dcrat | 70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe
Size

1.3MB
MD5

65a97d9947b66654ef1058dfb377c146
SHA1

dbf98cbb44fef156cd340adee3eae116840613df
SHA256

70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37
SHA512

5468dbacea6fc528240b6676ba632bfa0449967b97d46849d08db1671b76c296098e690894305bd00b758541a878f3b497db49824b31db864968b5001a96e12b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1932	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1932	schtasks.exe	81

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022e2f-137.dat	dcrat
behavioral1/files/0x0006000000022e2f-138.dat	dcrat
behavioral1/memory/4264-139-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e42-192.dat	dcrat
behavioral1/files/0x0006000000022e42-191.dat	dcrat
behavioral1/files/0x0006000000022e42-199.dat	dcrat
behavioral1/files/0x0006000000022e42-207.dat	dcrat
behavioral1/files/0x0006000000022e42-214.dat	dcrat
behavioral1/files/0x0006000000022e42-221.dat	dcrat
behavioral1/files/0x0006000000022e42-228.dat	dcrat
behavioral1/files/0x0006000000022e42-231.dat	dcrat
behavioral1/files/0x0006000000022e42-238.dat	dcrat
behavioral1/files/0x0006000000022e42-245.dat	dcrat
behavioral1/files/0x0006000000022e42-252.dat	dcrat
behavioral1/files/0x0006000000022e42-259.dat	dcrat
behavioral1/files/0x0006000000022e42-266.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4264	DllCommonsvc.exe
2896	SppExtComObj.exe
4460	SppExtComObj.exe
3944	SppExtComObj.exe
3928	SppExtComObj.exe
1068	SppExtComObj.exe
3500	SppExtComObj.exe
4972	SppExtComObj.exe
4008	SppExtComObj.exe
1716	SppExtComObj.exe
1560	SppExtComObj.exe
4372	SppExtComObj.exe
692	SppExtComObj.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3624	schtasks.exe
3836	schtasks.exe
4864	schtasks.exe
4468	schtasks.exe
4056	schtasks.exe
4896	schtasks.exe
1304	schtasks.exe
4496	schtasks.exe
4820	schtasks.exe
3272	schtasks.exe
3860	schtasks.exe
4336	schtasks.exe
1948	schtasks.exe
2892	schtasks.exe
4788	schtasks.exe
532	schtasks.exe
4036	schtasks.exe
2908	schtasks.exe
2204	schtasks.exe
3472	schtasks.exe
4916	schtasks.exe
404	schtasks.exe
1156	schtasks.exe
4640	schtasks.exe
592	schtasks.exe
4040	schtasks.exe
3632	schtasks.exe
1716	schtasks.exe
448	schtasks.exe
1724	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SppExtComObj.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
1252	powershell.exe
1252	powershell.exe
2836	powershell.exe
2836	powershell.exe
1136	powershell.exe
1136	powershell.exe
1444	powershell.exe
1444	powershell.exe
2100	powershell.exe
2100	powershell.exe
1916	powershell.exe
1916	powershell.exe
3200	powershell.exe
3200	powershell.exe
228	powershell.exe
228	powershell.exe
4192	powershell.exe
4192	powershell.exe
3244	powershell.exe
3244	powershell.exe
3708	powershell.exe
3708	powershell.exe
3200	powershell.exe
4192	powershell.exe
1136	powershell.exe
1252	powershell.exe
3708	powershell.exe
2836	powershell.exe
1444	powershell.exe
2100	powershell.exe
1916	powershell.exe
228	powershell.exe
3244	powershell.exe
2896	SppExtComObj.exe
4460	SppExtComObj.exe
3944	SppExtComObj.exe
3928	SppExtComObj.exe
1068	SppExtComObj.exe
4972	SppExtComObj.exe
4008	SppExtComObj.exe
1716	SppExtComObj.exe
1560	SppExtComObj.exe
4372	SppExtComObj.exe
692	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	DllCommonsvc.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	2896	SppExtComObj.exe
Token: SeDebugPrivilege	4460	SppExtComObj.exe
Token: SeDebugPrivilege	3944	SppExtComObj.exe
Token: SeDebugPrivilege	3928	SppExtComObj.exe
Token: SeDebugPrivilege	1068	SppExtComObj.exe
Token: SeDebugPrivilege	4972	SppExtComObj.exe
Token: SeDebugPrivilege	4008	SppExtComObj.exe
Token: SeDebugPrivilege	1716	SppExtComObj.exe
Token: SeDebugPrivilege	1560	SppExtComObj.exe
