dcrat | 88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
Size

1.3MB
MD5

f668dc616f071b2c96af3e0d2b9a867b
SHA1

2c063fed00886dc3be0018698066c93fb14e9b57
SHA256

88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a
SHA512

ab40d505c5627d32091d6a982207b7080a0cbc2d3b19beee794f82a96aecc1b0da87c3bfb77a27ccdca515e4009cbd7207691be2a8e5bfcb4e27cd475b431460
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1780	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000195ab-10.dat	dcrat
behavioral1/memory/2204-13-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/2068-104-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1908-223-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/2364-283-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/1584-402-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/1228-462-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
552	powershell.exe
2644	powershell.exe
908	powershell.exe
2820	powershell.exe
2412	powershell.exe
1648	powershell.exe
876	powershell.exe
2652	powershell.exe
2920	powershell.exe
2636	powershell.exe
2572	powershell.exe
2888	powershell.exe
1672	powershell.exe
2688	powershell.exe
1620	powershell.exe
576	powershell.exe
2580	powershell.exe
2892	powershell.exe
2308	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2204	DllCommonsvc.exe
2068	csrss.exe
1908	csrss.exe
2364	csrss.exe
1508	csrss.exe
1584	csrss.exe
1228	csrss.exe
584	csrss.exe
2804	csrss.exe
2012	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	cmd.exe
2164	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\schemas\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Web\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\schemas\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\security\audit\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\security\audit\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Web\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1156	schtasks.exe
1688	schtasks.exe
1332	schtasks.exe
2220	schtasks.exe
2508	schtasks.exe
2712	schtasks.exe
2340	schtasks.exe
1220	schtasks.exe
1624	schtasks.exe
1944	schtasks.exe
2660	schtasks.exe
2912	schtasks.exe
1776	schtasks.exe
1724	schtasks.exe
1468	schtasks.exe
2576	schtasks.exe
1188	schtasks.exe
2464	schtasks.exe
1384	schtasks.exe
2324	schtasks.exe
2792	schtasks.exe
684	schtasks.exe
2568	schtasks.exe
2840	schtasks.exe
2724	schtasks.exe
3008	schtasks.exe
2768	schtasks.exe
2312	schtasks.exe
2440	schtasks.exe
1528	schtasks.exe
1404	schtasks.exe
1236	schtasks.exe
2644	schtasks.exe
2884	schtasks.exe
2168	schtasks.exe
2496	schtasks.exe
2140	schtasks.exe
1700	schtasks.exe
3056	schtasks.exe
1436	schtasks.exe
1636	schtasks.exe
3000	schtasks.exe
1216	schtasks.exe
2084	schtasks.exe
2148	schtasks.exe
964	schtasks.exe
1616	schtasks.exe
1588	schtasks.exe
844	schtasks.exe
2136	schtasks.exe
1480	schtasks.exe
2932	schtasks.exe
524	schtasks.exe
388	schtasks.exe
1152	schtasks.exe
2024	schtasks.exe
1748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2204	DllCommonsvc.exe
2068	csrss.exe
1620	powershell.exe
1956	powershell.exe
2636	powershell.exe
2920	powershell.exe
2652	powershell.exe
1648	powershell.exe
2892	powershell.exe
576	powershell.exe
552	powershell.exe
2820	powershell.exe
876	powershell.exe
2412	powershell.exe
2572	powershell.exe
2644	powershell.exe
908	powershell.exe
2580	powershell.exe
1672	powershell.exe
2888	powershell.exe
2688	powershell.exe
2308	powershell.exe
1908	csrss.exe
2364	csrss.exe
1508	csrss.exe
1584	csrss.exe
1228	csrss.exe
584	csrss.exe
2804	csrss.exe
2012	csrss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	DllCommonsvc.exe
Token: SeDebugPrivilege	2068	csrss.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1908	csrss.exe
Token: SeDebugPrivilege	2364	csrss.exe
Token: SeDebugPrivilege	1508	csrss.exe
Token: SeDebugPrivilege	1584	csrss.exe
Token: SeDebugPrivilege	1228	csrss.exe
Token: SeDebugPrivilege	584	csrss.exe
Token: SeDebugPrivilege	2804	csrss.exe
Token: SeDebugPrivilege	2012	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2696	2536	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	30
PID 2536 wrote to memory of 2696	2536	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	30
PID 2536 wrote to memory of 2696	2536	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	30
PID 2536 wrote to memory of 2696	2536	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	30
PID 2696 wrote to memory of 2164	2696	WScript.exe	31
PID 2696 wrote to memory of 2164	2696	WScript.exe	31
