dcrat | 5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2

Analysis

max time kernel
147s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe
Size

1.3MB
MD5

bdd6e6123895841fad06a85488a939d8
SHA1

23d39f7a34945aff2e66751aaef6f798f7663c81
SHA256

5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2
SHA512

d70f43f1c917b94c91a52c1c011eea806384ed312d228446766fde2a31792c1a79e82fb4ac3b6810e8feb2c1d1cb4adb778d511979eb2b79e47eb11d72ce8b01
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4792	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	4792	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000400000001ac49-283.dat	dcrat
behavioral1/files/0x000400000001ac49-284.dat	dcrat
behavioral1/memory/4068-285-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5d-323.dat	dcrat
behavioral1/files/0x000600000001ac5d-322.dat	dcrat
behavioral1/files/0x000600000001ac5d-685.dat	dcrat
behavioral1/files/0x000600000001ac5d-692.dat	dcrat
behavioral1/files/0x000600000001ac5d-697.dat	dcrat
behavioral1/files/0x000600000001ac5d-703.dat	dcrat
behavioral1/files/0x000600000001ac5d-709.dat	dcrat
behavioral1/files/0x000600000001ac5d-714.dat	dcrat
behavioral1/files/0x000600000001ac5d-719.dat	dcrat
behavioral1/files/0x000600000001ac5d-724.dat	dcrat
behavioral1/files/0x000600000001ac5d-730.dat	dcrat
behavioral1/files/0x000600000001ac5d-735.dat	dcrat
behavioral1/files/0x000600000001ac5d-740.dat	dcrat
behavioral1/files/0x000600000001ac5d-745.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
4068	DllCommonsvc.exe
3868	dwm.exe
3860	dwm.exe
1528	dwm.exe
4688	dwm.exe
4480	dwm.exe
4024	dwm.exe
364	dwm.exe
5068	dwm.exe
2496	dwm.exe
4052	dwm.exe
4780	dwm.exe
3196	dwm.exe
5032	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office16\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\e6c9b481da804f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\SchCache\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4460	schtasks.exe
4916	schtasks.exe
916	schtasks.exe
1044	schtasks.exe
424	schtasks.exe
4484	schtasks.exe
4244	schtasks.exe
4912	schtasks.exe
4696	schtasks.exe
1556	schtasks.exe
1620	schtasks.exe
3060	schtasks.exe
864	schtasks.exe
2024	schtasks.exe
1528	schtasks.exe
3864	schtasks.exe
4684	schtasks.exe
3672	schtasks.exe
4000	schtasks.exe
4676	schtasks.exe
1356	schtasks.exe
4900	schtasks.exe
512	schtasks.exe
696	schtasks.exe
912	schtasks.exe
4104	schtasks.exe
3236	schtasks.exe
4732	schtasks.exe
1696	schtasks.exe
2052	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
2364	powershell.exe
2364	powershell.exe
1192	powershell.exe
1192	powershell.exe
2364	powershell.exe
1192	powershell.exe
3400	powershell.exe
3400	powershell.exe
3380	powershell.exe
3380	powershell.exe
1048	powershell.exe
3356	powershell.exe
3356	powershell.exe
2364	powershell.exe
308	powershell.exe
308	powershell.exe
2720	powershell.exe
2720	powershell.exe
2464	powershell.exe
2464	powershell.exe
3868	dwm.exe
3868	dwm.exe
2496	powershell.exe
2496	powershell.exe
3400	powershell.exe
1192	powershell.exe
4980	powershell.exe
4980	powershell.exe
3380	powershell.exe
2720	powershell.exe
3400	powershell.exe
3356	powershell.exe
3380	powershell.exe
2720	powershell.exe
3356	powershell.exe