Token: SeDebugPrivilege	4372	SppExtComObj.exe
Token: SeDebugPrivilege	692	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4624	1048	70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe	77
PID 1048 wrote to memory of 4624	1048	70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe	77
PID 1048 wrote to memory of 4624	1048	70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe	77
PID 4624 wrote to memory of 3412	4624	WScript.exe	82
PID 4624 wrote to memory of 3412	4624	WScript.exe	82
PID 4624 wrote to memory of 3412	4624	WScript.exe	82
PID 3412 wrote to memory of 4264	3412	cmd.exe	84
PID 3412 wrote to memory of 4264	3412	cmd.exe	84
PID 4264 wrote to memory of 2836	4264	DllCommonsvc.exe	133
PID 4264 wrote to memory of 2836	4264	DllCommonsvc.exe	133
PID 4264 wrote to memory of 1136	4264	DllCommonsvc.exe	132
PID 4264 wrote to memory of 1136	4264	DllCommonsvc.exe	132
PID 4264 wrote to memory of 1252	4264	DllCommonsvc.exe	130
PID 4264 wrote to memory of 1252	4264	DllCommonsvc.exe	130
PID 4264 wrote to memory of 1444	4264	DllCommonsvc.exe	128
PID 4264 wrote to memory of 1444	4264	DllCommonsvc.exe	128
PID 4264 wrote to memory of 2100	4264	DllCommonsvc.exe	116
PID 4264 wrote to memory of 2100	4264	DllCommonsvc.exe	116
PID 4264 wrote to memory of 1916	4264	DllCommonsvc.exe	117
PID 4264 wrote to memory of 1916	4264	DllCommonsvc.exe	117
PID 4264 wrote to memory of 3200	4264	DllCommonsvc.exe	125
PID 4264 wrote to memory of 3200	4264	DllCommonsvc.exe	125
PID 4264 wrote to memory of 228	4264	DllCommonsvc.exe	123
PID 4264 wrote to memory of 228	4264	DllCommonsvc.exe	123
PID 4264 wrote to memory of 4192	4264	DllCommonsvc.exe	119
PID 4264 wrote to memory of 4192	4264	DllCommonsvc.exe	119
PID 4264 wrote to memory of 3244	4264	DllCommonsvc.exe	121
PID 4264 wrote to memory of 3244	4264	DllCommonsvc.exe	121
PID 4264 wrote to memory of 3708	4264	DllCommonsvc.exe	137
PID 4264 wrote to memory of 3708	4264	DllCommonsvc.exe	137
PID 4264 wrote to memory of 3028	4264	DllCommonsvc.exe	138
PID 4264 wrote to memory of 3028	4264	DllCommonsvc.exe	138
PID 3028 wrote to memory of 1720	3028	cmd.exe	140
PID 3028 wrote to memory of 1720	3028	cmd.exe	140
PID 3028 wrote to memory of 2896	3028	cmd.exe	144
PID 3028 wrote to memory of 2896	3028	cmd.exe	144
PID 2896 wrote to memory of 4520	2896	SppExtComObj.exe	145
PID 2896 wrote to memory of 4520	2896	SppExtComObj.exe	145
PID 4520 wrote to memory of 4324	4520	cmd.exe	147
PID 4520 wrote to memory of 4324	4520	cmd.exe	147
PID 4520 wrote to memory of 4460	4520	cmd.exe	148
PID 4520 wrote to memory of 4460	4520	cmd.exe	148
PID 4460 wrote to memory of 1284	4460	SppExtComObj.exe	150
PID 4460 wrote to memory of 1284	4460	SppExtComObj.exe	150
PID 1284 wrote to memory of 2880	1284	cmd.exe	152
PID 1284 wrote to memory of 2880	1284	cmd.exe	152
PID 1284 wrote to memory of 3944	1284	cmd.exe	153
PID 1284 wrote to memory of 3944	1284	cmd.exe	153
PID 3944 wrote to memory of 4320	3944	SppExtComObj.exe	154
PID 3944 wrote to memory of 4320	3944	SppExtComObj.exe	154
PID 4320 wrote to memory of 420	4320	cmd.exe	156
PID 4320 wrote to memory of 420	4320	cmd.exe	156
PID 4320 wrote to memory of 3928	4320	cmd.exe	157
PID 4320 wrote to memory of 3928	4320	cmd.exe	157
PID 3928 wrote to memory of 428	3928	SppExtComObj.exe	158
PID 3928 wrote to memory of 428	3928	SppExtComObj.exe	158
PID 428 wrote to memory of 3868	428	cmd.exe	160
PID 428 wrote to memory of 3868	428	cmd.exe	160
PID 428 wrote to memory of 1068	428	cmd.exe	161
PID 428 wrote to memory of 1068	428	cmd.exe	161
PID 1068 wrote to memory of 1256	1068	SppExtComObj.exe	162
PID 1068 wrote to memory of 1256	1068	SppExtComObj.exe	162
PID 1256 wrote to memory of 1888	1256	cmd.exe	164
PID 1256 wrote to memory of 1888	1256	cmd.exe	164