PID 2696 wrote to memory of 2164	2696	WScript.exe	31
PID 2696 wrote to memory of 2164	2696	WScript.exe	31
PID 2164 wrote to memory of 2204	2164	cmd.exe	33
PID 2164 wrote to memory of 2204	2164	cmd.exe	33
PID 2164 wrote to memory of 2204	2164	cmd.exe	33
PID 2164 wrote to memory of 2204	2164	cmd.exe	33
PID 2204 wrote to memory of 2636	2204	DllCommonsvc.exe	92
PID 2204 wrote to memory of 2636	2204	DllCommonsvc.exe	92
PID 2204 wrote to memory of 2636	2204	DllCommonsvc.exe	92
PID 2204 wrote to memory of 2820	2204	DllCommonsvc.exe	93
PID 2204 wrote to memory of 2820	2204	DllCommonsvc.exe	93
PID 2204 wrote to memory of 2820	2204	DllCommonsvc.exe	93
PID 2204 wrote to memory of 1620	2204	DllCommonsvc.exe	95
PID 2204 wrote to memory of 1620	2204	DllCommonsvc.exe	95
PID 2204 wrote to memory of 1620	2204	DllCommonsvc.exe	95
PID 2204 wrote to memory of 2412	2204	DllCommonsvc.exe	96
PID 2204 wrote to memory of 2412	2204	DllCommonsvc.exe	96
PID 2204 wrote to memory of 2412	2204	DllCommonsvc.exe	96
PID 2204 wrote to memory of 2308	2204	DllCommonsvc.exe	97
PID 2204 wrote to memory of 2308	2204	DllCommonsvc.exe	97
PID 2204 wrote to memory of 2308	2204	DllCommonsvc.exe	97
PID 2204 wrote to memory of 1648	2204	DllCommonsvc.exe	98
PID 2204 wrote to memory of 1648	2204	DllCommonsvc.exe	98
PID 2204 wrote to memory of 1648	2204	DllCommonsvc.exe	98
PID 2204 wrote to memory of 908	2204	DllCommonsvc.exe	99
PID 2204 wrote to memory of 908	2204	DllCommonsvc.exe	99
PID 2204 wrote to memory of 908	2204	DllCommonsvc.exe	99
PID 2204 wrote to memory of 2688	2204	DllCommonsvc.exe	100
PID 2204 wrote to memory of 2688	2204	DllCommonsvc.exe	100
PID 2204 wrote to memory of 2688	2204	DllCommonsvc.exe	100
PID 2204 wrote to memory of 2644	2204	DllCommonsvc.exe	101
PID 2204 wrote to memory of 2644	2204	DllCommonsvc.exe	101
PID 2204 wrote to memory of 2644	2204	DllCommonsvc.exe	101
PID 2204 wrote to memory of 1672	2204	DllCommonsvc.exe	103
PID 2204 wrote to memory of 1672	2204	DllCommonsvc.exe	103
PID 2204 wrote to memory of 1672	2204	DllCommonsvc.exe	103
PID 2204 wrote to memory of 2888	2204	DllCommonsvc.exe	104
PID 2204 wrote to memory of 2888	2204	DllCommonsvc.exe	104
PID 2204 wrote to memory of 2888	2204	DllCommonsvc.exe	104
PID 2204 wrote to memory of 2892	2204	DllCommonsvc.exe	105
PID 2204 wrote to memory of 2892	2204	DllCommonsvc.exe	105
PID 2204 wrote to memory of 2892	2204	DllCommonsvc.exe	105
PID 2204 wrote to memory of 2920	2204	DllCommonsvc.exe	107
PID 2204 wrote to memory of 2920	2204	DllCommonsvc.exe	107
PID 2204 wrote to memory of 2920	2204	DllCommonsvc.exe	107
PID 2204 wrote to memory of 2580	2204	DllCommonsvc.exe	108
PID 2204 wrote to memory of 2580	2204	DllCommonsvc.exe	108
PID 2204 wrote to memory of 2580	2204	DllCommonsvc.exe	108
PID 2204 wrote to memory of 2652	2204	DllCommonsvc.exe	109
PID 2204 wrote to memory of 2652	2204	DllCommonsvc.exe	109
PID 2204 wrote to memory of 2652	2204	DllCommonsvc.exe	109
PID 2204 wrote to memory of 2572	2204	DllCommonsvc.exe	110
PID 2204 wrote to memory of 2572	2204	DllCommonsvc.exe	110
PID 2204 wrote to memory of 2572	2204	DllCommonsvc.exe	110
PID 2204 wrote to memory of 552	2204	DllCommonsvc.exe	111
PID 2204 wrote to memory of 552	2204	DllCommonsvc.exe	111
PID 2204 wrote to memory of 552	2204	DllCommonsvc.exe	111
PID 2204 wrote to memory of 876	2204	DllCommonsvc.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
"C:\Users\Admin\AppData\Local\Temp\88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\audit\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        6⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2460
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        8⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1548
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        10⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2316
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        12⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2696
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        14⤵
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1008
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        16⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2064
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
        18⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3012
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
        20⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2704
        
