668	DllCommonsvc.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	5048	powershell.exe
Token: SeSecurityPrivilege	5048	powershell.exe
Token: SeTakeOwnershipPrivilege	5048	powershell.exe
Token: SeLoadDriverPrivilege	5048	powershell.exe
Token: SeSystemProfilePrivilege	5048	powershell.exe
Token: SeSystemtimePrivilege	5048	powershell.exe
Token: SeProfSingleProcessPrivilege	5048	powershell.exe
Token: SeIncBasePriorityPrivilege	5048	powershell.exe
Token: SeCreatePagefilePrivilege	5048	powershell.exe
Token: SeBackupPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	5048	powershell.exe
Token: SeShutdownPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeSystemEnvironmentPrivilege	5048	powershell.exe
Token: SeRemoteShutdownPrivilege	5048	powershell.exe
Token: SeUndockPrivilege	5048	powershell.exe
Token: SeManageVolumePrivilege	5048	powershell.exe
Token: 33	5048	powershell.exe
Token: 34	5048	powershell.exe
Token: 35	5048	powershell.exe
Token: 36	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	2620	powershell.exe
Token: SeSecurityPrivilege	2620	powershell.exe
Token: SeTakeOwnershipPrivilege	2620	powershell.exe
Token: SeLoadDriverPrivilege	2620	powershell.exe
Token: SeSystemProfilePrivilege	2620	powershell.exe
Token: SeSystemtimePrivilege	2620	powershell.exe
Token: SeProfSingleProcessPrivilege	2620	powershell.exe
Token: SeIncBasePriorityPrivilege	2620	powershell.exe
Token: SeCreatePagefilePrivilege	2620	powershell.exe
Token: SeBackupPrivilege	2620	powershell.exe
Token: SeRestorePrivilege	2620	powershell.exe
Token: SeShutdownPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeSystemEnvironmentPrivilege	2620	powershell.exe
Token: SeRemoteShutdownPrivilege	2620	powershell.exe
Token: SeUndockPrivilege	2620	powershell.exe
Token: SeManageVolumePrivilege	2620	powershell.exe
Token: 33	2620	powershell.exe
Token: 34	2620	powershell.exe
Token: 35	2620	powershell.exe
Token: 36	2620	powershell.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exeWScript.execmd.exeDllCommonsvc.execmd.exesmss.execmd.exesmss.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 2188	2696	077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe	WScript.exe
PID 2696 wrote to memory of 2188	2696	077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe	WScript.exe
PID 2696 wrote to memory of 2188	2696	077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe	WScript.exe
PID 2188 wrote to memory of 2420	2188	WScript.exe	cmd.exe
PID 2188 wrote to memory of 2420	2188	WScript.exe	cmd.exe
PID 2188 wrote to memory of 2420	2188	WScript.exe	cmd.exe
PID 2420 wrote to memory of 4668	2420	cmd.exe	DllCommonsvc.exe
PID 2420 wrote to memory of 4668	2420	cmd.exe	DllCommonsvc.exe
PID 4668 wrote to memory of 2624	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2624	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2620	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2620	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2484	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2484	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2288	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2288	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3052	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3052	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 384	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 384	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3508	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3508	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4884	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4884	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4940	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4940	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4336	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4336	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3568	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3568	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 952	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 952	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 1308	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 1308	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4276	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4276	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3584	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 3584	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2212	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 2212	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 1796	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 1796	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 5048	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 5048	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4652	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 4652	4668	DllCommonsvc.exe	powershell.exe
PID 4668 wrote to memory of 1048	4668	DllCommonsvc.exe	cmd.exe
PID 4668 wrote to memory of 1048	4668	DllCommonsvc.exe	cmd.exe
PID 1048 wrote to memory of 4120	1048	cmd.exe	w32tm.exe
PID 1048 wrote to memory of 4120	1048	cmd.exe	w32tm.exe
PID 1048 wrote to memory of 5860	1048	cmd.exe	smss.exe
PID 1048 wrote to memory of 5860	1048	cmd.exe	smss.exe
PID 5860 wrote to memory of 5444	5860	smss.exe	cmd.exe
PID 5860 wrote to memory of 5444	5860	smss.exe	cmd.exe
PID 5444 wrote to memory of 5552	5444	cmd.exe	w32tm.exe
PID 5444 wrote to memory of 5552	5444	cmd.exe	w32tm.exe
PID 5444 wrote to memory of 5484	5444	cmd.exe	smss.exe
PID 5444 wrote to memory of 5484	5444	cmd.exe	smss.exe
PID 5484 wrote to memory of 5656	5484	smss.exe	cmd.exe
PID 5484 wrote to memory of 5656	5484	smss.exe	cmd.exe
PID 5656 wrote to memory of 224	5656	cmd.exe	w32tm.exe
PID 5656 wrote to memory of 224	5656	cmd.exe	w32tm.exe
PID 5656 wrote to memory of 3284	5656	cmd.exe	smss.exe
PID 5656 wrote to memory of 3284	5656	cmd.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe
"C:\Users\Admin\AppData\Local\Temp\077242ad561c2803acd9b61a1805bdd65f13f04aab4c24752797c2bc90ac5779.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
5⤵
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Macromed\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P92iKPgOMs.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4120