308	powershell.exe
2496	powershell.exe
4980	powershell.exe
2464	powershell.exe
308	powershell.exe
2496	powershell.exe
4980	powershell.exe
2464	powershell.exe
3860	dwm.exe
1528	dwm.exe
4688	dwm.exe
4480	dwm.exe
4024	dwm.exe
364	dwm.exe
5068	dwm.exe
2496	dwm.exe
4052	dwm.exe
4780	dwm.exe
3196	dwm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	DllCommonsvc.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	3868	dwm.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1048	powershell.exe
Token: SeSecurityPrivilege	1048	powershell.exe
Token: SeTakeOwnershipPrivilege	1048	powershell.exe
Token: SeLoadDriverPrivilege	1048	powershell.exe
Token: SeSystemProfilePrivilege	1048	powershell.exe
Token: SeSystemtimePrivilege	1048	powershell.exe
Token: SeProfSingleProcessPrivilege	1048	powershell.exe
Token: SeIncBasePriorityPrivilege	1048	powershell.exe
Token: SeCreatePagefilePrivilege	1048	powershell.exe
Token: SeBackupPrivilege	1048	powershell.exe
Token: SeRestorePrivilege	1048	powershell.exe
Token: SeShutdownPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeSystemEnvironmentPrivilege	1048	powershell.exe
Token: SeRemoteShutdownPrivilege	1048	powershell.exe
Token: SeUndockPrivilege	1048	powershell.exe
Token: SeManageVolumePrivilege	1048	powershell.exe
Token: 33	1048	powershell.exe
Token: 34	1048	powershell.exe
Token: 35	1048	powershell.exe
Token: 36	1048	powershell.exe
Token: SeIncreaseQuotaPrivilege	2364	powershell.exe
Token: SeSecurityPrivilege	2364	powershell.exe
Token: SeTakeOwnershipPrivilege	2364	powershell.exe
Token: SeLoadDriverPrivilege	2364	powershell.exe
Token: SeSystemProfilePrivilege	2364	powershell.exe
Token: SeSystemtimePrivilege	2364	powershell.exe
Token: SeProfSingleProcessPrivilege	2364	powershell.exe
Token: SeIncBasePriorityPrivilege	2364	powershell.exe
Token: SeCreatePagefilePrivilege	2364	powershell.exe
Token: SeBackupPrivilege	2364	powershell.exe
Token: SeRestorePrivilege	2364	powershell.exe
Token: SeShutdownPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeSystemEnvironmentPrivilege	2364	powershell.exe
Token: SeRemoteShutdownPrivilege	2364	powershell.exe
Token: SeUndockPrivilege	2364	powershell.exe
Token: SeManageVolumePrivilege	2364	powershell.exe
Token: 33	2364	powershell.exe
Token: 34	2364	powershell.exe
Token: 35	2364	powershell.exe
Token: 36	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	1192	powershell.exe
Token: SeSecurityPrivilege	1192	powershell.exe
Token: SeTakeOwnershipPrivilege	1192	powershell.exe
Token: SeLoadDriverPrivilege	1192	powershell.exe
Token: SeSystemProfilePrivilege	1192	powershell.exe
Token: SeSystemtimePrivilege	1192	powershell.exe
Token: SeProfSingleProcessPrivilege	1192	powershell.exe
Token: SeIncBasePriorityPrivilege	1192	powershell.exe
Token: SeCreatePagefilePrivilege	1192	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3724	4248	5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe	66
PID 4248 wrote to memory of 3724	4248	5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe	66
PID 4248 wrote to memory of 3724	4248	5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe	66
PID 3724 wrote to memory of 4736	3724	WScript.exe	67
PID 3724 wrote to memory of 4736	3724	WScript.exe	67
