dcrat | 3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
Size

1.3MB
MD5

29686d3ef9347f94d6151acf51a50a40
SHA1

c572d263b840e6339683c4f92dd9aa400a5b25b3
SHA256

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116
SHA512

855f9380390ea03f9302dd0c389e42ab0c4ad3ad5b71743b7ce0fd811a0424a90d07295b81cbc121acf7bda7a130d7ccacdb7af858894de13ba81c1945f1e53b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	1788	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral2/memory/3336-13-0x0000000000700000-0x0000000000810000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3096	powershell.exe
4148	powershell.exe
2116	powershell.exe
4448	powershell.exe
3592	powershell.exe
3844	powershell.exe
4168	powershell.exe
4932	powershell.exe
1364	powershell.exe
4392	powershell.exe
4388	powershell.exe
4384	powershell.exe
2392	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeDllCommonsvc.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

Processes:

DllCommonsvc.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
3336	DllCommonsvc.exe
5480	RuntimeBroker.exe
5752	RuntimeBroker.exe
5952	RuntimeBroker.exe
5192	RuntimeBroker.exe
384	RuntimeBroker.exe
4848	RuntimeBroker.exe
1272	RuntimeBroker.exe
3588	RuntimeBroker.exe
5580	RuntimeBroker.exe
2132	RuntimeBroker.exe
3980	RuntimeBroker.exe
5332	RuntimeBroker.exe
4708	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

Processes:

flow	ioc
57	raw.githubusercontent.com
73	raw.githubusercontent.com
45	raw.githubusercontent.com
56	raw.githubusercontent.com
28	raw.githubusercontent.com
47	raw.githubusercontent.com
60	raw.githubusercontent.com
74	raw.githubusercontent.com
75	raw.githubusercontent.com
29	raw.githubusercontent.com
31	raw.githubusercontent.com
46	raw.githubusercontent.com
55	raw.githubusercontent.com
72	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\fonts\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\rescache\_merged\4245263321\System.exe DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\4245263321\System.exe	DllCommonsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

Processes:

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exeDllCommonsvc.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2000	schtasks.exe
208	schtasks.exe
212	schtasks.exe
4468	schtasks.exe
4152	schtasks.exe
1244	schtasks.exe
3660	schtasks.exe
3624	schtasks.exe
3156	schtasks.exe
4860	schtasks.exe
2676	schtasks.exe
4600	schtasks.exe
2948	schtasks.exe
2844	schtasks.exe
4192	schtasks.exe
740	schtasks.exe
4624	schtasks.exe
4676	schtasks.exe
1308	schtasks.exe
4000	schtasks.exe
3532	schtasks.exe
2664	schtasks.exe
2212	schtasks.exe
1616	schtasks.exe
3648	schtasks.exe
4540	schtasks.exe
3884	schtasks.exe
4252	schtasks.exe
2488	schtasks.exe
2500	schtasks.exe
3128	schtasks.exe
5060	schtasks.exe
2956	schtasks.exe
1776	schtasks.exe
2544	schtasks.exe
2476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
3336	DllCommonsvc.exe
3336	DllCommonsvc.exe
3336	DllCommonsvc.exe
4448	powershell.exe
4448	powershell.exe
4168	powershell.exe
4168	powershell.exe
4384	powershell.exe
4384	powershell.exe
4388	powershell.exe
4388	powershell.exe
4148	powershell.exe
4148	powershell.exe
4392	powershell.exe
4392	powershell.exe
2392	powershell.exe
2392	powershell.exe
1364	powershell.exe
1364	powershell.exe
3096	powershell.exe
3096	powershell.exe
4932	powershell.exe
4932	powershell.exe
3592	powershell.exe
3592	powershell.exe
3844	powershell.exe
3844	powershell.exe
4168	powershell.exe
4384	powershell.exe
4448	powershell.exe
2392	powershell.exe
3096	powershell.exe
4148	powershell.exe
4392	powershell.exe
1364	powershell.exe
4932	powershell.exe
4388	powershell.exe
3844	powershell.exe
3592	powershell.exe
5480	RuntimeBroker.exe
5752	RuntimeBroker.exe
5952	RuntimeBroker.exe
5192	RuntimeBroker.exe
384	RuntimeBroker.exe
4848	RuntimeBroker.exe
1272	RuntimeBroker.exe
3588	RuntimeBroker.exe
5580	RuntimeBroker.exe
2132	RuntimeBroker.exe
3980	RuntimeBroker.exe
5332	RuntimeBroker.exe
4708	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3336	DllCommonsvc.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	5480	RuntimeBroker.exe
Token: SeDebugPrivilege	5752	RuntimeBroker.exe
Token: SeDebugPrivilege	5952	RuntimeBroker.exe
Token: SeDebugPrivilege	5192	RuntimeBroker.exe
Token: SeDebugPrivilege	384	RuntimeBroker.exe
Token: SeDebugPrivilege	4848	RuntimeBroker.exe
Token: SeDebugPrivilege	1272	RuntimeBroker.exe
Token: SeDebugPrivilege	3588	RuntimeBroker.exe
Token: SeDebugPrivilege	5580	RuntimeBroker.exe
Token: SeDebugPrivilege	2132	RuntimeBroker.exe
Token: SeDebugPrivilege	3980	RuntimeBroker.exe
Token: SeDebugPrivilege	5332	RuntimeBroker.exe
Token: SeDebugPrivilege	4708	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exeWScript.execmd.exeDllCommonsvc.execmd.exeRuntimeBroker.execmd.exeRuntimeBroker.execmd.exeRuntimeBroker.execmd.exeRuntimeBroker.execmd.exe