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:5444

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:5552

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:5656

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:224

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
11⤵
PID:6008

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:6076

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
12⤵
- Executes dropped EXE
- Modifies registry class
PID:6092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
13⤵
PID:312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:4600

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
14⤵
- Executes dropped EXE
- Modifies registry class
PID:3928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
15⤵
PID:3476

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:5828

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
16⤵
- Executes dropped EXE
- Modifies registry class
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
17⤵
PID:2396

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:3524

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
19⤵
PID:1796

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:2348

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
20⤵
- Executes dropped EXE
- Modifies registry class
PID:4472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
21⤵
PID:4936

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:1456

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
22⤵
- Executes dropped EXE
- Modifies registry class
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
23⤵
PID:4624

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:4376

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
24⤵
- Executes dropped EXE
- Modifies registry class
PID:5240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
25⤵
PID:5304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:5080

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
26⤵
- Executes dropped EXE
- Modifies registry class
PID:5292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
27⤵
PID:436

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
28⤵
PID:5984

C:\Windows\AppPatch\smss.exe
"C:\Windows\AppPatch\smss.exe"
28⤵
- Executes dropped EXE
- Modifies registry class
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
29⤵
PID:1992

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
30⤵
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\Macromed\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Macromed\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\Macromed\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppPatch\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
16ef0bc2b172a62d1d2bbbb447fea035

SHA1
2608489b212c66fd22a688ec646a96f63ba629c4

SHA256
00d20d677fecb7ca8ee07fe135bc9cfdb2aba75effa55ab4b376a655b60574aa

SHA512
69b439a9fb1437cee5990b47c8d6857352cbaa4ecc0672bf58c9aa6ce06a9126f7e91e15e4b9b618ab2b7515e1864c0193540e4e8033f8030140c1781e3bcca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
16ef0bc2b172a62d1d2bbbb447fea035

SHA1
2608489b212c66fd22a688ec646a96f63ba629c4

SHA256
00d20d677fecb7ca8ee07fe135bc9cfdb2aba75effa55ab4b376a655b60574aa

SHA512
69b439a9fb1437cee5990b47c8d6857352cbaa4ecc0672bf58c9aa6ce06a9126f7e91e15e4b9b618ab2b7515e1864c0193540e4e8033f8030140c1781e3bcca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
93508868e27338e22d8379ba6b31d499

SHA1
4f3d59cd1b6eace4543b42cdaf47b703b3013979

SHA256
5c03cc7a636ad55210cf56f8196c81ba416b965a2360b1f93bf3bab71c131dff

SHA512
b1bf70a7a4b52880dfdc92c4f52a87d6db8389711a908fd0ead6da77427e9e6041c432bf38d374f78e7c5e12420db4c144c9cb3a64c4bb438ea97232b9761486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
93508868e27338e22d8379ba6b31d499

SHA1
4f3d59cd1b6eace4543b42cdaf47b703b3013979

SHA256
5c03cc7a636ad55210cf56f8196c81ba416b965a2360b1f93bf3bab71c131dff

SHA512
b1bf70a7a4b52880dfdc92c4f52a87d6db8389711a908fd0ead6da77427e9e6041c432bf38d374f78e7c5e12420db4c144c9cb3a64c4bb438ea97232b9761486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a472dc5b7337a87a4b373c970562886c

SHA1
345a76dab592022c963dd0d176afeadd4e023abe

SHA256
228c03f543bd74922d640c21b9bbccd05be96686c4f61f5f663e0ccd2a92230d

SHA512
090c6ca504b64b16345997781362fc70fd5441f64451d89d444ddbd27459163c2f3a6386a5ed377c3e39380292b7e8f31940d401eaad9f31328a681f49de8c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
716faa7d0e31e2aaadcd6c30d3453508

