dcrat | 964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe
Size

1.3MB
MD5

d7a91c4af5c2771fdbbd4b28ae58bd25
SHA1

31f23078e712650e48753df3653964b8b2989505
SHA256

964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e
SHA512

7d332f5dd7d831d89de97a7549448b90eb8541088791d4630f18c575f06f5624aabf4b5d39bde14e2677a61aebf9da580b282cc737308ae008ce551963ef5d32
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1304	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4844-139-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat
C:\providercommon\backgroundTaskHost.exe	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

backgroundTaskHost.exe964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exeWScript.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exeDllCommonsvc.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

pid	process
4844	DllCommonsvc.exe
4288	backgroundTaskHost.exe
2188	backgroundTaskHost.exe
4672	backgroundTaskHost.exe
1568	backgroundTaskHost.exe
2280	backgroundTaskHost.exe
3628	backgroundTaskHost.exe
3964	backgroundTaskHost.exe
2336	backgroundTaskHost.exe
1072	backgroundTaskHost.exe
3480	backgroundTaskHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Google\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\wuapihost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\8df8b199a15f03	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\PrintDialog\eddb19405b7ce1	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\backgroundTaskHost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3760	schtasks.exe
2372	schtasks.exe
3724	schtasks.exe
1264	schtasks.exe
4616	schtasks.exe
3044	schtasks.exe
4436	schtasks.exe
3708	schtasks.exe
4608	schtasks.exe
3152	schtasks.exe
2088	schtasks.exe
2668	schtasks.exe
4584	schtasks.exe
4824	schtasks.exe
4492	schtasks.exe
1448	schtasks.exe
100	schtasks.exe
4956	schtasks.exe
3364	schtasks.exe
4112	schtasks.exe
1384	schtasks.exe
4016	schtasks.exe
1772	schtasks.exe
852	schtasks.exe
4260	schtasks.exe
4264	schtasks.exe
1432	schtasks.exe
1108	schtasks.exe
208	schtasks.exe
4516	schtasks.exe
2156	schtasks.exe
4888	schtasks.exe
4836	schtasks.exe
4120	schtasks.exe
1696	schtasks.exe
3080	schtasks.exe

Modifies registry class 11 IoCs

Processes:

backgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	backgroundTaskHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
4844	DllCommonsvc.exe
1644	powershell.exe
1644	powershell.exe
536	powershell.exe
536	powershell.exe
3160	powershell.exe
3160	powershell.exe
3696	powershell.exe
3696	powershell.exe
4808	powershell.exe
4808	powershell.exe
628	powershell.exe
628	powershell.exe
4432	powershell.exe
4432	powershell.exe
2304	powershell.exe
2304	powershell.exe
1440	powershell.exe
1440	powershell.exe
1780	powershell.exe
1780	powershell.exe
4456	powershell.exe
4456	powershell.exe
4624	powershell.exe
4624	powershell.exe
628	powershell.exe
4188	powershell.exe
4188	powershell.exe
1780	powershell.exe
4288	backgroundTaskHost.exe
4288	backgroundTaskHost.exe
1644	powershell.exe
1644	powershell.exe
3160	powershell.exe
3160	powershell.exe
536	powershell.exe
536	powershell.exe
4808	powershell.exe
3696	powershell.exe
4432	powershell.exe
1440	powershell.exe
2304	powershell.exe
4456	powershell.exe
4624	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	4844	DllCommonsvc.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4288	backgroundTaskHost.exe
Token: SeDebugPrivilege	2188	backgroundTaskHost.exe
Token: SeDebugPrivilege	4672	backgroundTaskHost.exe
Token: SeDebugPrivilege	1568	backgroundTaskHost.exe
Token: SeDebugPrivilege	2280	backgroundTaskHost.exe
Token: SeDebugPrivilege	3628	backgroundTaskHost.exe
Token: SeDebugPrivilege	3964	backgroundTaskHost.exe
Token: SeDebugPrivilege	2336	backgroundTaskHost.exe
Token: SeDebugPrivilege	1072	backgroundTaskHost.exe
Token: SeDebugPrivilege	3480	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exeWScript.execmd.exeDllCommonsvc.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exebackgroundTaskHost.execmd.exe