description	pid	process	target process
PID 4984 wrote to memory of 4444	4984	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	WScript.exe
PID 4984 wrote to memory of 4444	4984	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	WScript.exe
PID 4984 wrote to memory of 4444	4984	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	WScript.exe
PID 4444 wrote to memory of 2532	4444	WScript.exe	cmd.exe
PID 4444 wrote to memory of 2532	4444	WScript.exe	cmd.exe
PID 4444 wrote to memory of 2532	4444	WScript.exe	cmd.exe
PID 2532 wrote to memory of 3336	2532	cmd.exe	DllCommonsvc.exe
PID 2532 wrote to memory of 3336	2532	cmd.exe	DllCommonsvc.exe
PID 3336 wrote to memory of 3096	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 3096	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 3844	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 3844	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4168	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4168	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4932	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4932	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 1364	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 1364	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4148	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4148	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 2116	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 2116	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4392	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4392	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4388	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4388	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4448	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4448	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4384	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 4384	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 3592	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 3592	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 2392	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 2392	3336	DllCommonsvc.exe	powershell.exe
PID 3336 wrote to memory of 2444	3336	DllCommonsvc.exe	cmd.exe
PID 3336 wrote to memory of 2444	3336	DllCommonsvc.exe	cmd.exe
PID 2444 wrote to memory of 4320	2444	cmd.exe	w32tm.exe
PID 2444 wrote to memory of 4320	2444	cmd.exe	w32tm.exe
PID 2444 wrote to memory of 5480	2444	cmd.exe	RuntimeBroker.exe
PID 2444 wrote to memory of 5480	2444	cmd.exe	RuntimeBroker.exe
PID 5480 wrote to memory of 5640	5480	RuntimeBroker.exe	cmd.exe
PID 5480 wrote to memory of 5640	5480	RuntimeBroker.exe	cmd.exe
PID 5640 wrote to memory of 5696	5640	cmd.exe	w32tm.exe
PID 5640 wrote to memory of 5696	5640	cmd.exe	w32tm.exe
PID 5640 wrote to memory of 5752	5640	cmd.exe	RuntimeBroker.exe
PID 5640 wrote to memory of 5752	5640	cmd.exe	RuntimeBroker.exe
PID 5752 wrote to memory of 5868	5752	RuntimeBroker.exe	cmd.exe
PID 5752 wrote to memory of 5868	5752	RuntimeBroker.exe	cmd.exe
PID 5868 wrote to memory of 5920	5868	cmd.exe	w32tm.exe
PID 5868 wrote to memory of 5920	5868	cmd.exe	w32tm.exe
PID 5868 wrote to memory of 5952	5868	cmd.exe	RuntimeBroker.exe
PID 5868 wrote to memory of 5952	5868	cmd.exe	RuntimeBroker.exe
PID 5952 wrote to memory of 4440	5952	RuntimeBroker.exe	cmd.exe
PID 5952 wrote to memory of 4440	5952	RuntimeBroker.exe	cmd.exe
PID 4440 wrote to memory of 4732	4440	cmd.exe	w32tm.exe
PID 4440 wrote to memory of 4732	4440	cmd.exe	w32tm.exe
PID 4440 wrote to memory of 5192	4440	cmd.exe	RuntimeBroker.exe
PID 4440 wrote to memory of 5192	4440	cmd.exe	RuntimeBroker.exe
PID 5192 wrote to memory of 4592	5192	RuntimeBroker.exe	cmd.exe
PID 5192 wrote to memory of 4592	5192	RuntimeBroker.exe	cmd.exe
PID 4592 wrote to memory of 5144	4592	cmd.exe	w32tm.exe
PID 4592 wrote to memory of 5144	4592	cmd.exe	w32tm.exe
PID 4592 wrote to memory of 384	4592	cmd.exe	RuntimeBroker.exe
PID 4592 wrote to memory of 384	4592	cmd.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
"C:\Users\Admin\AppData\Local\Temp\3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gwg06dQqhn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4320
      - C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5696
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5920
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4732
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5144
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        15⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5268
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        17⤵
        