        C:\Program Files\Windows Sidebar\csrss.exe
        
        "C:\Program Files\Windows Sidebar\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        22⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\security\audit\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\security\audit\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Web\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c45dc12ade0be28dcc375f4e9495840

SHA1
08c985061eb3cae923e2b8bf4990287539bc4b53

SHA256
dc985d23a0356e202e154d5a7842c343b93c39d56db679441f162a3d8b0fb34c

SHA512
ac701c9601e541a9d9e47516844d0c78bab5ef62813c4645e79e16f7364ed7b7425443ee2b9cbb17bc0fe7a3a35132a9bdbe7e1d432dc5527958d7ce2bb15ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efb02055de1af064610e2fa5b7d7d6d7

SHA1
7f88768444dd39dc9e047ee1056b8b5269b53f85

SHA256
e5e0079aa2a54349cd7104e05d51819e815a29c442fe1ad0c27c25f222b1ce47

SHA512
c9da3191ea28099f9449443b99cdf83c701d7707ae86816c73a68dbf2df4745aeed70f2b5f8e8a0ce1d29270b84bb1d7dd1e17a53ad62cfce6f06ddc5ef067f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
278b89f439db0bae0e8074427a09e808

SHA1
1950b486d33b61256eb43f96f289d5f716c817dd

SHA256
09f5ffe0a30fb93287f44390063f023bdcdf9194bb6eb75803f12792232de8e2

SHA512
0bae0d147c6a4aaa35f23acfb367528739bd9b7101314f6e65770ceea3078129b2c7436e5610cb5b6d6ba049b36f68e3cf6c80c87be8255720ea48cc3e9a235e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
862d1c68066f7107b5ca73d4dfc0020f

SHA1
402a2ed037ce0d849c730f6beb659058df053301

SHA256
e866d579d877da2a54dd02ae227a28bab2661786cb38b376b39cbe4d66dd909d

SHA512
2d8cc31404fc70a5603c059d9923185736662118d4ba3d25f4aa963be03fa33d4d3277c948d0014d2bcbc1627fd47b145663414372298845a5139099a8192861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
476a3a24b9ae3bc709e937125ac1919d

SHA1
54a1eac2fb1ed66447bbb23c9d0673dbc746b82e

SHA256
bf90b473863a5b4692d7b87886da872a517e4bef1d97b237903cff3f26951632

SHA512
f2356b4794a1b2a956c06f9063ce2eca129f23a2f44c68a81ae7a721325a1ba38362af38a3661c869b72becaf6778292d3492bfc701f5c2b9e4d486b6403df91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c62710a77b97708009245fed399db04d

SHA1
0c02b92c8ad0d14a6eb30550cd65e4d46dade694

SHA256
6656055fe61a2efcdf235f3cd480038a1edb2f33c554ffcae6ed3058d06ae913

SHA512
96315a511e4c21aaa60b3c583c7f318c83197526caed20435b5078c9638d5e57a7d2123c6f19ac2152c6deb109564791d70e2347cc8a196a9615c9841e77d1de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24cdb89a44117a85ae4d6a4249434667

SHA1
b1757ed413220e60932c0d408db489fe9ca3bc96

SHA256
55538d392f6190ade997cf81efc2338f9d79184debf07d59e8704938203e764c

SHA512
452c847d18989c848a14a61b7e696573033aa84b2aea7ef9fd681cec0ed833a3a2480b67d8f126b0a8811570eab1ef0268f82bab135dbf5ee6924eef7775c1a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f38711c09e9eac11193f56b0632d28e

SHA1
63afac2f0eedde504150d30f10bae5436ef2483c

SHA256
f250c0eacb881bde092414d2f50c0eac21c9584278158062217c46b7a307cf73

SHA512
de0ffd0aeeb2d750e2eb51a3bac74987b2ac35dc334a40b828c1b88d2799d30c033e84244d364917b15b6a7ccef2c769135f2ddfffc0d9bf43c12bcf3cdffd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DAA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
207B

MD5
d5e3ffa87f203084768973da3f424145

SHA1
c21fe0bb57adb6227911a251d9c4677c29d2ecb2

SHA256
e15053c9f7c1520d398417662174652a7b3755f894cee4642df9b99911b569d1

SHA512
f5e32133d40c1a92e449f8e0556a4ce9cdf12ea5ddde52d8e9b5122231788fd013128f6f5376109cd500e1a1a9f3616e65c8ab13c202fe961b57b8c588a31262