PID 3724 wrote to memory of 4736	3724	WScript.exe	67
PID 4736 wrote to memory of 4068	4736	cmd.exe	69
PID 4736 wrote to memory of 4068	4736	cmd.exe	69
PID 4068 wrote to memory of 2364	4068	DllCommonsvc.exe	101
PID 4068 wrote to memory of 2364	4068	DllCommonsvc.exe	101
PID 4068 wrote to memory of 1048	4068	DllCommonsvc.exe	109
PID 4068 wrote to memory of 1048	4068	DllCommonsvc.exe	109
PID 4068 wrote to memory of 1192	4068	DllCommonsvc.exe	103
PID 4068 wrote to memory of 1192	4068	DllCommonsvc.exe	103
PID 4068 wrote to memory of 3400	4068	DllCommonsvc.exe	104
PID 4068 wrote to memory of 3400	4068	DllCommonsvc.exe	104
PID 4068 wrote to memory of 3380	4068	DllCommonsvc.exe	106
PID 4068 wrote to memory of 3380	4068	DllCommonsvc.exe	106
PID 4068 wrote to memory of 3356	4068	DllCommonsvc.exe	110
PID 4068 wrote to memory of 3356	4068	DllCommonsvc.exe	110
PID 4068 wrote to memory of 308	4068	DllCommonsvc.exe	113
PID 4068 wrote to memory of 308	4068	DllCommonsvc.exe	113
PID 4068 wrote to memory of 2720	4068	DllCommonsvc.exe	111
PID 4068 wrote to memory of 2720	4068	DllCommonsvc.exe	111
PID 4068 wrote to memory of 2464	4068	DllCommonsvc.exe	115
PID 4068 wrote to memory of 2464	4068	DllCommonsvc.exe	115
PID 4068 wrote to memory of 2496	4068	DllCommonsvc.exe	116
PID 4068 wrote to memory of 2496	4068	DllCommonsvc.exe	116
PID 4068 wrote to memory of 4980	4068	DllCommonsvc.exe	117
PID 4068 wrote to memory of 4980	4068	DllCommonsvc.exe	117
PID 4068 wrote to memory of 3868	4068	DllCommonsvc.exe	120
PID 4068 wrote to memory of 3868	4068	DllCommonsvc.exe	120
PID 3868 wrote to memory of 2968	3868	dwm.exe	125
PID 3868 wrote to memory of 2968	3868	dwm.exe	125
PID 2968 wrote to memory of 1996	2968	cmd.exe	127
PID 2968 wrote to memory of 1996	2968	cmd.exe	127
PID 2968 wrote to memory of 3860	2968	cmd.exe	128
PID 2968 wrote to memory of 3860	2968	cmd.exe	128
PID 3860 wrote to memory of 2380	3860	dwm.exe	129
PID 3860 wrote to memory of 2380	3860	dwm.exe	129
PID 2380 wrote to memory of 1740	2380	cmd.exe	131
PID 2380 wrote to memory of 1740	2380	cmd.exe	131
PID 2380 wrote to memory of 1528	2380	cmd.exe	132
PID 2380 wrote to memory of 1528	2380	cmd.exe	132
PID 1528 wrote to memory of 4600	1528	dwm.exe	133
PID 1528 wrote to memory of 4600	1528	dwm.exe	133
PID 4600 wrote to memory of 1352	4600	cmd.exe	135
PID 4600 wrote to memory of 1352	4600	cmd.exe	135
PID 4600 wrote to memory of 4688	4600	cmd.exe	136
PID 4600 wrote to memory of 4688	4600	cmd.exe	136
PID 4688 wrote to memory of 2316	4688	dwm.exe	137
PID 4688 wrote to memory of 2316	4688	dwm.exe	137
PID 2316 wrote to memory of 3684	2316	cmd.exe	139
PID 2316 wrote to memory of 3684	2316	cmd.exe	139
PID 2316 wrote to memory of 4480	2316	cmd.exe	140
PID 2316 wrote to memory of 4480	2316	cmd.exe	140
PID 4480 wrote to memory of 5044	4480	dwm.exe	141
PID 4480 wrote to memory of 5044	4480	dwm.exe	141
PID 5044 wrote to memory of 4400	5044	cmd.exe	143
PID 5044 wrote to memory of 4400	5044	cmd.exe	143
PID 5044 wrote to memory of 4024	5044	cmd.exe	144
PID 5044 wrote to memory of 4024	5044	cmd.exe	144
PID 4024 wrote to memory of 4072	4024	dwm.exe	145
PID 4024 wrote to memory of 4072	4024	dwm.exe	145

