dcrat | b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe
Size

1.3MB
MD5

ad8a4b0552982f74a59679f30e1c45ef
SHA1

fc317c84013299846699af85b6b0502f59b407a4
SHA256

b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4
SHA512

2d2e577d9a515b1fa429165a4a13169c31ddb2fe7448bb6fa9afd0514efc0b7ab38283ebbb3eedb4bc4106c197a76c33541c275873bc49f3a27dfeac48ed7345
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	644	schtasks.exe	82

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000022f67-137.dat	dcrat
behavioral1/files/0x0007000000022f67-138.dat	dcrat
behavioral1/memory/4520-139-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022f90-156.dat	dcrat
behavioral1/files/0x0006000000022f90-157.dat	dcrat
behavioral1/files/0x0006000000022f90-204.dat	dcrat
behavioral1/files/0x0006000000022f90-212.dat	dcrat
behavioral1/files/0x0006000000022f90-219.dat	dcrat
behavioral1/files/0x0006000000022f90-226.dat	dcrat
behavioral1/files/0x0006000000022f90-233.dat	dcrat
behavioral1/files/0x0006000000022f90-240.dat	dcrat
behavioral1/files/0x0006000000022f90-247.dat	dcrat
behavioral1/files/0x0006000000022f90-254.dat	dcrat
behavioral1/files/0x0006000000022f90-261.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
4520	DllCommonsvc.exe
2360	taskhostw.exe
2352	taskhostw.exe
4588	taskhostw.exe
4124	taskhostw.exe
2920	taskhostw.exe
2604	taskhostw.exe
432	taskhostw.exe
1224	taskhostw.exe
2412	taskhostw.exe
4416	taskhostw.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
924	schtasks.exe
2416	schtasks.exe
4524	schtasks.exe
4880	schtasks.exe
2276	schtasks.exe
2544	schtasks.exe
4428	schtasks.exe
4672	schtasks.exe
2500	schtasks.exe
5004	schtasks.exe
1472	schtasks.exe
3008	schtasks.exe
1148	schtasks.exe
3948	schtasks.exe
3288	schtasks.exe
2424	schtasks.exe
5072	schtasks.exe
1752	schtasks.exe
4280	schtasks.exe
4472	schtasks.exe
4140	schtasks.exe
2824	schtasks.exe
2384	schtasks.exe
2496	schtasks.exe
2816	schtasks.exe
1444	schtasks.exe
544	schtasks.exe
4736	schtasks.exe
2540	schtasks.exe
508	schtasks.exe
4676	schtasks.exe
3900	schtasks.exe
2800	schtasks.exe
1740	schtasks.exe
1684	schtasks.exe
804	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4520	DllCommonsvc.exe
4052	powershell.exe
4052	powershell.exe
4720	powershell.exe
4720	powershell.exe
4972	powershell.exe
4972	powershell.exe
2552	powershell.exe
2552	powershell.exe
2272	powershell.exe
2272	powershell.exe
3820	powershell.exe
3820	powershell.exe
432	powershell.exe
432	powershell.exe
3504	powershell.exe
3504	powershell.exe
1836	powershell.exe
1836	powershell.exe
3092	powershell.exe
3092	powershell.exe
3100	powershell.exe
3100	powershell.exe
4080	powershell.exe
4080	powershell.exe
3680	powershell.exe
3680	powershell.exe
2360	taskhostw.exe
2360	taskhostw.exe
4052	powershell.exe
4972	powershell.exe
4052	powershell.exe
4972	powershell.exe
4720	powershell.exe
4720	powershell.exe
2272	powershell.exe
3820	powershell.exe
2552	powershell.exe
2552	powershell.exe
432	powershell.exe
3092	powershell.exe
1836	powershell.exe
3100	powershell.exe
3504	powershell.exe
4080	powershell.exe
3680	powershell.exe
2352	taskhostw.exe
4588	taskhostw.exe
4124	taskhostw.exe
2920	taskhostw.exe
2604	taskhostw.exe
432	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	DllCommonsvc.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	2360	taskhostw.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2352	taskhostw.exe
Token: SeDebugPrivilege	4588	taskhostw.exe
Token: SeDebugPrivilege	4124	taskhostw.exe
Token: SeDebugPrivilege	2920	taskhostw.exe
Token: SeDebugPrivilege	2604	taskhostw.exe
Token: SeDebugPrivilege	432	taskhostw.exe
Token: SeDebugPrivilege	1224	taskhostw.exe
Token: SeDebugPrivilege	2412	taskhostw.exe