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
207B

MD5
9a0f123724918616cf91b2404208a87c

SHA1
7db0511953e5a02961f6e4b1129edaa6fb637ba0

SHA256
40f1b8e5c2eb1ed713894c3efe4f6199f59c1971f31d23ed5c0316dfeb65bc28

SHA512
64f292a2c94f312c0997d9d44ddd71ccac8c595d0ce4e8a7eefe8880111027544be51ffd30b307b446421538983493c83273cf67b82a9894df5ee965d2c27595

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7EB6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
207B

MD5
9957a2544489e62bc1b66df6fc96efd7

SHA1
4b5a29417eecd90dd531bcbb15d4bd5a00d0b440

SHA256
3ed9218a55bfd4c44954f242a9f2b2bd2eace7f63b102a16b78b71346b0073d8

SHA512
3a63069ea99b4147a44188a8d8ec64339db310c5d8f79657fe50d2bf3f69fbf4d40d15a553a03a9268b8b89062085a1efc19076d2ad3c8271518552ad6c36b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
207B

MD5
af9edbb3fca07760d39a220c2e672dcb

SHA1
5a9bb603a1e8dd5f252a2b99a16fac35b40e1579

SHA256
b57cc42194d93f06125cda5551f9708267eadacb3408edf88ca772c8b07c088c

SHA512
76ab2e0966df4d63301c96faa06928d5ed1b0aae434849aa2e6130f33daf2651a0849ef23beb14287ce1de641ddfd43afb85e53a643d10f7abd0b9b657fdd15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

Filesize
207B

MD5
edf01196175d65a96dfc2f6067383d77

SHA1
43b758ce4d1847242c5fe7324b7df42e129e8f58

SHA256
bd4805c07e61a6d9e82e47fa06d4a578152e8073283c235b6d72a58cd4aa7383

SHA512
512ea31ac914ea9c73c359462f32a1b307182b0d47607ee84f49101e41961925835bfd16130659c1c5258973c865e33cfb60c31b069246f840300a5d161bdff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat

Filesize
207B

MD5
a519849adf707c36ccf29cf5e86b5856

SHA1
85ffa585a0d676e80c4003c38e518a3ed66d781b

SHA256
cf2c00058aac62d91c52f8226f89b5c67f0877278975a0a5c379601fc0ba43ed

SHA512
986ac37128af7d00cae8f78fed6ae30d181e194b2ed6ad1c0818cbab8ff3f4ac3590e41ed9cb7128f696b0a9e24afe7baef709b82098fe5a1a5605fd90f44469

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
207B

MD5
ee9ded0244ad2562597d473950e835fc

SHA1
23c7a9699fc6c91fd3dfaa162994132189a19b0f

SHA256
13ca5580e67c4ebd3e4f8941d7864de883a559c77af98c51488e08863e0d3475

SHA512
899f960d473c89f4d6bb02fd1640648bcf99a750dd1214968214f79e7034a7624cc22b06892e52f6cc651698c80ab749cb910c5979ecdce19c8ee4e41867f475

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
207B

MD5
ad9919e8d54cc345e63cc898a2adac9a

SHA1
c95598c684536a70b53a0e74a6ff73a559d80a9b

SHA256
6ceb7896c0e10884ce41348e064308e473765cfa10cd34f75eff12ecd4ff4027

SHA512
9bedcabdd8fe513c395c982ad61640019b4b17d9fc315794b09803456f80a8a0ca784cb6dd61245a1a1349f6021237c6cd8a4f8cc394474add35710ff53c3bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
207B

MD5
e894d3629e6af82fadcfea2ad151e6d7

SHA1
02216905a4987dec9ec7f53bb2c6e9fb2b3d899e

SHA256
6e4859878b8873267a84522da250f0d5c7b41d44109e874a37e1402086f72f25

SHA512
b5499351b6210c389c39cdd2ef67e109e785205668a6bec2a2e52ebdebbf2a03ce1a0a9b4b5a3e55e2e0d734301138593a9a4deaf3f0debfe0f1ad801d2f036e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63449e1cd3a0d6116f90db9044e776ef

SHA1
76993e0ce40b6eabec3cc449e6008331d8e5712f

SHA256
04b2ad10148d3216bd7a2906ee2dc2cef386d3de1e91ca57d8e9133276458674

SHA512
a5c6d9e521df8269027c6781d03c16dcd8cc1c336860d14e602ba5d96e6239c4522cb5655717f1e7f3f0a338169e303487a4e01e762068d74bc1e39a937a3c48

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1228-462-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1228-463-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1584-402-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/1620-126-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/1620-129-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1908-223-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2068-125-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2068-104-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2204-17-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2204-16-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2204-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2204-14-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2204-13-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2364-283-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2804-582-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download