        PID:700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5324
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        19⤵
        
        PID:5296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4540
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        21⤵
        
        PID:4748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5040
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        23⤵
        
        PID:5644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5784
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        25⤵
        
        PID:3916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1704
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
        27⤵
        
        PID:4156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4780
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        29⤵
        
        PID:5280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4932
        
        C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        31⤵
        
        PID:3356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\providercommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\providercommon\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\providercommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
724B

MD5
44a043d64b5dd22d98e04fde5558e979

SHA1
4e240742d34e275545d25edd6a349860339d8d2a

SHA256
dd104e8cc8ad2413950038a96622761bc1c3f21393a602538cdc7a21553867d8

SHA512
3f08f466b5a59a491e156a6bb0273bcc7f761c78b95ea541d13077a20d80834c2cfbf5ba8f2a244c800c0116374ea73c25f2b57978be20157e350718dcceab36

Download Submit
C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

Filesize
233B

MD5
007203ddd88583f112788cc85a681396

SHA1
fdb0ecb34cd5d43e3c0d8de58fd269ee86ab8238

SHA256
fe067342d0172055fde50403571bbe3dd7f6dd9f28a75688ff5fe494c138c52c

SHA512
7e0e3be6f7fe8fee95688ef8add4750c5fb70ce93e8a660d05b1ae3da9e16331655e18499014e446352f16298fbaeb3d7196df2331fcd10e592f6050ecaef626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
233B

MD5
cc9168dd713e458a3d3e9b4f40a77794

SHA1
079c767056fa1a4b93d380b01caab7ef17e394a1

SHA256
1a8c1d15a8e8e22438c634a58303e1b251baad54cad9870f15ffb6e0a90c1466

SHA512
9772cf95d60a3ce5cd2747f4c18ab5b04cb54b7be267fa87ce232874113c78900af2f2c86952dca47d2ecbffb3302b64fe3baf243281f11eeaaf9b2b91c598b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
233B