SHA1
4b2f27209a3830ef07dbf0016e1f0c2c958db1bc

SHA256
6d515df6a69a0e69e1a4aca8e87a5ea20ebb4bb7ddd333a689bb38b53b57b7ab

SHA512
a344469de8fd4b3fa4f73badf95feb6df3b2d4a2866c8fae57f914888745455e4b6f8af4e124fc38f07984ba4d4ca3d6e160aa0fc98ad3188a6fa4edd96c60a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aee2902fe7101cacc61e3fa9f5ffcae5

SHA1
7234f3b14cbce32230fc45eb02eac49da4d8afbc

SHA256
f17115c406d9ff406db2fce893664857e8f63d2ab9202cc0e54442ebbac7f297

SHA512
c687543e2b8ab4041094a741a3f5adc4f042ec2758b7f1ea04f975b8d991e38cc5989bfa4032cfe8b49cbe090b0c69da70bc037995ca7aeda940154ddad84927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aee2902fe7101cacc61e3fa9f5ffcae5

SHA1
7234f3b14cbce32230fc45eb02eac49da4d8afbc

SHA256
f17115c406d9ff406db2fce893664857e8f63d2ab9202cc0e54442ebbac7f297

SHA512
c687543e2b8ab4041094a741a3f5adc4f042ec2758b7f1ea04f975b8d991e38cc5989bfa4032cfe8b49cbe090b0c69da70bc037995ca7aeda940154ddad84927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e36443bbd919d47e9837de136d988979

SHA1
04fbef23c44c5e17d984d8341756028e6566d6bd

SHA256
52b9895310035e3730983dc6b755faeda2a885e9955238126624bc0116e610e2

SHA512
c590d6018600229da0ce5aadbb81274d5c85df64bbeacaba49eca6ea0f724d9c0fc84d12108e5d53217c7d8900a46bbb9d132c1b1edf0f9f40a9178cd57bed2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e36443bbd919d47e9837de136d988979

SHA1
04fbef23c44c5e17d984d8341756028e6566d6bd

SHA256
52b9895310035e3730983dc6b755faeda2a885e9955238126624bc0116e610e2

SHA512
c590d6018600229da0ce5aadbb81274d5c85df64bbeacaba49eca6ea0f724d9c0fc84d12108e5d53217c7d8900a46bbb9d132c1b1edf0f9f40a9178cd57bed2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9eca653d81f022e856a9f4b9b70b55ab

SHA1
96ae06bf3790b7d458c80149322654904aada0aa

SHA256
d46d420c6c57562ed9cb04c5efb25e3e078ef39f0d981328e8f9a4d32d13d172

SHA512
46f1f7f246d0a36cd30d6758802435900415fe3c9477f7a06fdf00d2e43acd0e487ffe87784645631bd2b7d3d0987b4222d7f5e1cedd1539feb91dca6f03a91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9eca653d81f022e856a9f4b9b70b55ab

SHA1
96ae06bf3790b7d458c80149322654904aada0aa

SHA256
d46d420c6c57562ed9cb04c5efb25e3e078ef39f0d981328e8f9a4d32d13d172

SHA512
46f1f7f246d0a36cd30d6758802435900415fe3c9477f7a06fdf00d2e43acd0e487ffe87784645631bd2b7d3d0987b4222d7f5e1cedd1539feb91dca6f03a91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc77d11a32bbfe82f066058e03de5c30

SHA1
b6066f7b3b8a0bd748e21b5b8c3b70cedf03c336

SHA256
e25aeae4626fd32f0eb26ecb753eba3777b7417a94961921abd873533aaffa1b

SHA512
e19f8a6154bf430c30adceac8dbb0522ccd89e578582418dd119cd0ff94e2d7c739eb59b84e3f99b71cf9f871a7fcc7afbc7e6176b39a8f57ef77912056d4120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc77d11a32bbfe82f066058e03de5c30

SHA1
b6066f7b3b8a0bd748e21b5b8c3b70cedf03c336

SHA256
e25aeae4626fd32f0eb26ecb753eba3777b7417a94961921abd873533aaffa1b

SHA512
e19f8a6154bf430c30adceac8dbb0522ccd89e578582418dd119cd0ff94e2d7c739eb59b84e3f99b71cf9f871a7fcc7afbc7e6176b39a8f57ef77912056d4120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc77d11a32bbfe82f066058e03de5c30