C:\Users\Admin\AppData\Local\Temp\70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe
"C:\Users\Admin\AppData\Local\Temp\70458531c09e7ff4eeba43a0e4abac91e7bf0e01bdc61f6d8a07c8110ddd1a37.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0amT0ExOAS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1720
      - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4324
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2880
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:420
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3868
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1888
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        17⤵
        
        PID:344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3348
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
        19⤵
        
        PID:3244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4332
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
        21⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4700
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        23⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4060
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        25⤵
        
        PID:4844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4256
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        27⤵
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4260
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\providercommon\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\0amT0ExOAS.bat

Filesize
203B

MD5
4e7f0aa92ea4b034703148453a3ccac4

SHA1
cade98ef3808a3f363eb73b5228de56aec448a88

SHA256
0c9f98eb30515e73a6152bedb1d3f89c75631c2cbc0af9d93237703363f7cb16

SHA512
46eead8d7b3435a679790425d2b7e7ed89aed4a576411dfcc7c0581a7c34d98d2ed102e4be787d5d81e98b9d33e9e0cb3e3dd9a5a84d72741a77f16cabd4dfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
203B

MD5
6569ee122bf1092a40cf9066e2d7e9ee

SHA1
b7fa08dde2135be0d36390de504855fd12b6baa8

SHA256
2998ab42a9bfda16a8566af48593061467bfdb4b8879d67885bf6de5367f0098

SHA512
70a775f902cd1ff4f0befacce8906fa5ba932e7455bce3ca4c3f6e4b97d61c9097fcf1eb0db2ff6ef5a3afacd96e89e9c5c6afa99200610229c911f233945fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
203B

MD5
4f56231b5d7ab9de083793579c9e152d

SHA1
bb7651d5deb1489999a38d7e659c04da90c795eb

SHA256
9e14b856412eb7950d061213e0befb5b4f113b90027b12d8daa6d267e6e7685c

SHA512
84c60892dad5b89306046ec25581b87a77f9f2f84296fdd5d22f72e5825d35cdf4b5765e0d20e13d2c686f04816238e0bb87b3c4b10eed4115feb46b73ac99f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
203B

MD5
9c11f0768f8a15a220b9ccad6383b0cc

SHA1
5a6698f2647e4d9c757c763310ef9ab6142bb592

SHA256
9f969d733958bc76c75748ad61e18aae2ec1dc58f1300418bdff01172eb2e398

SHA512
4c529eaf12eea9fe36f4211b967a9c4bc3a93a04d97cdba78dc989e36f65d84af5e390fc71b754eae8e352dda4c43d0d6425346fbd027631fd0fe04d7509a88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
203B

MD5
4467bd54cff4c8ba7396d86a1d03dcac

SHA1
2650b6566906785a3221912fdf9c4bfb2c10ec99

SHA256
29048716e0e6198cc25c0e7c0f59b258dba8e802672230ff5f587d83560fe02f

SHA512
7fcfc2ea80305c0971aa894773c7109a2ffcdd2704506ca3f8e936c01f409a5e42ea9f60bacf2494311856cb6a5bd9224fc23bcb6c42c5e140d4805dbe7b5beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
203B

