dcrat | 0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe
Size

1.3MB
MD5

b06c822d2a7b27f04fd6c8716345f8cd
SHA1

3a4ae683ce1ffc2b59df8a42fbb3e8aeb6d7d66e
SHA256

0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a
SHA512

58352add0bd03f43f91bae84456e2a9cd9ee0f194a82c7d0cdf52b31f1c489efb352a1157aac4dd21938a87d232117d75c3e459ab2cf6ab7ce1040cbd7adfff6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2796	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000f000000018662-9.dat	dcrat
behavioral1/memory/2628-13-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/960-136-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2376-196-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/3040-316-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2088-376-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/2624-436-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/1928-615-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1624-675-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/2476-736-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
900	powershell.exe
2104	powershell.exe
2324	powershell.exe
2752	powershell.exe
2856	powershell.exe
3052	powershell.exe
2196	powershell.exe
2188	powershell.exe
2876	powershell.exe
1576	powershell.exe
2516	powershell.exe
1648	powershell.exe
904	powershell.exe
2132	powershell.exe
2504	powershell.exe
1808	powershell.exe
2976	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2628	DllCommonsvc.exe
960	sppsvc.exe
2376	sppsvc.exe
2980	sppsvc.exe
3040	sppsvc.exe
2088	sppsvc.exe
2624	sppsvc.exe
1684	sppsvc.exe
2800	sppsvc.exe
1928	sppsvc.exe
1624	sppsvc.exe
2476	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	cmd.exe
2872	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Java\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0006\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Corporate\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Corporate\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\SchCache\services.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe
1972	schtasks.exe
2436	schtasks.exe
1868	schtasks.exe
2484	schtasks.exe
2804	schtasks.exe
2848	schtasks.exe
1096	schtasks.exe
1512	schtasks.exe
1620	schtasks.exe
2712	schtasks.exe
2552	schtasks.exe
2296	schtasks.exe
2396	schtasks.exe
1428	schtasks.exe
1776	schtasks.exe
2412	schtasks.exe
2288	schtasks.exe
2672	schtasks.exe
2824	schtasks.exe
1624	schtasks.exe
608	schtasks.exe
2304	schtasks.exe
1552	schtasks.exe
2292	schtasks.exe
2744	schtasks.exe
2592	schtasks.exe
1820	schtasks.exe
2156	schtasks.exe
844	schtasks.exe
1112	schtasks.exe
2192	schtasks.exe
1328	schtasks.exe
1608	schtasks.exe
1032	schtasks.exe
1336	schtasks.exe
2248	schtasks.exe
1540	schtasks.exe
3020	schtasks.exe
2348	schtasks.exe
2668	schtasks.exe
1704	schtasks.exe
1724	schtasks.exe
1488	schtasks.exe
2364	schtasks.exe
1652	schtasks.exe
2864	schtasks.exe
1732	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
960	sppsvc.exe
2376	sppsvc.exe
2980	sppsvc.exe
3040	sppsvc.exe
2088	sppsvc.exe
2624	sppsvc.exe
1684	sppsvc.exe
2800	sppsvc.exe
1928	sppsvc.exe
1624	sppsvc.exe
2476	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2188	powershell.exe
900	powershell.exe
2876	powershell.exe
2856	powershell.exe
1808	powershell.exe
2752	powershell.exe
904	powershell.exe
2976	powershell.exe
1648	powershell.exe
2104	powershell.exe
2196	powershell.exe
1576	powershell.exe
2504	powershell.exe
2516	powershell.exe
2132	powershell.exe
2324	powershell.exe
960	sppsvc.exe
2376	sppsvc.exe
2980	sppsvc.exe
3040	sppsvc.exe
2088	sppsvc.exe
2624	sppsvc.exe
1684	sppsvc.exe
2800	sppsvc.exe
1928	sppsvc.exe
1624	sppsvc.exe
2476	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	DllCommonsvc.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	960	sppsvc.exe
Token: SeDebugPrivilege	2376	sppsvc.exe
Token: SeDebugPrivilege	2980	sppsvc.exe
Token: SeDebugPrivilege	3040	sppsvc.exe
Token: SeDebugPrivilege	2088	sppsvc.exe
Token: SeDebugPrivilege	2624	sppsvc.exe
Token: SeDebugPrivilege	1684	sppsvc.exe
Token: SeDebugPrivilege	2800	sppsvc.exe
Token: SeDebugPrivilege	1928	sppsvc.exe
Token: SeDebugPrivilege	1624	sppsvc.exe