Token: SeDebugPrivilege	4416	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2828	904	b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe	78
PID 904 wrote to memory of 2828	904	b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe	78
PID 904 wrote to memory of 2828	904	b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe	78
PID 2828 wrote to memory of 856	2828	WScript.exe	83
PID 2828 wrote to memory of 856	2828	WScript.exe	83
PID 2828 wrote to memory of 856	2828	WScript.exe	83
PID 856 wrote to memory of 4520	856	cmd.exe	85
PID 856 wrote to memory of 4520	856	cmd.exe	85
PID 4520 wrote to memory of 3092	4520	DllCommonsvc.exe	123
PID 4520 wrote to memory of 3092	4520	DllCommonsvc.exe	123
PID 4520 wrote to memory of 4052	4520	DllCommonsvc.exe	124
PID 4520 wrote to memory of 4052	4520	DllCommonsvc.exe	124
PID 4520 wrote to memory of 4720	4520	DllCommonsvc.exe	125
PID 4520 wrote to memory of 4720	4520	DllCommonsvc.exe	125
PID 4520 wrote to memory of 4972	4520	DllCommonsvc.exe	127
PID 4520 wrote to memory of 4972	4520	DllCommonsvc.exe	127
PID 4520 wrote to memory of 3820	4520	DllCommonsvc.exe	129
PID 4520 wrote to memory of 3820	4520	DllCommonsvc.exe	129
PID 4520 wrote to memory of 2552	4520	DllCommonsvc.exe	130
PID 4520 wrote to memory of 2552	4520	DllCommonsvc.exe	130
PID 4520 wrote to memory of 2272	4520	DllCommonsvc.exe	131
PID 4520 wrote to memory of 2272	4520	DllCommonsvc.exe	131
PID 4520 wrote to memory of 432	4520	DllCommonsvc.exe	133
PID 4520 wrote to memory of 432	4520	DllCommonsvc.exe	133
PID 4520 wrote to memory of 3504	4520	DllCommonsvc.exe	134
PID 4520 wrote to memory of 3504	4520	DllCommonsvc.exe	134
PID 4520 wrote to memory of 1836	4520	DllCommonsvc.exe	139
PID 4520 wrote to memory of 1836	4520	DllCommonsvc.exe	139
PID 4520 wrote to memory of 3100	4520	DllCommonsvc.exe	145
PID 4520 wrote to memory of 3100	4520	DllCommonsvc.exe	145
PID 4520 wrote to memory of 4080	4520	DllCommonsvc.exe	142
PID 4520 wrote to memory of 4080	4520	DllCommonsvc.exe	142
PID 4520 wrote to memory of 3680	4520	DllCommonsvc.exe	144
PID 4520 wrote to memory of 3680	4520	DllCommonsvc.exe	144
PID 4520 wrote to memory of 2360	4520	DllCommonsvc.exe	149
PID 4520 wrote to memory of 2360	4520	DllCommonsvc.exe	149
PID 2360 wrote to memory of 924	2360	taskhostw.exe	153
PID 2360 wrote to memory of 924	2360	taskhostw.exe	153
PID 924 wrote to memory of 4436	924	cmd.exe	155
PID 924 wrote to memory of 4436	924	cmd.exe	155
PID 924 wrote to memory of 2352	924	cmd.exe	156
PID 924 wrote to memory of 2352	924	cmd.exe	156
PID 2352 wrote to memory of 2100	2352	taskhostw.exe	157
PID 2352 wrote to memory of 2100	2352	taskhostw.exe	157
PID 2100 wrote to memory of 2356	2100	cmd.exe	159
PID 2100 wrote to memory of 2356	2100	cmd.exe	159
PID 2100 wrote to memory of 4588	2100	cmd.exe	160
PID 2100 wrote to memory of 4588	2100	cmd.exe	160
PID 4588 wrote to memory of 2268	4588	taskhostw.exe	161
PID 4588 wrote to memory of 2268	4588	taskhostw.exe	161
PID 2268 wrote to memory of 2492	2268	cmd.exe	163
PID 2268 wrote to memory of 2492	2268	cmd.exe	163
PID 2268 wrote to memory of 4124	2268	cmd.exe	164
PID 2268 wrote to memory of 4124	2268	cmd.exe	164
PID 4124 wrote to memory of 3576	4124	taskhostw.exe	165
PID 4124 wrote to memory of 3576	4124	taskhostw.exe	165
PID 3576 wrote to memory of 4960	3576	cmd.exe	167
PID 3576 wrote to memory of 4960	3576	cmd.exe	167
PID 3576 wrote to memory of 2920	3576	cmd.exe	168
PID 3576 wrote to memory of 2920	3576	cmd.exe	168
PID 2920 wrote to memory of 4920	2920	taskhostw.exe	169
PID 2920 wrote to memory of 4920	2920	taskhostw.exe	169
PID 4920 wrote to memory of 2808	4920	cmd.exe	171
PID 4920 wrote to memory of 2808	4920	cmd.exe	171