SHA1
b6066f7b3b8a0bd748e21b5b8c3b70cedf03c336

SHA256
e25aeae4626fd32f0eb26ecb753eba3777b7417a94961921abd873533aaffa1b

SHA512
e19f8a6154bf430c30adceac8dbb0522ccd89e578582418dd119cd0ff94e2d7c739eb59b84e3f99b71cf9f871a7fcc7afbc7e6176b39a8f57ef77912056d4120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc77d11a32bbfe82f066058e03de5c30

SHA1
b6066f7b3b8a0bd748e21b5b8c3b70cedf03c336

SHA256
e25aeae4626fd32f0eb26ecb753eba3777b7417a94961921abd873533aaffa1b

SHA512
e19f8a6154bf430c30adceac8dbb0522ccd89e578582418dd119cd0ff94e2d7c739eb59b84e3f99b71cf9f871a7fcc7afbc7e6176b39a8f57ef77912056d4120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71655960df19d1280b593837300d5270

SHA1
1adcd5ca90d53f8b8a4a73f7896a54de0256b370

SHA256
f44c3e212ac53d9a6e8ca565009aaf0b8b2ad7d0641ab12106a023257bc019cc

SHA512
3329bcb7d223811d284297517dd6b7f241f0e9e30076ef9d46171159b6fd866acce74b4ac11278ea3a56736c2ad3599bee66b8498bd841ed6ab82cf1875e3a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat
Filesize
193B

MD5
e44eabaf599d0becc8a72bb09bbc3e03

SHA1
ebe9a0896382bcffcac03e6675fd68dab02af62d

SHA256
8b55a624e8d523bdc0716aec3824a792187a2fc6b2fa69f4d4e2e0dfcfb41349

SHA512
b7b82b9131c6f9d15f8d69ca6fb3fe803bc32c47044c251a818d1b1b748e32f6e5be47d2726e684ebe7789709f1d308f430ed908dedaa096f3dcd43e24d2b881

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat
Filesize
193B

MD5
8a25218d7a28de0fe9e56853fdbdd7ec

SHA1
408f258238e03fec97eed557a55c81b9f0d1d6a8

SHA256
d47e15d55dec547167b7df327246ebba1473545aee3b048a8e30ef8b372d58be

SHA512
ddeae7a8b91ae98a25f32bcc923551b7f6b32ae847d184c14ce26c00dcf07831a9438bcc935d87c45eb2446a96b2d61a8ad920b5a8c047409a232de10400b84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat
Filesize
193B

MD5
37bb1e834bc63a6f7b3cc9110d0754ed

SHA1
6347bd1aabdf1c1fb5ec37529068cdc70aba5f9c

SHA256
2e365486e95279497a69614f69012e7782ed82516d4c95cc297262dd1c21e7d4

SHA512
5b8463f532aee73988c6423aed8f5266e8c2b60fae71e3e7e1f4a2a3d230e2affc47f3270dd6ced0e0633097874e8d767841e3f91577e14e3f293ff7c7378339

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat
Filesize
193B

MD5
ce9d0ecf24a121188d60d437911e84b2

SHA1
50b02c699b6fdcad45d051143aa1e2935c674349

SHA256
78c7589048fccb956bd844f8133fee2127dc6259c7d66d5a63e6908332983f24

SHA512
813356cb03b1b82859d2ee0453d1da894c5220af80d5477f3a5655b552a167003d86722acdc9b4f7f4f2b2cdbf931b7352086bf8d78f46b1f9fe1ee13dd1c2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\P92iKPgOMs.bat
Filesize
193B

MD5
caac2fcaceecfa5cdf633fa39c9392b9

SHA1
4c9a8796489f929881bae17f9c802ea01443f95e

SHA256
302c8b487c43f24b2dbc0e5969d52143e67748f0d7a3a1ba569e084c2f6e9164

SHA512
859a6a377e85f6123f18453ef02de6fbe690cda2b2227fca31aae3eeef0e9a8be01d0280683b21e9c2bfdc8c81c0c6a0a31d74030586b4407578d0ee88e3d3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat
Filesize
193B

MD5
3bccdd827f3a96eac910e31109f5bd00

SHA1
16bbf69739046b846baec8c2d8d1e1ffc2a9efe2

SHA256
eb3ebe5ddff4752b1a92537edd243acd4676967ed3fb63d0f935dad383823e49

SHA512
9f00a137693f870e50409a0816ebfc7ab72c23735e98bfc8fec963c8a02e075df752ab1fdb06e51e2f21338288c529f6698761a5960a2c183e4652ae8b9d6b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat
Filesize
193B