Token: SeDebugPrivilege	2476	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2480	2976	0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe	30
PID 2976 wrote to memory of 2480	2976	0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe	30
PID 2976 wrote to memory of 2480	2976	0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe	30
PID 2976 wrote to memory of 2480	2976	0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe	30
PID 2480 wrote to memory of 2872	2480	WScript.exe	31
PID 2480 wrote to memory of 2872	2480	WScript.exe	31
PID 2480 wrote to memory of 2872	2480	WScript.exe	31
PID 2480 wrote to memory of 2872	2480	WScript.exe	31
PID 2872 wrote to memory of 2628	2872	cmd.exe	33
PID 2872 wrote to memory of 2628	2872	cmd.exe	33
PID 2872 wrote to memory of 2628	2872	cmd.exe	33
PID 2872 wrote to memory of 2628	2872	cmd.exe	33
PID 2628 wrote to memory of 904	2628	DllCommonsvc.exe	83
PID 2628 wrote to memory of 904	2628	DllCommonsvc.exe	83
PID 2628 wrote to memory of 904	2628	DllCommonsvc.exe	83
PID 2628 wrote to memory of 900	2628	DllCommonsvc.exe	84
PID 2628 wrote to memory of 900	2628	DllCommonsvc.exe	84
PID 2628 wrote to memory of 900	2628	DllCommonsvc.exe	84
PID 2628 wrote to memory of 2188	2628	DllCommonsvc.exe	85
PID 2628 wrote to memory of 2188	2628	DllCommonsvc.exe	85
PID 2628 wrote to memory of 2188	2628	DllCommonsvc.exe	85
PID 2628 wrote to memory of 2876	2628	DllCommonsvc.exe	86
PID 2628 wrote to memory of 2876	2628	DllCommonsvc.exe	86
PID 2628 wrote to memory of 2876	2628	DllCommonsvc.exe	86
PID 2628 wrote to memory of 3052	2628	DllCommonsvc.exe	89
PID 2628 wrote to memory of 3052	2628	DllCommonsvc.exe	89
PID 2628 wrote to memory of 3052	2628	DllCommonsvc.exe	89
PID 2628 wrote to memory of 1576	2628	DllCommonsvc.exe	90
PID 2628 wrote to memory of 1576	2628	DllCommonsvc.exe	90
PID 2628 wrote to memory of 1576	2628	DllCommonsvc.exe	90
PID 2628 wrote to memory of 1648	2628	DllCommonsvc.exe	92
PID 2628 wrote to memory of 1648	2628	DllCommonsvc.exe	92
PID 2628 wrote to memory of 1648	2628	DllCommonsvc.exe	92
PID 2628 wrote to memory of 2196	2628	DllCommonsvc.exe	94
PID 2628 wrote to memory of 2196	2628	DllCommonsvc.exe	94
PID 2628 wrote to memory of 2196	2628	DllCommonsvc.exe	94
PID 2628 wrote to memory of 2324	2628	DllCommonsvc.exe	96
PID 2628 wrote to memory of 2324	2628	DllCommonsvc.exe	96
PID 2628 wrote to memory of 2324	2628	DllCommonsvc.exe	96
PID 2628 wrote to memory of 2104	2628	DllCommonsvc.exe	98
PID 2628 wrote to memory of 2104	2628	DllCommonsvc.exe	98
PID 2628 wrote to memory of 2104	2628	DllCommonsvc.exe	98
PID 2628 wrote to memory of 2976	2628	DllCommonsvc.exe	100
PID 2628 wrote to memory of 2976	2628	DllCommonsvc.exe	100
PID 2628 wrote to memory of 2976	2628	DllCommonsvc.exe	100
PID 2628 wrote to memory of 2516	2628	DllCommonsvc.exe	101
PID 2628 wrote to memory of 2516	2628	DllCommonsvc.exe	101
PID 2628 wrote to memory of 2516	2628	DllCommonsvc.exe	101
PID 2628 wrote to memory of 1808	2628	DllCommonsvc.exe	103
PID 2628 wrote to memory of 1808	2628	DllCommonsvc.exe	103
PID 2628 wrote to memory of 1808	2628	DllCommonsvc.exe	103
PID 2628 wrote to memory of 2504	2628	DllCommonsvc.exe	104
PID 2628 wrote to memory of 2504	2628	DllCommonsvc.exe	104
PID 2628 wrote to memory of 2504	2628	DllCommonsvc.exe	104
PID 2628 wrote to memory of 2132	2628	DllCommonsvc.exe	105
PID 2628 wrote to memory of 2132	2628	DllCommonsvc.exe	105
PID 2628 wrote to memory of 2132	2628	DllCommonsvc.exe	105
PID 2628 wrote to memory of 2752	2628	DllCommonsvc.exe	106
PID 2628 wrote to memory of 2752	2628	DllCommonsvc.exe	106
PID 2628 wrote to memory of 2752	2628	DllCommonsvc.exe	106
PID 2628 wrote to memory of 2856	2628	DllCommonsvc.exe	107
PID 2628 wrote to memory of 2856	2628	DllCommonsvc.exe	107
PID 2628 wrote to memory of 2856	2628	DllCommonsvc.exe	107
PID 2628 wrote to memory of 1984	2628	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe
"C:\Users\Admin\AppData\Local\Temp\0bf7a174df6da07fc3e5d33e91e30b61b7482b88657e47e258236e1722cadd8a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Corporate\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCmM9kmlmd.bat"
        5⤵
        