MD5
1f9fd2dd7263282ccbc0bb9c7ea907fe

SHA1
c6df121aac8a02f20a9053448c7a2151c2d152e0

SHA256
86ab975824d0ce04fcb48d69f1c361f2e8c58d2ffdd1bfe61c81d15c1529930e

SHA512
cd66c3c64a250c2e0f8aeee2b04331da9c31387b75841e952ec3d940ebf9061d970b90e9453d5b8b63904946a817df0f8171117a3b6e46c2ffec22f17ed908f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
233B

MD5
bf8cef197642df3a184a7a56a249d2de

SHA1
05ddbab2e728bb6da14f3b0c8a270d95d27ed0e0

SHA256
4e65c82d4c91750f035555b3e000598fcd87309af68fb521e5e896ad7836bdb6

SHA512
66a9f6f4eb1041d2bfe907ddd4306c61c5fb860a50966158ebffd50b3d80dc0f088eb31cf50c42a3fde70c7ebbb96a9f63e40400f434681995b77baa7cbb37ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

Filesize
233B

MD5
d6a975f3b84e977c442ed1db79cdd118

SHA1
07b9a0ed65b0b4302ee6ae83559ec45b79dbe88c

SHA256
8179f24c0a120648eb64e79d433666cbf89f24517b2eb9c4d5109e74a411ec28

SHA512
43bc7b2bb37e1d981286f4431b81cbb1e6f81560bbec44071c6aadcd272572d622be71923470ac77466d8a7dc992ba217aec260a864a27b04f9e8fed2a16f9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
233B

MD5
db6020b25cc901666e2e061e1f420f42

SHA1
3e2f0fbd11df299ad5d7fae150b7ab2c3b78fae7

SHA256
2a6a0231b78d4f8ee03dacdf1ec851fdf0732b04842cf57f5ed2dc1859f07181

SHA512
83169cb93c800d74feb8ebb18946b805bf8f0765a463905bd62ff3e066e169f760dd2ea1ed47717be3be8ae396c2ff2bc582010762b19d3a4d76eb37b2855a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
233B

MD5
876366f64a77f04e148580f2b85667cc

SHA1
f7d1c6f78c3da842ea3460c224db778a258333a1

SHA256
26f7992a95526cb683e4b11b75161ad6ee0afedf39fcd15cd1e9f460cfe72127

SHA512
2f6c6dd194c1ceef7a825fb855a6c9ecde832cce1feb7abf71cfad1135beab19063cacb1637f1920acd43e1fdfcd9cb6ffaa822699607027933101e94b5d9d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
233B

MD5
ba300046bcf866151fbd6535c3d0e8b3

SHA1
f812b019da87748fb65662712d247544ee3b9a00

SHA256
c9ffcd4d63f399bffa2522b9054a21d2813d400712e745119f21d5f90123e55a

SHA512
a9208438af423dbd8084bae5946b1f0d439d100f78b30f49ff745ee60d8d9d54f3f28840482d4c82477648ad479469b20a1b8b3724d580211d91cca0253ab5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
233B

MD5
b11be8750a67261d45cbf83c615ab8dc

SHA1
0fd275fabe832f970813c845d9b8def8f7d1da2a

SHA256
38afab84c31e4f98c479695348520d5a5b1b15672da9b992c01cb667bd37e42c

SHA512
308955271e3935f09e4b6a9b8fe8cf3e592b4c87a317ff1378a9461536df395bf830f72fc9453c9fa82f2a754f8b1615c58d3da4f1c11b5204820d82e4c4d35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oy0hf3ja.1tk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
233B

MD5
7bde9172437490b2dba96a735843adb3

SHA1
73f2fd35297d0d42dace7fa3a6e7264f7cdd542c

SHA256
c40bb302be4d7c527abcf6fffc03dcef03f31ae49f6c509916d09ed2a23f9c97

SHA512
d6c6ff15ea172e6dc11f7878c551aa5972916c04cb6db3c540da52d927b483f8e326f8b3393078233b97cd8a8ced39e2f40ee22fd8d33137450fafa940ce57c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwg06dQqhn.bat