C:\Users\Admin\AppData\Local\Temp\5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe
"C:\Users\Admin\AppData\Local\Temp\5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1996
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1740
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1352
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3684
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4400
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        16⤵
        
        PID:4072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2876
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        18⤵
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4940
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        20⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2468
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        22⤵
        
        PID:4676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4068
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        24⤵
        
        PID:5096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3820
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        26⤵
        
        PID:4852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3580
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        28⤵
        
        PID:3920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1940
        
        C:\Program Files\Microsoft Office\Office16\dwm.exe
        
        "C:\Program Files\Microsoft Office\Office16\dwm.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        30⤵
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\Office16\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac0d21828bc80e8b74a8b614ae2181a

SHA1
815ace2e24a56479a36e77b8f5fa73529828cd14

SHA256
c9446bf0fe1a5f8370cab40d82b98a645aebe34d3a1270f9b869f491897b8454

SHA512
1eef5a4d7d04115fbc4b4b44a914155d675cb2deb0164751938ae9b01919e98e3548be20fdfeddff60134aa0a3bfcd7ec449731f43b5d16cd0ffbdd288926fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a6115a956c8fb8ceb21ae98a1a21122

SHA1
2125de356a675f1361137d21125f0a806c935de7

SHA256
da7f6ecbcd2f0be3df7a095163660d875e90fb70ce4300908fe0c48f0b742ad3

SHA512
60f56f492f5418fca4e7f849877b6b47d084a2d136681ae102c076dfb02a639fa242a79ba754c0cd6ba525669c03456edfc39268cb0df12bc681d895517fa54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4cebace363955b5fb79b606d1252b9e

SHA1
f57eb08ca60074896c6d65c98e2f8b99450f7aee

SHA256
ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a

SHA512
5d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2424894e0df40c3f9d8b2bb410b24372

SHA1
5c1063ec9c3db1bd7f1a6efaf82b4035407d0047

SHA256
e518402a5e3d13a5feb3c8b7661b06d7eed4d9d9d52b69c77402b12712a8f8fb

SHA512
da88f28d4bbb966f8cda8e123b16dd76ab3e85c6e07e177d879f0eaa365aeffe013b56ea62659906bcbea2eaa41c03bff3ccb4cfe32b4ca33e39056212036bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2424894e0df40c3f9d8b2bb410b24372

SHA1
5c1063ec9c3db1bd7f1a6efaf82b4035407d0047

SHA256
e518402a5e3d13a5feb3c8b7661b06d7eed4d9d9d52b69c77402b12712a8f8fb

SHA512
da88f28d4bbb966f8cda8e123b16dd76ab3e85c6e07e177d879f0eaa365aeffe013b56ea62659906bcbea2eaa41c03bff3ccb4cfe32b4ca33e39056212036bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7340cf2954865be576a2aaba84f49378

SHA1
d8b8a6323826799bc54f67dd4955855ab5c8a56b

SHA256
53b3c77511641e1d0c62ccc9b1545a71b06b95532019ffc989033932d6c3a3a5

SHA512
c125b4b5c26086ce108da9a223a6a303b4bd990c5b52fa1ca10036bff623abf2b54ae71b9ace62edcbff9445a7618e3b8fe60e229c8403ab8c189076a803ab28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90efccf9231bfc0481a33b2b20464032

SHA1
2491bc513c40e427a3da6ba4f4379a078b727ae6

SHA256
3a466ef230cf129e1a05290dded96e382bd5365c2872fc80ed5a045ae442df1f

SHA512
07ac6ce3f218c6c4b50f0e19ef5acdc29b473a074e24ae04491bab00eb50fc650898218139da10a001758c0a6ea9ed680e8d33d26e56d60c60a70ba9b4d8c652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a601bbc5f491c2365dbdd33c75cb3d40

SHA1
db3cf42c718215bab69fb75c5d5c1904da9d8caf

SHA256
b38ab40ca42afcf1b8d08c1ef460d262c50aa3c9af9007417fbb7207e04c02fa

SHA512
aa85d5784311059dede37243bef02c0bcb2c42eb889b1b6d68ad3782147561932696c0e60c102736084d8f53be3f9f6de64b2a1e93382de7468b97a71a757311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
49f463126ea8f5fbf437da064127251b

SHA1
2c952a3123f62e02df30e88a093e4366bdffcc4b

SHA256
3f5f0443152d9a7da9eca9733b62ceaffb68ed1e01771885c9a7a4f9aa058cb9

SHA512
5fb1df1378a1bed254c193ed1b32c62819d42a1012e17e1161264a3b08dd47bc51c9d7cbf4c8ec234a5ad3afeda3035c2fc010bdd2954acbb17145354c621d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
730e21edcd445302b788f0c3c21bcfe1