        PID:1984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2824
      - C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2520
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        9⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"
        11⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        13⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:236
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        15⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2756
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
        17⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2876
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        19⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        21⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:776
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        23⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1964
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
        25⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2836
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        27⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Corporate\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\Corporate\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23c755e850c1969e2860cf6dce765c15

SHA1
e71524410feba04b93e8046fd6170441f494b72b

SHA256
359e5037fcde43bccefe38d730210eb4881e206f1a9e5282d37f1cc48e370325

SHA512
e229873b1878d5cabd26ee4358975f1f1de1501401e53510b8407f8220672e6cf946997810905867f141007a00acfe186ed0569ca8fdede6ea24409476999ca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b81b33dcbf0f98c7f6dac497dc24939

SHA1
c4a24463c0da179820f091669043736c5c3a1f8b

SHA256
11f33cea0599b08e484b2c8012c4166186c74c50c753880a39a693a0a888d988

SHA512
649577faa6c565aa83da93058f8d618456e80f683e1b59ff5688e32072770b3e3f4434be150e1b1549c3e08421461810b40d1670d12a135bd00dddce3fd1fb54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7877c3579cb6f72005cc036726ae46d7

SHA1
e2f7411cc85fe73a1f1041135c8e496a4acf1bb4

SHA256
5b3255e25d2d23e43e5930dc7f0df417f9c62876bbfd17f2d0901bebe9de49e4

SHA512
af381cd7def8b670814f1549cce61b5c130d28230e1fd5e2173211afe385448d37239e6f5447af216c58eea59c203dd933fc80eaeb93c0168d162fdddb4e1738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d0029959a794571ef068f1e0d93cf49

SHA1
cdc12fa837ce3d92721f1f224552215b177b92cd

SHA256
130b1e2c41d32fbf82cca7a519fa90ca313e591279a92dd42c2c901895fcd690

SHA512
400ed1c6268efc07a1f98625ebeccde3b109b3c8db71bf4ccdf0d233eb5bbfccd78b3b0fa9aa384ba8ed2b7568909d7c22b6305a254736a41dd7928c7a4ed5d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9971c039d606166305caaa9a2de86afd

SHA1
74e7c07119e7ba494dcfc048be668aecc9a23c7e

SHA256
70026d9979bde2a706ccbfa53fe3c03f36713b434cc1b9432188a4e267ab7b2c

SHA512
5dc536d6f7e6684e594766cbc3e8504e3373c10f5fbb0cebc46cdad415eb5c9bc5f1024496af737f512018fc4fbdd66844ddb39ea4f6e49e30dcf085c9083157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8808b344a86bba10bf0d95765dea354

SHA1
ef0011d262e1a15b9b76d95203e1751c746d5c30

SHA256
9823cc931a06368f3a8704ab2c18017c7daf47c388c8f80a689c891b46329d71

SHA512
466101c0ed0758cda960faafe5b5459d8039e448d19a0eb9c7ae106d879ad83503d6acdf0fd4f3bc81221dc63fec6d5a82e1ad5ff1bf9a8ea9c0a986e8eac3ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d779e22595ccf6b6a67d90245617cc