description	pid	process	target process
PID 1368 wrote to memory of 2444	1368	964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe	WScript.exe
PID 1368 wrote to memory of 2444	1368	964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe	WScript.exe
PID 1368 wrote to memory of 2444	1368	964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe	WScript.exe
PID 2444 wrote to memory of 4932	2444	WScript.exe	cmd.exe
PID 2444 wrote to memory of 4932	2444	WScript.exe	cmd.exe
PID 2444 wrote to memory of 4932	2444	WScript.exe	cmd.exe
PID 4932 wrote to memory of 4844	4932	cmd.exe	DllCommonsvc.exe
PID 4932 wrote to memory of 4844	4932	cmd.exe	DllCommonsvc.exe
PID 4844 wrote to memory of 628	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 628	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 536	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 536	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 1644	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 1644	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 3160	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 3160	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 3696	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 3696	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4808	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4808	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 1780	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 1780	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4432	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4432	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 2304	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 2304	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 1440	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 1440	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4456	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4456	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4188	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4188	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4624	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4624	4844	DllCommonsvc.exe	powershell.exe
PID 4844 wrote to memory of 4288	4844	DllCommonsvc.exe	backgroundTaskHost.exe
PID 4844 wrote to memory of 4288	4844	DllCommonsvc.exe	backgroundTaskHost.exe
PID 4288 wrote to memory of 2420	4288	backgroundTaskHost.exe	cmd.exe
PID 4288 wrote to memory of 2420	4288	backgroundTaskHost.exe	cmd.exe
PID 2420 wrote to memory of 4248	2420	cmd.exe	w32tm.exe
PID 2420 wrote to memory of 4248	2420	cmd.exe	w32tm.exe
PID 2420 wrote to memory of 2188	2420	cmd.exe	backgroundTaskHost.exe
PID 2420 wrote to memory of 2188	2420	cmd.exe	backgroundTaskHost.exe
PID 2188 wrote to memory of 2152	2188	backgroundTaskHost.exe	cmd.exe
PID 2188 wrote to memory of 2152	2188	backgroundTaskHost.exe	cmd.exe
PID 2152 wrote to memory of 4980	2152	cmd.exe	w32tm.exe
PID 2152 wrote to memory of 4980	2152	cmd.exe	w32tm.exe
PID 2152 wrote to memory of 4672	2152	cmd.exe	backgroundTaskHost.exe
PID 2152 wrote to memory of 4672	2152	cmd.exe	backgroundTaskHost.exe
PID 4672 wrote to memory of 4308	4672	backgroundTaskHost.exe	cmd.exe
PID 4672 wrote to memory of 4308	4672	backgroundTaskHost.exe	cmd.exe
PID 4308 wrote to memory of 2092	4308	cmd.exe	w32tm.exe
PID 4308 wrote to memory of 2092	4308	cmd.exe	w32tm.exe
PID 4308 wrote to memory of 1568	4308	cmd.exe	backgroundTaskHost.exe
PID 4308 wrote to memory of 1568	4308	cmd.exe	backgroundTaskHost.exe
PID 1568 wrote to memory of 4940	1568	backgroundTaskHost.exe	cmd.exe
PID 1568 wrote to memory of 4940	1568	backgroundTaskHost.exe	cmd.exe
PID 4940 wrote to memory of 3944	4940	cmd.exe	w32tm.exe
PID 4940 wrote to memory of 3944	4940	cmd.exe	w32tm.exe
PID 4940 wrote to memory of 2280	4940	cmd.exe	backgroundTaskHost.exe
PID 4940 wrote to memory of 2280	4940	cmd.exe	backgroundTaskHost.exe
PID 2280 wrote to memory of 3540	2280	backgroundTaskHost.exe	cmd.exe
PID 2280 wrote to memory of 3540	2280	backgroundTaskHost.exe	cmd.exe
PID 3540 wrote to memory of 4388	3540	cmd.exe	w32tm.exe
PID 3540 wrote to memory of 4388	3540	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe
"C:\Users\Admin\AppData\Local\Temp\964ce730d428aef774eb686ff0419e15e770c89340a266eb3237edb72fb5391e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\wuapihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\backgroundTaskHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\backgroundTaskHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\backgroundTaskHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4248

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4980

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2092

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:3944

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:4388

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
16⤵
PID:3968

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:112

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
18⤵
PID:2344

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1364

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
20⤵
PID:3160

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:4728

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
22⤵
PID:1096

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:4760

C:\providercommon\backgroundTaskHost.exe
"C:\providercommon\backgroundTaskHost.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
24⤵
PID:4792

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuapihostw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wuapihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuapihost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wuapihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuapihostw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\wuapihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\providercommon\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\providercommon\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\providercommon\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c97a801bb5d6c21c265ab7f283ba83e

SHA1
7c0a4cb73d63702a2d454268d983e0dcb36a8bf8

SHA256
69d9676a8c93686c904d9ce6193221476d6c72bc4d3250a232c03ccbeae380c7

SHA512
d3abd8bfccd3a3fec55c13e85e755fbd589e6ea04321169c7c8cf5badf7b6ffe96c0c2ed449a0b4a99ecfd1e7bb7edc3311d335c8956cf344c9584fb0bda50d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
205B