C:\Users\Admin\AppData\Local\Temp\b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe
"C:\Users\Admin\AppData\Local\Temp\b04ca7eb4804ed47e5b4764f96b9cc7b6a2a04cb6817e3418ee09ba48b13e1d4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WaaSMedicAgent.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
    - - C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4436
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2356
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2492
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4960
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
        16⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:976
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
        18⤵
        
        PID:3240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3540
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        20⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2800
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        22⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4884
        
        C:\Program Files (x86)\Common Files\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\taskhostw.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\odt\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\odt\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\odt\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eeb3d64208575f4d57e7d5f4975f432e

SHA1
518771c783208749779711985f3bac8f242d66cb

SHA256
274e9c421cb721c8151e27b096f8064fe91f94cfd5dea1515f0d3ef77d002ce9

SHA512
acc26d6ed86f201a956feb538d802f2edd2add3709d7aa8f1ec9ccddfb7bfdea3e47a99d2cc09f85e4d7449259cfb672ef5f7e1f589ae026590351d2415598e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
214B

MD5
db4909ae6d3438c0b0f62aae1deb218e

SHA1
310c64da9cf320e3d0b7ce0051c2b3edc3e183b1

SHA256
36636a7ef71b36604df1c87470e3cc0411d2854c598abdfe39e834957545f7f6

SHA512
47e4866fe69eac83f16d70780ba35459aafeaa911b3fed078de0047d90f70ea6058021aa45c134279500d4c50d440ac3eebfbdb1896a981d6bffbcf1710bc809

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
214B

MD5
956061c0a169383aba548be3829c6367

SHA1
bad11771f4f7ed615d43220cfd129121b08a703c

SHA256
8f5e36088cbb43013f80291d9ae609e2340cd8e81363b7584ed19a7814d3c8eb

SHA512
c81f944369e825bf06c188e4891d13353eeb64185f6fad41324325497a967a97d0888bad18873e04196b731d200cea8a8157b081a352c3ccbc5b6ffe52c16a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
214B

MD5
2a152889f93d2dd590a7fc0eeb113519

SHA1
d6ea6996304f84ac98d870f4a6866a1261217878

SHA256
f4daf5de7f8978b7b196dc22ac88d385f19a9939c2bb93719e25ddc916ed3c09

SHA512
6436a6327d1b6711e015cde5f0da7681e9b219f0b3d4c5c55047582738fe9650ebe9173b4c82b7bf0efe2f241721a65ea66d061d5da9aa39c5535a5565968109

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
214B

MD5
6b1b57eb63c58846ee0d3a37b74187d2

SHA1
2080f6b77514a0e53b27963c81fd04a660aa35dd

SHA256
a5477b3cabeb3bbbba115a599689299ef9ec402d571fcfe832a0e36d9bc7322e

SHA512
3f3bacae98db2be2c4c854f61f9246a6a5a260df6501576f23f40f252b4cc29b1d49d22adaf084999e649c721e691c7c039ecd85ac3f818bca53939857583c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat

Filesize
214B

MD5
3d38734f9ffa33d38ce90e7ecaa92c35

SHA1
6a3983b0bcbe2a4375555af1fd14a06a360abc15

SHA256
518086e2f25ee29600abfa7b4cdf5e1cac1ee798a68ef6a0531e55fb1457f0e4

SHA512
fcf02ebe89b43ab0b71699eef8452ad17a3fc8691c5693a340a0212c3454e8b0606fc04fcda30071498bf8fa74e1e1e7d8facfc4bb98ed281b039a52bb56138a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat

Filesize
214B

MD5
7fbc5217211419fa09ad5358e07d9988

SHA1
21753f8b03907e857af011a6ba392a909a55ada9

SHA256
4d79f315eaee12a21031cf7a57fdfc24546c9b5fd3c73360d6e9cc1fe3ca08b9

SHA512
1a3118d950247806c31bcdbd8b18c97b272038a39b15003f4bd354ebeb1457a61a1afc8f7109933e5aa918877c3f64802f7fa2960c61c24b9a435dc3d419698f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat

Filesize
214B

MD5
d3c91323b377b70a6df86921aac86ad8

SHA1
a720b50ad50412ff6426e6acffb2fd2337ba3bb1

SHA256
f3f98e17749bb368193f14c1b5d0ca9d645a9ca40f0e519fab3e24eddc4857ea

SHA512
cfed632a99e1db2ce75367346287c0a4a901b412fbd520ea9f89def59eccdd793640995e032e2f226aad1270affe7a65070ef6dde987802f6b9a4a9de6ad8657

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
214B

MD5
767518d8cfdb204fd5ce80cb60c618c9

SHA1
80388129276b1c25770e0738d10f5f59381088cd

SHA256
59fecc8fc7f89d3b3a3d5d5a253076fbfb8dd0fe4655d2cf5209a6b342dbd568

SHA512
ce29fe1b82fff25ded39e5b8d0e0e2e7e2c113af118d54a2370c65568207552bf53b39806e9f430428175fde670c9405191bfa7c3c8f324486cf37294ae06568

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
214B

MD5
7c611e6b2db305b5220def87e4dce0a7

SHA1
36021e78ad58bf6f9e5c2f4b480e6c15067b9f05

SHA256
f79f947ec7495973acf23d6db5902bb11ce11b1214ec99e5994ec8f2072a2ac6

SHA512
6d4040f100432aa1239d2c43d4ecaea3fcbd0503595495e3f3558f8a02d211ff0792f38b961b13478421726418e91eea8d13301e9a0078e484673a7e88d8bfb6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/432-165-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/432-245-0x00007FF9F37D0000-0x00007FF9F4291000-memory.dmp

Filesize
10.8MB

Download
memory/432-192-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/432-241-0x00007FF9F37D0000-0x00007FF9F4291000-memory.dmp

Filesize
10.8MB

Download
memory/1224-248-0x00007FF9F37D0000-0x00007FF9F4291000-memory.dmp

Filesize
10.8MB

Download
memory/1224-252-0x00007FF9F37D0000-0x00007FF9F4291000-memory.dmp

Filesize
10.8MB

Download
memory/1836-168-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-189-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-164-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-187-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-210-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-206-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-175-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-171-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2412-255-0x00007FF9F37D0000-0x00007FF9F4291000-memory.dmp

Filesize
10.8MB

Download
memory/2412-259-0x00007FF9F37D0000-0x00007FF9F4291000-memory.dmp

Filesize
10.8MB

Download
memory/2552-199-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-162-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-234-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-238-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-231-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-227-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-167-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-190-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-169-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-191-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-166-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-202-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-172-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-194-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3820-163-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/3820-180-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-182-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-160-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-155-0x0000021C95A00000-0x0000021C95A22000-memory.dmp

Filesize
136KB

Download
memory/4080-170-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-201-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-224-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-220-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-158-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-139-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/4520-140-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4588-217-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4588-213-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-173-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-159-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-183-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-161-0x00007FF9F3720000-0x00007FF9F41E1000-memory.dmp

Filesize
10.8MB

Download