SHA1
eeb7583ebbe65f012aad2a24c0344642c963bf57

SHA256
4a4c7f32505d949230129c3b67330b459734e80a02324eac689bc8ee1a954f5f

SHA512
af624c7ad6ff58ff9060e7bfc445ed060e6fc9e1725555cf3b6e657b8cf0716c97282228268b0518d16a1892ef38942ffebdbc0a6f1d1073aafd3e869f43134a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6170c08f9af912394f25814439f4d3ba

SHA1
eb8bcd19578526c49473c10d6e0ec2f6a327162c

SHA256
1a81e264e1436ba86a5b232f374ed91415338fbdab6c4ca2201e64db152f9416

SHA512
6082dfafc956f122ece36342f7eaa5dceaff30026be7b919beef050e1850e4d834f275817dd81eb11b1115375fde5d55acf14b6f04cc8b27a4bde6b240f58a9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7ecf82ea25c1795fa0aa45f221942a0

SHA1
1bdb21b8c19ee6dfb2ed25981f78e2424b72b5b8

SHA256
50548db763bea745c4c7407987e657e4795f47e8dae4e68ac0d49ca634b39874

SHA512
694671182057f2c4ad92da29d4afa3c43def00747ec04b1bb6edd359f0fe685dc04a61aa0f8b044e056bb386b940c1c38c76136daeb5acf4b4ffcb2fffc13923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377670d134c737a86dba58d432401857

SHA1
0213bd5183c607975c8c709c1b9ecd56c553fbe5

SHA256
ba2789e7451a2ab3a834045fbd3fc586445309699d312965bab31dd181be9f34

SHA512
3d42dc2cc54e1e5a6e1cd81067082a287317a416a965015f5ebfc7f48ba9a4fd01aeb99498d6ed7a77da52dd1df2c02f803dfe989f28f99a4b00fcb9deb365b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

Filesize
224B

MD5
9fa890bff38bf8f52b5e96bfca96d9da

SHA1
ba042500ca3dc9d9c95af99f1599b3269455edf2

SHA256
c1bdf61a2cf39357731a44f83f03c9a1b73e0d0373746b0846f938aa74970823

SHA512
a4668649b5e4aed7b761f1f9fb6edc5ec595f5b29deb3cfd85ce7afa5da357e32b165794791be620d32675d38f6bcc184c52045ccd5f8211edd21e63d572cc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
224B

MD5
78b8a91f10fa2dce7a1525f37ffa6413

SHA1
cfc5ec22dc7c93010c46f2fc75b3b72ce9fa1677

SHA256
a73bd2e652783aeee67c2db631041d107e91f72a796a3fa6a88311c4da8f9183

SHA512
71f602eedc2f4e54a1bccd9fb32b374f9e6cfa8df1b0ef30a43952a7428b0d6586c41cd931a18509a3100b1d15122fab8690285424f955c29fb27917c2b9b679

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
224B

MD5
c639a8a13be62c6f4351b5e0a677e9b2

SHA1
5addc917744dca9e35c57ae69a77f3f74fdc5ba5

SHA256
c1e5dd41d873dd16e6dc6c2cad86fe88a511d951fcefe0090f3beb6971444f79

SHA512
b5500eaac89d848d563648ca86c11289dc3df272255d2bf3a8a0773b568c7f56afe1492759334b0301a90a563a63cdae054d4375f7243d3b99201dc8c86b6eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat

Filesize
224B

MD5
861623303140667c73d203c6d85287d5

SHA1
c887b5d27ef762cb55b5a49f285cfe746dd7f4a4

SHA256
0fbd6c57bb187b86fc94eb4c9fc70e151188ff81216f3b54e659c58864d6c42a

SHA512
c02fbd7ef588dbadf9493d1bd21e8ad0c00d0af63718dd586452aea16757543e26e67af57a1f9b97dfb958a14a9903e78e87503d02e2fd314a17f572178b1039

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
224B

MD5
63f32e035bf00ec9ea6e2eef34dab9b6

SHA1
37ff7f164c31eca88d6fb572d40031025f4f4834

SHA256
4aa2cc2cd01ea787bb344b8d8c089005efb050155c2f4092eab1109d8475e324

SHA512
0947e750797d19632d15a11ded080451b6c1352d961c82e6e63e641d4664d4d98f3d369d693c29179634756fd7ca01580e44fb7be4d8571c0acf8bb446e90a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF05A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