MD5
dd536e16324b6627cf6bd8ade7f9da71

SHA1
dee0984ae28891bdc991ad9e0f9b5f013555dac8

SHA256
1409b8d462eaca709713cbb36906649a3dcd208c54e76a03cb85c359e19bdc5b

SHA512
663ae7f6b064559527d86a7aa48675036e8567cc5550eb197ac798ba49c28b107860739811f863026aa870bcd2519d39c1cc581cf8422757ea349b39ab90d8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
205B

MD5
0fbbdf46eeb20debee0cb936c4c0f17a

SHA1
e1342cbc7ec4040d20bccfcdec330659cd70f7f5

SHA256
173e0757eeb53ef634d98b912f5b60ed1c42ff6060c4ed0b55c72b236ca4530a

SHA512
7e88ee308ca464c83f3456c3c92040c1344391a519bbc52b811d8037044460d70fc12068f1c13ec201a61bbc7d631125b1711010d6f7f0501f148aad947aea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
205B

MD5
2aa843e15099b8f9275c7e209c0c293f

SHA1
875d28f8982f775087eda42ce6d12216635e5f16

SHA256
ad056ca35ac665ecc62d43e5d994dca466fbe84b62f273cefa35b70d9f0e0670

SHA512
1ac7e8de9b582babc39e47a6dab125c2a68dae3ab298b42666269300c67da1721f30e6fd7a7796410bcdb2ee90fd8ddb7b1de24d99f511e81beff1184e5df304

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
205B

MD5
aa24703da62d17e4a335244b5a43566e

SHA1
776088d461e7efefde8b174575565e2140f4c388

SHA256
e1bcc3359ab35b15c1353db7443711a2559d46445198fa201a072a1c8b5c419f

SHA512
8ddea7242276782830ca634b6b82b38e0c09ff7d4b80707d12e1b71110d186322bd5ff6f84bc04e76a6f6d9b166cb0256a1f3af186396ec0bd4cdf7e24fdb838

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
205B

MD5
d5f1e4839bfdac21e56c3872a692e0eb

SHA1
d1210d5c13195d264ce37bf558f92fd3e0017c11

SHA256
79297a8b673f56e48485ab1c49b53336315c009c85438e2140fe030a0684673c

SHA512
99a07219042c223d3c54d1d9691a16b6d5b5f62bccaedd402a44a9ee5cfbe4da0c0fecd2d55883becb197c2ea4fa58f4d055a73b211c69f03c0e831d07db0d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
205B

MD5
df97c49075cad54586c71496ff663f96

SHA1
279d241e4886b44c5be843c1add63999d8dfaa97

SHA256
92421e3c8ee1850117486c3138a85d06b9949ac036f37a78b2d5b59c0cae5312

SHA512
50f0501260a818931275aa09b2053be0b7490c893ddc0f47358c53b5304529611cc88655c79cea824a1da6d3b68e528c41f6c28a75d5ae29b5ddafbc3198d04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
205B

MD5
5b810694c4f995de58b89c316c4ee33a

SHA1
1b219d3a1c5521c62e3ef5a1a840731a92a9b6e3

SHA256
421359b1412fe7937dce7e8ffe60c8fc5c3db92a420929ecbb016b6179f7fa6e

SHA512
7a36c64699f39dddfb86e073a4d9db1c1d50bcc27a1e36a9bb94e115510ced4cacad39b5a8ca215e3e6e0f2ffcae7699b336ec8e5271ebd31565423e2f74e521

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
205B

MD5
d787474d33603b785e4a0fd2e86aec7c

SHA1
252367e0e80d8ab44e15e4457c47f184ac008a74

SHA256
80d8a81ede3508517d56e56dc63ac47b88c031405231ee2ecd192d2fbada8ff4

SHA512
94f4d2676ab5648f333e9686d5231f04c7b1666e72fcee439a13d16aa241c73362d3f12974ec96ad3a49fdde60c70a446fa94230c0aa959a3a7cfc6def5a498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
205B

MD5
d787474d33603b785e4a0fd2e86aec7c

SHA1
252367e0e80d8ab44e15e4457c47f184ac008a74

SHA256
80d8a81ede3508517d56e56dc63ac47b88c031405231ee2ecd192d2fbada8ff4

SHA512
94f4d2676ab5648f333e9686d5231f04c7b1666e72fcee439a13d16aa241c73362d3f12974ec96ad3a49fdde60c70a446fa94230c0aa959a3a7cfc6def5a498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
205B

