dcrat | aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe
Size

1.3MB
MD5

02ef7c17bc2341758b222193660ecf4d
SHA1

1d58e1e8c28cfc5b98f961f079262adfb6d60960
SHA256

aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a
SHA512

573c6129ba11877874dca0aff1fa2118a1ffadf495d929efe82c49b101f241b61f226b7c1716a5f727b127f7278c6adf114863eea1b3988e384891d088277c73
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3208	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3208	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001ac21-280.dat	dcrat
behavioral1/files/0x000700000001ac21-281.dat	dcrat
behavioral1/memory/4676-282-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac34-320.dat	dcrat
behavioral1/files/0x000600000001ac34-321.dat	dcrat
behavioral1/files/0x000600000001ac34-680.dat	dcrat
behavioral1/files/0x000600000001ac34-686.dat	dcrat
behavioral1/files/0x000600000001ac34-692.dat	dcrat
behavioral1/files/0x000600000001ac34-697.dat	dcrat
behavioral1/files/0x000600000001ac34-703.dat	dcrat
behavioral1/files/0x000600000001ac34-709.dat	dcrat
behavioral1/files/0x000600000001ac34-714.dat	dcrat
behavioral1/files/0x000600000001ac34-719.dat	dcrat
behavioral1/files/0x000600000001ac34-724.dat	dcrat
behavioral1/files/0x000600000001ac34-729.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4676	DllCommonsvc.exe
4912	lsass.exe
1776	lsass.exe
1264	lsass.exe
4692	lsass.exe
4340	lsass.exe
4472	lsass.exe
4604	lsass.exe
3848	lsass.exe
4092	lsass.exe
5060	lsass.exe
4804	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\fontdrvhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Migration\WTR\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service.resources_31bf3856ad364e35_10.0.15063.0_de-de_cb57f479f5342bfa\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1212	schtasks.exe
1148	schtasks.exe
4792	schtasks.exe
4840	schtasks.exe
4664	schtasks.exe
4804	schtasks.exe
5076	schtasks.exe
356	schtasks.exe
656	schtasks.exe
640	schtasks.exe
4264	schtasks.exe
4724	schtasks.exe
744	schtasks.exe
700	schtasks.exe
1184	schtasks.exe
4340	schtasks.exe
3064	schtasks.exe
4144	schtasks.exe
4824	schtasks.exe
3948	schtasks.exe
960	schtasks.exe
4464	schtasks.exe
1172	schtasks.exe
4820	schtasks.exe
4644	schtasks.exe
4616	schtasks.exe
1608	schtasks.exe
4320	schtasks.exe
4596	schtasks.exe
4828	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
4676	DllCommonsvc.exe
4676	DllCommonsvc.exe
4676	DllCommonsvc.exe
4676	DllCommonsvc.exe
4676	DllCommonsvc.exe
4676	DllCommonsvc.exe
4676	DllCommonsvc.exe
1208	powershell.exe
776	powershell.exe
420	powershell.exe
3304	powershell.exe
160	powershell.exe
2208	powershell.exe
420	powershell.exe
4848	powershell.exe
2312	powershell.exe
5072	powershell.exe
5072	powershell.exe
3304	powershell.exe
3304	powershell.exe
2732	powershell.exe
2732	powershell.exe
2700	powershell.exe
2700	powershell.exe
4912	lsass.exe
4912	lsass.exe
420	powershell.exe
420	powershell.exe
2700	powershell.exe
2732	powershell.exe
3304	powershell.exe
1208	powershell.exe
1208	powershell.exe
776	powershell.exe
776	powershell.exe
160	powershell.exe
160	powershell.exe
2700	powershell.exe
2208	powershell.exe
2208	powershell.exe
4848	powershell.exe
4848	powershell.exe
5072	powershell.exe
2312	powershell.exe
2312	powershell.exe
2732	powershell.exe
776	powershell.exe
1208	powershell.exe
160	powershell.exe
2208	powershell.exe
4848	powershell.exe
5072	powershell.exe
2312	powershell.exe
1776	lsass.exe
1264	lsass.exe
4692	lsass.exe
4340	lsass.exe
4472	lsass.exe
4604	lsass.exe
3848	lsass.exe
4092	lsass.exe
5060	lsass.exe
4804	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	DllCommonsvc.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	160	powershell.exe
Token: SeDebugPrivilege	4912	lsass.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeIncreaseQuotaPrivilege	3304	powershell.exe
Token: SeSecurityPrivilege	3304	powershell.exe
Token: SeTakeOwnershipPrivilege	3304	powershell.exe
Token: SeLoadDriverPrivilege	3304	powershell.exe
Token: SeSystemProfilePrivilege	3304	powershell.exe
Token: SeSystemtimePrivilege	3304	powershell.exe
Token: SeProfSingleProcessPrivilege	3304	powershell.exe
Token: SeIncBasePriorityPrivilege	3304	powershell.exe
Token: SeCreatePagefilePrivilege	3304	powershell.exe
Token: SeBackupPrivilege	3304	powershell.exe
Token: SeRestorePrivilege	3304	powershell.exe
Token: SeShutdownPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeSystemEnvironmentPrivilege	3304	powershell.exe
Token: SeRemoteShutdownPrivilege	3304	powershell.exe
Token: SeUndockPrivilege	3304	powershell.exe
Token: SeManageVolumePrivilege	3304	powershell.exe
Token: 33	3304	powershell.exe
Token: 34	3304	powershell.exe
Token: 35	3304	powershell.exe
Token: 36	3304	powershell.exe
Token: SeIncreaseQuotaPrivilege	420	powershell.exe
Token: SeSecurityPrivilege	420	powershell.exe
Token: SeTakeOwnershipPrivilege	420	powershell.exe