SHA1
c50466acad6ee1aaf92f1b13cd932299de0b07b6

SHA256
2f4b002756fee6069ac19e6307a457c68a75011b83341468b4b46e1d3eaedb41

SHA512
4cd837f925d0b5f56bd3e418a8fc88ddb153fe27e0e41434fd00aca912af2e5026b9fc30811376b50f6def1f9fbe39efb8222e21d486f41451766a2d785a6c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
215B

MD5
ecf7e51026ef2cf4b552b29d840d9384

SHA1
e8a867779a74358255c5dcdb155e6699c96b2304

SHA256
8691013f802abc3db2a484d6c773855f7c4f79d98fad200469da1aaa26bc539d

SHA512
26d351417b5498b48b6ffa85b3582ff7e1b4b216536de7acadbc063cc5f3374128ce1821b898c72d7105aa1eabc114fd76f87ca1b7566ac4744714fab77eea41

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
215B

MD5
7f0a5c496fc4beb813ee224c2bb1f5d6

SHA1
c2f0600740976b8e40019248169bc77feae3b4d1

SHA256
cd8d486e512a4047f862fcbf15eb4c63e34b96e64bd8cbeda813661c6b9ae60e

SHA512
739d406b9a38307be967c0a018da7b6602bf677b1fa20000db2d7872a63fa36d35fac3d797c0545ddef7249b6603fcc95c6e87f1ead9eac2ed3f3f9d98cca34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
215B

MD5
1d429224c36a674a8013274684ae2159

SHA1
754b831a23a01464d9f1af44dbef6f9d42640059

SHA256
d2bc01deb0a039bda1f639df0b6e40b7bf8d770d58ed028499ae1414d957d2f4

SHA512
145f0b406550e3bdfd1b49ab361ba1d3503240cf0981cf3fc2258b3db0c6eb5ce60de6ef23d6f930f1f0a3a07ccbc39eae0085697100b4afe9792077094258af

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
215B

MD5
4895d78da64f726fa01aa98478276f34

SHA1
e0a106b1b4c6b00d357e90fb89c4ff27c12cc03f

SHA256
42ad4e28cb03acd14a3b76a076dc071d99925df617048b99693ee1974a0344c9

SHA512
2073b3a16ed58a6b3f99096827f183b5b41f55fc3dcf12a20e49783721708034fbab4d2db05c2b8dda84320daf8adf224af33c3df3f54d225b1774da892907b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
215B

MD5
123df20c0306b5114cdeeef6ccc26bad

SHA1
cccffa5ab170a8219a6ce002d1182025fa8af625

SHA256
d8bf7a31102c11a47d83844c37946bdfd6239d60e6d0fdf925fb529da084d793

SHA512
1a821441c62e5ea339f5d707289ca15895c9be0126f5e5d532b102ff5843cec88329d0c4776d3e60683fd48cefd43d23cfb930b255ca024670f9e893998db473

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
215B

MD5
4f40380268be2c839eae02aaf01869cc

SHA1
46aeaa02d8f1e16cf30ce0dda686513e4e98460a

SHA256
6be02d425f570a261164f444d9a942da6f9839b6e9acbad97cf3b914b1a54b67

SHA512
e8c0226346e23c7a1921bc4b5ff48721d327efa80f5116e284c1e1da92decf1b4a39ff85af71be01446926b8bedadd90346a347b306bc9813c7815691ec2fbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
215B

MD5
9c54e27457be84f4aa6697927c9634f8

SHA1
62ec55b0e07f191e0e93ff00468426ef89213331

SHA256
24aea579e2526d45bd2635dba6bf158345d83be5a5902ec6a8c23ca2f945e969

SHA512
6624f800b0e851403d47c1f90ae4f9a375d7f705a2d57f35ef10c759996af662452c3b62f14763021872681be990ee99eaf2cb6dd4c9d4c2ec84e4f53a492149

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
215B

MD5
33299661f688879fce4173b5240b234b

SHA1
0b30dbfd77f612caafe353e34a6b99d46f50c7c0

SHA256
57eb29886b0f4df8f94180b35d2980476bcba1acff5daf5c1fc60dc20394feb0

SHA512
36ef5166229266d17eb07f5e8ae5ec8f13888052d8476b6f3cc6bae0019c4e1729c4ed11fc6eb9bca834b8b70e4f575de3fd1490c26619d7ad22610633bc135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
215B