MD5
9777ac238b2b8a459e1282a56d7e7eef

SHA1
418bc8f6dffa5cdd5fc90c25aba574ead554d17b

SHA256
39d4a0f67d5e8d820353164f617c9929edaf6b23cd099a925a8917f246ee0abd

SHA512
371750d8ceaeba40c3b2178f0998d1b9a90cf6f8282b5fb1b4b52f2adadae69bb9ef63bacc0f3fc6d644ae63f25be7b9e0cd5d3196cfaca9b5ad287c369d2b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
203B

MD5
a3880a9708f1b6badc987974a23a4bf7

SHA1
595b1bd479850229f7e53af7b0672774943501e2

SHA256
309b2db2d93321a68bc709c4a5d15505975ab8645445c1c55ff62470e2d0db14

SHA512
211e095ef1d838e3b7083e36290539eafadec201869713b561a6b01843a7e6e90606530987bda7d6080d4c914cc19486781d339c186447355fe7110443b424a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

Filesize
203B

MD5
06c11624a37af56fb15d753c21439a2f

SHA1
5d94c127c5ccf030622c298b3c4ea3845e178c07

SHA256
dd83632560173c20204abfc5d0e185422a9d2fe55cd554595ebf2481b2fb41e7

SHA512
89bb9fd79e25b9218b56c87a4a868a4449fdc39cc7300325479766f4940a4de6daea3318aa81595f57bb3a1f422a4440f638333a51c5ea3350d418a9ef8e80af

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

Filesize
203B

MD5
c4e20a87c89ecc1c8dba303b15340033

SHA1
b6d1140f2148d6c35c6ff460abded58d587e6bc9

SHA256
205c4bba93969243b16d0d54db86ef42a03d6bf6ab7dc34b591660254e34b748

SHA512
9a76dd4a62f05517bfdda6497dcc6e9390b5f22278274c577e65841580c2cac82da0f765f94f02d3bca79b65752bce80d6d2b0bfe4cc4c8ca44bca207efdbf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
203B

MD5
bc654289ceb3c57588970501d24ba2e3

SHA1
360aaca43b86f9a4051c3f9b914be7c0734cfd2f

SHA256
41f803cba998727fe8e5fb7af23e231b089295f24b7dc323138c02b97b986d2e

SHA512
f4ec2fc58473a6998813a83edd1102bbc8e7b1457fdc7952522deb03cbe3de11333c83f982580f94bd7c3dbec5b68468a231fb20329dbf3bc7d62ff93c14cc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat

Filesize
203B

MD5
49f4b712c023852bdd3b184443a88348

SHA1
82f2b3f8b7cddc82c0fbb194c3fc0908f9763f54

SHA256
4b044bec511738d2129c599901b0f41cacdb18bede2d048ae432560126e70926

SHA512
217c7b415ed91fbb7cc5fd3a10d3d69755ebd047a9e6a526322a562d65bd6cc4d4a8337cbda5807d706de09aa0083e45a9932f23cf9fdf20b89d2261d6352b7e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/228-187-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/228-160-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/692-267-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/1068-222-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1068-226-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-178-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-153-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1252-156-0x000001CFDD030000-0x000001CFDD052000-memory.dmp

Filesize
136KB

Download
memory/1252-176-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1252-155-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1444-185-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1444-166-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-253-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-257-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-246-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-250-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-167-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-184-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-186-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-157-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/2836-179-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/2836-152-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/2896-195-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/2896-193-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3200-170-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3200-159-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-171-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-189-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-162-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-177-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-215-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-219-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-208-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-212-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-239-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-243-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/4192-161-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4192-165-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4264-139-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/4264-140-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4264-158-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-260-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-264-0x00007FFA05CE0000-0x00007FFA067A1000-memory.dmp

Filesize
10.8MB

Download
memory/4460-201-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4460-205-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-232-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-236-0x00007FFA05AE0000-0x00007FFA065A1000-memory.dmp

Filesize
10.8MB

Download