Token: SeLoadDriverPrivilege	420	powershell.exe
Token: SeSystemProfilePrivilege	420	powershell.exe
Token: SeSystemtimePrivilege	420	powershell.exe
Token: SeProfSingleProcessPrivilege	420	powershell.exe
Token: SeIncBasePriorityPrivilege	420	powershell.exe
Token: SeCreatePagefilePrivilege	420	powershell.exe
Token: SeBackupPrivilege	420	powershell.exe
Token: SeRestorePrivilege	420	powershell.exe
Token: SeShutdownPrivilege	420	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeSystemEnvironmentPrivilege	420	powershell.exe
Token: SeRemoteShutdownPrivilege	420	powershell.exe
Token: SeUndockPrivilege	420	powershell.exe
Token: SeManageVolumePrivilege	420	powershell.exe
Token: 33	420	powershell.exe
Token: 34	420	powershell.exe
Token: 35	420	powershell.exe
Token: 36	420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2700	powershell.exe
Token: SeSecurityPrivilege	2700	powershell.exe
Token: SeTakeOwnershipPrivilege	2700	powershell.exe
Token: SeLoadDriverPrivilege	2700	powershell.exe
Token: SeSystemProfilePrivilege	2700	powershell.exe
Token: SeSystemtimePrivilege	2700	powershell.exe
Token: SeProfSingleProcessPrivilege	2700	powershell.exe
Token: SeIncBasePriorityPrivilege	2700	powershell.exe
Token: SeCreatePagefilePrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 5020	3516	aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe	66
PID 3516 wrote to memory of 5020	3516	aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe	66
PID 3516 wrote to memory of 5020	3516	aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe	66
PID 5020 wrote to memory of 3640	5020	WScript.exe	67
PID 5020 wrote to memory of 3640	5020	WScript.exe	67
PID 5020 wrote to memory of 3640	5020	WScript.exe	67
PID 3640 wrote to memory of 4676	3640	cmd.exe	69
PID 3640 wrote to memory of 4676	3640	cmd.exe	69
PID 4676 wrote to memory of 1208	4676	DllCommonsvc.exe	101
PID 4676 wrote to memory of 1208	4676	DllCommonsvc.exe	101
PID 4676 wrote to memory of 776	4676	DllCommonsvc.exe	103
PID 4676 wrote to memory of 776	4676	DllCommonsvc.exe	103
PID 4676 wrote to memory of 420	4676	DllCommonsvc.exe	104
PID 4676 wrote to memory of 420	4676	DllCommonsvc.exe	104
PID 4676 wrote to memory of 3304	4676	DllCommonsvc.exe	122
PID 4676 wrote to memory of 3304	4676	DllCommonsvc.exe	122
PID 4676 wrote to memory of 160	4676	DllCommonsvc.exe	106
PID 4676 wrote to memory of 160	4676	DllCommonsvc.exe	106
PID 4676 wrote to memory of 4848	4676	DllCommonsvc.exe	107
PID 4676 wrote to memory of 4848	4676	DllCommonsvc.exe	107
PID 4676 wrote to memory of 2208	4676	DllCommonsvc.exe	108
PID 4676 wrote to memory of 2208	4676	DllCommonsvc.exe	108
PID 4676 wrote to memory of 5072	4676	DllCommonsvc.exe	109
PID 4676 wrote to memory of 5072	4676	DllCommonsvc.exe	109
PID 4676 wrote to memory of 2312	4676	DllCommonsvc.exe	110
PID 4676 wrote to memory of 2312	4676	DllCommonsvc.exe	110
PID 4676 wrote to memory of 2732	4676	DllCommonsvc.exe	113
PID 4676 wrote to memory of 2732	4676	DllCommonsvc.exe	113
PID 4676 wrote to memory of 2700	4676	DllCommonsvc.exe	111
PID 4676 wrote to memory of 2700	4676	DllCommonsvc.exe	111
PID 4676 wrote to memory of 4912	4676	DllCommonsvc.exe	116
PID 4676 wrote to memory of 4912	4676	DllCommonsvc.exe	116
PID 4912 wrote to memory of 700	4912	lsass.exe	125
PID 4912 wrote to memory of 700	4912	lsass.exe	125
PID 700 wrote to memory of 692	700	cmd.exe	127
PID 700 wrote to memory of 692	700	cmd.exe	127
PID 700 wrote to memory of 1776	700	cmd.exe	128
PID 700 wrote to memory of 1776	700	cmd.exe	128
PID 1776 wrote to memory of 2232	1776	lsass.exe	129
PID 1776 wrote to memory of 2232	1776	lsass.exe	129
PID 2232 wrote to memory of 1324	2232	cmd.exe	131
PID 2232 wrote to memory of 1324	2232	cmd.exe	131
PID 2232 wrote to memory of 1264	2232	cmd.exe	132
PID 2232 wrote to memory of 1264	2232	cmd.exe	132
PID 1264 wrote to memory of 3620	1264	lsass.exe	133
PID 1264 wrote to memory of 3620	1264	lsass.exe	133
PID 3620 wrote to memory of 3176	3620	cmd.exe	135
PID 3620 wrote to memory of 3176	3620	cmd.exe	135
PID 3620 wrote to memory of 4692	3620	cmd.exe	136
PID 3620 wrote to memory of 4692	3620	cmd.exe	136
PID 4692 wrote to memory of 1116	4692	lsass.exe	137
PID 4692 wrote to memory of 1116	4692	lsass.exe	137
PID 1116 wrote to memory of 2280	1116	cmd.exe	139
PID 1116 wrote to memory of 2280	1116	cmd.exe	139
PID 1116 wrote to memory of 4340	1116	cmd.exe	140
PID 1116 wrote to memory of 4340	1116	cmd.exe	140
PID 4340 wrote to memory of 3932	4340	lsass.exe	141
PID 4340 wrote to memory of 3932	4340	lsass.exe	141
PID 3932 wrote to memory of 3816	3932	cmd.exe	143
PID 3932 wrote to memory of 3816	3932	cmd.exe	143
PID 3932 wrote to memory of 4472	3932	cmd.exe	144
PID 3932 wrote to memory of 4472	3932	cmd.exe	144
PID 4472 wrote to memory of 4744	4472	lsass.exe	145
PID 4472 wrote to memory of 4744	4472	lsass.exe	145