MD5
532b5301a9208c53f7f872a63a97ec57

SHA1
2b9a35d9975820c0c9285a15ee6632ca63b26d83

SHA256
37e51aec12ad6c2ed8aaf638d31a1b84063f7b1856912d604b1a5781c05f9059

SHA512
b53a3e0c70c5e6ef6d1353909374ca04ea2aa4394593ecf18b976a8497ec984162aab16a98fd20f7722067c1bf20b980e5647e7b4ab08a9e77694f68caf26209

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
215B

MD5
0ef27021033d732527dd35e5040cec94

SHA1
2023ae7e0f5312e8644ea580fb1a188d37bf8328

SHA256
a9d591bc38b631588f0356c0915122f4ad8fdd40f5a28073f05bbccca049d4f7

SHA512
1ff1311740849b3ec00fdca5728647d7c7727adf4071ec8066685ceef3dfd0663e77665f267446dcb9e8d4357cb890e82667565535f9be9950b75ec5c8b6c241

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
215B

MD5
9efbd391c42fb31a049f05e7539431de

SHA1
fd27654b93437e680919329b57624c328ac76297

SHA256
618a9d2368ee8366d6c6eff9dc986df3f4ad654db78fa676de44d6e033b031b1

SHA512
23ae80c7bbaa9ed9be81d8aafa4f6d461a4e7f026b7350d63719b363bdb07ab8632bf589c932172057c4554edce8ea1e3dcecc91127adff2348a3b2aaa30f2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

Filesize
215B

MD5
494551f3fc071e845a7f9b83743c7322

SHA1
1b2789aae46881097910310bb56dfa4bab64618e

SHA256
5f8b8a202dce7362610557565f48257256353c7ba46a84c0c87f473d15af9c2e

SHA512
d5c33cf4335e69cc3cd670b35e13785ddf1dbc34958b52fe838bca31ad1349e9869b8c33d76b2b78182eb5ebf7f0bf0144aa3af773bd74d401cbcf67efb1ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

Filesize
215B

MD5
494551f3fc071e845a7f9b83743c7322

SHA1
1b2789aae46881097910310bb56dfa4bab64618e

SHA256
5f8b8a202dce7362610557565f48257256353c7ba46a84c0c87f473d15af9c2e

SHA512
d5c33cf4335e69cc3cd670b35e13785ddf1dbc34958b52fe838bca31ad1349e9869b8c33d76b2b78182eb5ebf7f0bf0144aa3af773bd74d401cbcf67efb1ff05

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1048-348-0x000001F43CDB0000-0x000001F43CDD2000-memory.dmp

Filesize
136KB

Download
memory/1048-352-0x000001F456D50000-0x000001F456DC6000-memory.dmp

Filesize
472KB

Download
memory/2496-725-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/3724-185-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/3724-184-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/3860-687-0x0000000001420000-0x0000000001432000-memory.dmp

Filesize
72KB

Download
memory/3868-354-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/4068-289-0x0000000003050000-0x000000000305C000-memory.dmp

Filesize
48KB

Download
memory/4068-288-0x0000000003040000-0x000000000304C000-memory.dmp

Filesize
48KB

Download
memory/4068-287-0x00000000018D0000-0x00000000018DC000-memory.dmp

Filesize
48KB

Download
memory/4068-286-0x00000000015E0000-0x00000000015F2000-memory.dmp

Filesize
72KB

Download
memory/4068-285-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/4248-164-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-151-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-181-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-180-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-179-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-178-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-177-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-175-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-176-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-174-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-173-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-172-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-171-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-170-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-169-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-168-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-167-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-166-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-165-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-163-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-162-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-161-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-160-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-159-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-158-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-157-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-156-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-120-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-155-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-121-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-154-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-122-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-124-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-125-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-127-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-128-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-129-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-153-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-130-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-152-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-182-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-150-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-149-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-148-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-147-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-146-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-131-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-145-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-132-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-133-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-144-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-142-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-143-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-141-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-139-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-140-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-138-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-134-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-137-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-136-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-135-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4480-704-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/4688-698-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/5032-746-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download