Filesize
224B

MD5
fbd7a74df924b105680fb6e01aae8f1d

SHA1
10113e580af30bf77ddbb1ff87bd7954b0827fd5

SHA256
a672c991d900e01cc875bdc140b12ef8e600c2a4e88673983d685fa29d9d1681

SHA512
f4655fc1dba4a2e8aee2031a53f3a6bef84b796f4546fd9ffaaa9eb0b274cf7d7da1e72eb5b44b82342f188e96e81edd21d1ae8b84d4137560d782ea47c30150

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCmM9kmlmd.bat

Filesize
224B

MD5
d44d40abc7ed9bd3398fdd91582e9858

SHA1
a8b5b173cf2d309b568cdbe1708ce27b66b822f0

SHA256
083de4269a877d4c2e460724a03392f46f6c7c6d908a0fc846e50067170fc741

SHA512
2ed4480c5aa17c14cde7a5a5a69961c317e5a51a4f752aac48116c3023cb733bf8880aa635212add3c8cc5dacebab35e780b370cfa71c8a328571b3cec26e86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
224B

MD5
a849812a9d91d6744cc624c1e0c49b74

SHA1
cae4526d5dbeb906fca67bf40bdf4702d014fb0d

SHA256
a437dee0b18aafabe2fa98c34a6fbcd4d70786eeb68215ecd43c01e58da33697

SHA512
bcb144846c0a7422d097ad38e9fc4358e7e888d0dd1ef004c4284cb62b5ad669cde5229b35947c29db5558000887b97fd3274dc77f5cb985ef58d2a821671065

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF07C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
224B

MD5
e8fe5097ed6b8d18de22bc20924a91f6

SHA1
2bcd1d16963818ff7a2c04be82017cc5cfe09129

SHA256
c9ba41ced0f13fae1cb255d3ea78e1ed8acaa8e9b93e39b8f213be3e186c632a

SHA512
fa76b5f3787fe6bb3c1f3d1c86c361ccbaf6ebbdf908b08416fc5dd7006483ba1619567dd0b0051caacda9796706458f32cf7d4efe64a8fc5d13b5f040802543

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
224B

MD5
a689c7a24a6701c5ddb1cc2c75e1274b

SHA1
94c2f567336295f73cb9ea58718569c5d9c9adfc

SHA256
e5468195dc78bd4196a15c6beeaa6b825a5f625113a5ae7983e22f95958fb5e1

SHA512
38bca055362d6f117c533229cd4a26bc0aa573cfc6c2ccf1f31c3c842a27409123e1b68f887786b37da97af40cc10defa0ab8a8c0f0abbeccc6c18a9b24a698f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

Filesize
224B

MD5
d49b2a6307a5d0f271720249c58f389b

SHA1
4912cff5f673ae4de7d86a86ab6409acab189596

SHA256
b90ed8f3ca13b6932bd364fb1a14d7b6568ee741f0944c9b84426e3791f16fc7

SHA512
cd764e45935ff900e1c3b297c2715f1acd87660803def5e77c3f0f826bab39a64a1ca6388fa1bd0dc84c1f9ad2a52a6e3e95ddfe7d6759c5e875190889add5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
224B

MD5
168cdbcdbb3f36618c21654629373c91

SHA1
86cca74bc83d6e10340ea221490d77fd32818ba2

SHA256
5e404377b7e8b4464579346a98c9d9771f0779b234d0c9f45908611c4f6f107e

SHA512
b7894d6001ebed121e30105916121d862d30882fc6bf6a2008301041a22a49841a85c909b1731c488a1cabf016468f186456f1820865f3fd09b9668c7ea8c7c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
051cf9a8c321ec710f905f67437595e0

SHA1
140b3e5bbf62b4fde946449afd9f73c1592f5062

SHA256
423e217d156d1f75c57f95aeaa896326e9262e3a4b4a0e86e386e85900b9e844

SHA512
b5b71eb1e1b4b9d40b505ee732746a9961b0f846487a5a800e654a7644170bf497e3890e2446fa9cc6fb3826008a4a6f70b21604fefb055fec81c68f0b89f932

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/960-136-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/960-137-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/1624-675-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/1624-676-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1928-615-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2088-376-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/2188-75-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download
memory/2188-59-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2376-197-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2376-196-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2476-736-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2624-436-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2628-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2628-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2628-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2628-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2628-13-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2800-555-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3040-316-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download