C:\Users\Admin\AppData\Local\Temp\aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe
"C:\Users\Admin\AppData\Local\Temp\aaba51a3d3b44f791f3dd6a9d85ea91c543d7c4dacdadfaac4eaef96663d2b9a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:692
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1324
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3176
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2280
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3816
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        16⤵
        
        PID:4744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4412
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        18⤵
        
        PID:3796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:776
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        20⤵
        
        PID:5084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1752
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        22⤵
        
        PID:4668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4896
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        24⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4588
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\twain_32\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b430642214d110d1148b8c514fd5fe

SHA1
10456a35e69ad2a7d2dd0dbe61bf484be20ba513

SHA256
212cc55ff1814a42bab398592d1ab42b4cd3319cf7e69a7a7b3ba6bdddf3e9fb

SHA512
52d6a4979c8b7be50c66cff28f1f533686a6786eb8c0ee35f625b6187014cc947ec1e526df22bf955384b3a609acf0524670f562ba42be595164f89cfa0acddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dac8d82d4e4f2dd0716e684adbda26fe

SHA1
65bee82618f1c525b8014e033b32b1f43517b563

SHA256
7c45fe4606d9c653dc1e3a229fcbfb3c48c279c8123d7b3e341f2898e7eb5920

SHA512
9cf6122e75ab86676c0a051084e64b51c8836be3221a6a3e58ab0919b3cf74acd2ce05c0586e7eaa27638d045a75f6a7f100a807800a114c8638de220a45ea0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0764e0e9847ca92224eb0c8f0c07c36

SHA1
23065d4f9cf584db63c8bd54d3e96511267b5e9f

SHA256
743ce4cff555fa6a53fb5b8fda2cd76b4a1f9eeeafbe9d18296944df67a56ef3

SHA512
3e0c2a23031a091cb19f9306e80cfb9abf8ded22c1ad613bf381dfb0bf1bf53ce9ff802e95868f524f680ac5a4ecbb0adb39e1480d0fcf94dd8f1f6ae68f07b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0764e0e9847ca92224eb0c8f0c07c36