MD5
7f32851c5c08a61755e7617203750346

SHA1
3002a499c9161e93f95fa0c8208f21f61ee96999

SHA256
c6ecd16d62ba2428a343acf9b6e024495429acd614235b35862cec74feb42989

SHA512
2028495d12b74f4327402bf37cfaef5fcb022ddb7e33f19f0ba4beff9828b1d2780452126e664b1d9b9c608eede59c2822881acb8bc823e7014c9e2656cb32bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat
Filesize
193B

MD5
3bfc8c7d53f284022caffb1cba1518dc

SHA1
a8504858da8337c2d540f900c3a23a8fdf518171

SHA256
b0db292cda3b84f1b876e6631d13f309ee4f071edc6707a41a227967a884c7d8

SHA512
b41bb0f7d9ac8c5d1e6049c49ad7124fa3815e2a8f5fdccc7b8d2c5577b29f3b89b6256b26a0fe82b25aef4f4670f93001de1d1015b724e210f053441c9fc6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat
Filesize
193B

MD5
5fb87b7ffc499acbd575086afabd034b

SHA1
aa7c0e52c76559ca6affbf20cbb89e078aa4839b

SHA256
b3603adb82305e4a23a10be50450b5ba7e25b77c0ecd64ebc4cc96218e1e8fdf

SHA512
eed2e9a9645102e1d981affd81289e7ca6d93957b354e5aaf9e3933183c49ffbf08de66be5b502e2bfd7def265071b5796e987be78f82eb8e1680df892db9296

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat
Filesize
193B

MD5
64bbfaff06d5904cf04a8d31ef7e9dac

SHA1
e279527dfbca9b490822b850df7cee3e3553eeae

SHA256
3ab4637fc9d0d2aa5811af343ff2a2b2637e32e477cbec00b00213b3af99f936

SHA512
a37398eb51a50fc899b130d97170d5f176f75b4d7701f965ae913ef9de5e1254ad202d7205cec9eb00fc8c0d69f33da82475cc44e90e95051ee0172fdb86318b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat
Filesize
193B

MD5
c6245013dff8735a6c024ad7025e9085

SHA1
e98d23159749225e847eab484ad50cb08a237550

SHA256
e7f08fc26e51542c7b1ba95b6fc046c1380e42e8ad7cf2ed089040f0f95f7292

SHA512
05d60090d2279c06d8ee221b7a3f69bdb1b515b2a48578f66c6acdc007b6bf2bd91eb14ad7863c4218b6ed458e621e0cce872e706b37e356d762d6122fd71662

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat
Filesize
193B

MD5
c6245013dff8735a6c024ad7025e9085

SHA1
e98d23159749225e847eab484ad50cb08a237550

SHA256
e7f08fc26e51542c7b1ba95b6fc046c1380e42e8ad7cf2ed089040f0f95f7292

SHA512
05d60090d2279c06d8ee221b7a3f69bdb1b515b2a48578f66c6acdc007b6bf2bd91eb14ad7863c4218b6ed458e621e0cce872e706b37e356d762d6122fd71662

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat
Filesize
193B

MD5
663525d66ed9eeadbaa605d246a02aaf

SHA1
0564082af57b1e4cd91e1e30ef344ca837cd0ebe

SHA256
4a166557326908961cb8d2d3bb01013b7a3d77632fdb383e1eb2d8c294d45122

SHA512
b3dba4505edbae38d7ec50fd9f7c9e490c6b7e39a8731c72c48add6c5bfdf87cd3f42f308c0cce743be0210bc549678d0dc6cc37060c78991c7448a6fec3223e

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppPatch\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/224-963-0x0000000000000000-mapping.dmp

Download
memory/312-971-0x0000000000000000-mapping.dmp

Download
memory/384-296-0x0000000000000000-mapping.dmp

Download
memory/436-1011-0x0000000000000000-mapping.dmp

Download
memory/952-308-0x0000000000000000-mapping.dmp

Download
memory/1048-371-0x0000000000000000-mapping.dmp

Download
memory/1308-312-0x0000000000000000-mapping.dmp

Download
memory/1456-996-0x0000000000000000-mapping.dmp

Download
memory/1728-997-0x0000000000000000-mapping.dmp

Download
memory/1796-328-0x0000000000000000-mapping.dmp

Download
memory/1796-989-0x0000000000000000-mapping.dmp

Download
memory/1840-986-0x0000000000000000-mapping.dmp

Download
memory/1840-988-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/1992-1016-0x0000000000000000-mapping.dmp