MD5
7bc5e8ac7c106255e86da69a06efa0b5

SHA1
c60987a0ff8bba71f066655d5db3192a18640155

SHA256
d3a81fc1f6a6bd8ec1679857170387731b999f48eff2f9a0cacf4ef36339708d

SHA512
ad609cdf38ab67a56733644e5e26a4eeb8ba9dbe7846a508c8c5478371977c31a7cfce81ffcdbb0fc086e8ea274583c673bf6709d3fdaba7426e58152a2a101c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\backgroundTaskHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/112-238-0x0000000000000000-mapping.dmp

Download
memory/536-189-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/536-154-0x0000018A23B60000-0x0000018A23B82000-memory.dmp

Filesize
136KB

Download
memory/536-142-0x0000000000000000-mapping.dmp

Download
memory/536-157-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/628-180-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/628-141-0x0000000000000000-mapping.dmp

Download
memory/628-165-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1072-254-0x0000000000000000-mapping.dmp

Download
memory/1072-256-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-260-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/1096-257-0x0000000000000000-mapping.dmp

Download
memory/1364-245-0x0000000000000000-mapping.dmp

Download
memory/1440-166-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1440-150-0x0000000000000000-mapping.dmp

Download
memory/1440-196-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1568-225-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/1568-219-0x0000000000000000-mapping.dmp

Download
memory/1568-221-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-181-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1644-143-0x0000000000000000-mapping.dmp

Download
memory/1644-155-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1780-147-0x0000000000000000-mapping.dmp

Download
memory/1780-164-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1780-182-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/2088-268-0x0000000000000000-mapping.dmp

Download
memory/2092-218-0x0000000000000000-mapping.dmp

Download
memory/2152-208-0x0000000000000000-mapping.dmp

Download
memory/2188-203-0x0000000000000000-mapping.dmp

Download
memory/2188-211-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2188-207-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2188-206-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-228-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-232-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-226-0x0000000000000000-mapping.dmp

Download
memory/2304-197-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/2304-149-0x0000000000000000-mapping.dmp

Download
memory/2304-171-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/2336-253-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-247-0x0000000000000000-mapping.dmp

Download
memory/2336-249-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-243-0x0000000000000000-mapping.dmp

Download
memory/2420-173-0x0000000000000000-mapping.dmp

Download
memory/2444-132-0x0000000000000000-mapping.dmp

Download
memory/3160-161-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3160-184-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3160-250-0x0000000000000000-mapping.dmp

Download
memory/3160-144-0x0000000000000000-mapping.dmp

Download
memory/3480-265-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-266-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-261-0x0000000000000000-mapping.dmp

Download
memory/3480-263-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-229-0x0000000000000000-mapping.dmp

Download
memory/3628-235-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3628-239-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3628-233-0x0000000000000000-mapping.dmp

Download
memory/3696-186-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3696-162-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3696-145-0x0000000000000000-mapping.dmp

Download
memory/3944-224-0x0000000000000000-mapping.dmp

Download
memory/3964-240-0x0000000000000000-mapping.dmp

Download
memory/3964-242-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-246-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/3968-236-0x0000000000000000-mapping.dmp

Download
memory/4188-201-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4188-152-0x0000000000000000-mapping.dmp

Download
memory/4188-168-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4248-175-0x0000000000000000-mapping.dmp

Download
memory/4288-156-0x0000000000000000-mapping.dmp

Download
memory/4288-176-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4288-169-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4308-215-0x0000000000000000-mapping.dmp

Download
memory/4388-231-0x0000000000000000-mapping.dmp

Download
memory/4432-148-0x0000000000000000-mapping.dmp

Download
memory/4432-167-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4432-194-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4456-151-0x0000000000000000-mapping.dmp

Download
memory/4456-172-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4456-202-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4624-170-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4624-153-0x0000000000000000-mapping.dmp

Download
memory/4624-199-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4672-216-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-214-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-212-0x0000000000000000-mapping.dmp

Download
memory/4728-252-0x0000000000000000-mapping.dmp

Download
memory/4760-259-0x0000000000000000-mapping.dmp

Download
memory/4792-264-0x0000000000000000-mapping.dmp

Download
memory/4808-163-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4808-146-0x0000000000000000-mapping.dmp

Download
memory/4808-190-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4844-140-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4844-139-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/4844-136-0x0000000000000000-mapping.dmp

Download
memory/4844-160-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4932-135-0x0000000000000000-mapping.dmp

Download
memory/4940-222-0x0000000000000000-mapping.dmp

Download
memory/4980-210-0x0000000000000000-mapping.dmp

Download