Filesize
233B

MD5
0ae9a4d17626a58213c9dc3468d4e66f

SHA1
fc2ec6023a57f97a4f565d68aedaaee864adae17

SHA256
813b7447dee545588ac2643323043fcacf9e0c24cd91b6900b8f664353ab79b2

SHA512
9841278fd608ade1e95ba6af03b2e0c5d7d4163d676126586b23c71a4a52c630b6f21d9252eb0f6512247294c3776d0b14d6200afeaa37236bea83e4cfc6967a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
233B

MD5
dbb604443c1e3cd370fc7d58cfe217f2

SHA1
b38765f5babbe77d260d4cebe9ad88548a650c0a

SHA256
b7ba2e6b3a8e208c98282bd8c3ec11c9616db20715f9033bd66ff609dde6c821

SHA512
3623ce0943afcfa6ada00f1b459e9b57ad2ff255612196423ddfcc2de94b70eb19863108c1bd5d2432de735f3f272baea60b968a960a24e52e6716db17058ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
233B

MD5
1cbd9e5e2002daf3a868eae03528b03f

SHA1
7db92eb856f10104612abad42043cc6e22f20af0

SHA256
8c6ce419aab3b35c6d4048153cf69ae39d8675b90d0a25de87ef04c7f89e91ee

SHA512
f2a423d53eee3a05c6cc57ab4b9ed876d8f897142e2f3d8688c9f673e109bf9d6bdb956a1790c31bed1e1c49d3fb5b0be0400e5cfe3af978800605f1abb7e333

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/384-226-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/1364-193-0x000002059F800000-0x000002059F94E000-memory.dmp

Filesize
1.3MB

Download
memory/2392-172-0x00000226A7150000-0x00000226A729E000-memory.dmp

Filesize
1.3MB

Download
memory/3096-171-0x00000242C8120000-0x00000242C826E000-memory.dmp

Filesize
1.3MB

Download
memory/3336-17-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/3336-16-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/3336-15-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/3336-14-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/3336-13-0x0000000000700000-0x0000000000810000-memory.dmp

Filesize
1.1MB

Download
memory/3336-12-0x00007FFD7E9F3000-0x00007FFD7E9F5000-memory.dmp

Filesize
8KB

Download
memory/3588-245-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/3592-190-0x00000242F1EE0000-0x00000242F202E000-memory.dmp

Filesize
1.3MB

Download
memory/3844-183-0x000002197AA10000-0x000002197AB5E000-memory.dmp

Filesize
1.3MB

Download
memory/4148-175-0x000002041FFE0000-0x000002042012E000-memory.dmp

Filesize
1.3MB

Download
memory/4168-162-0x00000205F5DE0000-0x00000205F5F2E000-memory.dmp

Filesize
1.3MB

Download
memory/4384-163-0x00000229C84B0000-0x00000229C85FE000-memory.dmp

Filesize
1.3MB

Download
memory/4384-71-0x00000229C82C0000-0x00000229C82E2000-memory.dmp

Filesize
136KB

Download
memory/4388-178-0x0000021875A10000-0x0000021875B5E000-memory.dmp

Filesize
1.3MB

Download
memory/4392-184-0x000002359FD20000-0x000002359FE6E000-memory.dmp

Filesize
1.3MB

Download
memory/4448-170-0x0000022579790000-0x00000225798DE000-memory.dmp

Filesize
1.3MB

Download
memory/4932-189-0x0000022FFF7E0000-0x0000022FFF92E000-memory.dmp

Filesize
1.3MB

Download
memory/5480-197-0x000000001C3D0000-0x000000001C3E2000-memory.dmp

Filesize
72KB

Download
memory/5752-206-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/5952-213-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download