Download
memory/2188-186-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-184-0x0000000000000000-mapping.dmp

Download
memory/2188-185-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2212-324-0x0000000000000000-mapping.dmp

Download
memory/2288-294-0x0000000000000000-mapping.dmp

Download
memory/2348-991-0x0000000000000000-mapping.dmp

Download
memory/2396-983-0x0000000000000000-mapping.dmp

Download
memory/2420-260-0x0000000000000000-mapping.dmp

Download
memory/2484-293-0x0000000000000000-mapping.dmp

Download
memory/2620-365-0x000002C298FD0000-0x000002C298FF2000-memory.dmp

Filesize
136KB

Download
memory/2620-292-0x0000000000000000-mapping.dmp

Download
memory/2624-291-0x0000000000000000-mapping.dmp

Download
memory/2696-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-155-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-121-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-122-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-123-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-129-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-130-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-131-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-181-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-133-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-135-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-178-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-177-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-175-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-174-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-171-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-172-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-170-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-120-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-165-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-159-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-158-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-142-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-157-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-152-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-156-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-146-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-148-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-295-0x0000000000000000-mapping.dmp

Download
memory/3284-964-0x0000000000000000-mapping.dmp

Download
memory/3476-977-0x0000000000000000-mapping.dmp

Download
memory/3508-297-0x0000000000000000-mapping.dmp

Download
memory/3524-985-0x0000000000000000-mapping.dmp

Download
memory/3568-306-0x0000000000000000-mapping.dmp

Download
memory/3584-319-0x0000000000000000-mapping.dmp

Download
memory/3928-974-0x0000000000000000-mapping.dmp

Download
memory/3928-976-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/3944-1018-0x0000000000000000-mapping.dmp

Download
memory/4120-435-0x0000000000000000-mapping.dmp

Download
memory/4144-1014-0x0000000000000000-mapping.dmp

Download
memory/4276-314-0x0000000000000000-mapping.dmp

Download
memory/4336-302-0x0000000000000000-mapping.dmp

Download
memory/4376-1001-0x0000000000000000-mapping.dmp

Download
memory/4472-992-0x0000000000000000-mapping.dmp

Download
memory/4600-973-0x0000000000000000-mapping.dmp

Download
memory/4624-999-0x0000000000000000-mapping.dmp

Download
memory/4652-337-0x0000000000000000-mapping.dmp

Download
memory/4668-290-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/4668-283-0x0000000000000000-mapping.dmp

Download
memory/4668-286-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/4668-287-0x0000000000960000-0x0000000000972000-memory.dmp

Filesize
72KB

Download
memory/4668-288-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/4668-289-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/4884-298-0x0000000000000000-mapping.dmp

Download
memory/4888-982-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/4888-980-0x0000000000000000-mapping.dmp

Download
memory/4936-994-0x0000000000000000-mapping.dmp

Download
memory/4940-301-0x0000000000000000-mapping.dmp

Download
memory/5048-406-0x000001C93EA70000-0x000001C93EAE6000-memory.dmp

Filesize
472KB

Download
memory/5048-330-0x0000000000000000-mapping.dmp

Download
memory/5080-1007-0x0000000000000000-mapping.dmp

Download
memory/5240-1002-0x0000000000000000-mapping.dmp

Download
memory/5240-1004-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/5292-1008-0x0000000000000000-mapping.dmp

Download
memory/5292-1010-0x0000000001380000-0x0000000001392000-memory.dmp

Filesize
72KB

Download
memory/5304-1005-0x0000000000000000-mapping.dmp

Download
memory/5444-954-0x0000000000000000-mapping.dmp

Download
memory/5484-957-0x0000000000000000-mapping.dmp

Download
memory/5484-960-0x0000000001550000-0x0000000001562000-memory.dmp

Filesize
72KB

Download
memory/5552-956-0x0000000000000000-mapping.dmp

Download
memory/5656-961-0x0000000000000000-mapping.dmp

Download
memory/5828-979-0x0000000000000000-mapping.dmp

Download
memory/5860-824-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/5860-714-0x0000000000000000-mapping.dmp

Download
memory/5984-1013-0x0000000000000000-mapping.dmp

Download
memory/6008-966-0x0000000000000000-mapping.dmp

Download
memory/6076-968-0x0000000000000000-mapping.dmp

Download
memory/6092-969-0x0000000000000000-mapping.dmp

Download