SHA1
23065d4f9cf584db63c8bd54d3e96511267b5e9f

SHA256
743ce4cff555fa6a53fb5b8fda2cd76b4a1f9eeeafbe9d18296944df67a56ef3

SHA512
3e0c2a23031a091cb19f9306e80cfb9abf8ded22c1ad613bf381dfb0bf1bf53ce9ff802e95868f524f680ac5a4ecbb0adb39e1480d0fcf94dd8f1f6ae68f07b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb3593459cc6f68e1d937bb3dd8170b0

SHA1
d91f40f0428832330a2daed88b4e62acde53a9d4

SHA256
434bbb4b9c8c9005a6b05881de4d3724c9c104ee6c1b73b657b10bd826f90bfb

SHA512
d5107f4815760d5f840a872b3435257e2046a10673ac23d05e736a6f8687aa8706a97d779b69596e3866ef2d772561d5c95c90114e336ad2849338113619e24f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb3593459cc6f68e1d937bb3dd8170b0

SHA1
d91f40f0428832330a2daed88b4e62acde53a9d4

SHA256
434bbb4b9c8c9005a6b05881de4d3724c9c104ee6c1b73b657b10bd826f90bfb

SHA512
d5107f4815760d5f840a872b3435257e2046a10673ac23d05e736a6f8687aa8706a97d779b69596e3866ef2d772561d5c95c90114e336ad2849338113619e24f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f18c06f44f7cb816e2d6e277aae5731a

SHA1
fa1f82bbf2a1e12e95b32ebca20e7db9a4eb7d87

SHA256
019730648001a98a431c3f9e16e08e47270e5cceb73b27b8272f26a192a95cc2

SHA512
35c988b1911ba8ec14e3a196acc186ab74aa95bdc9fe423c4f6fa40718ca1b2a105f652edebafbddfe14cdf4c87c9e545a7aad54e334f2544a54d1d2c1653628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f18c06f44f7cb816e2d6e277aae5731a

SHA1
fa1f82bbf2a1e12e95b32ebca20e7db9a4eb7d87

SHA256
019730648001a98a431c3f9e16e08e47270e5cceb73b27b8272f26a192a95cc2

SHA512
35c988b1911ba8ec14e3a196acc186ab74aa95bdc9fe423c4f6fa40718ca1b2a105f652edebafbddfe14cdf4c87c9e545a7aad54e334f2544a54d1d2c1653628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
657551894db8cfd1e8d0e10dcd56c187

SHA1
c66ea52271cca44782d9dd86d57154564ddbb7cd

SHA256
b2040014698794e19f5478b64c7b7f239c007fec8c50363336c5d4c902600e0b

SHA512
9219ab9cef0a25fc66216a8571bfc27714b260b6b0d51191bd654fba4d96883633c38d33eeb8d2acc20a2f4e1e365148949fa16bdeae49b13f729aa356552d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
192B

MD5
37024323684d9c186cd911b7da4a8c6f

SHA1
54e3fb9324589901dc3f9584beead9ba8925aeae

SHA256
11963b0404db7182f55459028d1e7c2641437122a55249322e443a99116b9d9e

SHA512
d7b1a3ca293c6d47be2a7131497e47c70261a63578c13ab024b095bdb3aa26d7a6fc6b7418a655832a006b7e053c31582ac8470a506faab44b3da7978ff115e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
192B

MD5
283e77563899c2256013045ed9e743e4

SHA1
bbc681f24c660cfc496a3bb9908c98cb3df32129

SHA256
731a0453f64e992cb3d4fee7382a0a2d4fb155003027102682bc7aa1adc73a5e

SHA512
f23de1cba8dd238343f93fda03d11a71960057381219152bd07ac90ec8137b9fbe6ada075a0e550cc8924fcc1361a18ced1800e633b076f1c7b3bc10eab668c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
192B

MD5
475ff15ac45add378c6d95e670393b52

SHA1
7e91240e82f1a6befe79ba7f02e4773673904b88

SHA256
274bd24a811fb83cc48481ac2cc936abf2835a5178eced4a1931f73dbb509149

SHA512
d23b4b52a2b9f9cb0dc67677d59b61e96051fcc706f21b5aa56770df1fa5ee8d1d11141081fe646685f0f09c239aa2646443d4d23a60922a8b7f01193fde5e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
192B

MD5
8623ec031a47c6fae65469a64f62d159

SHA1
8e595bf2c47cb9d3a46701af48a8ac5b0e9a50b0

SHA256
b51396c1fda312ce71d976dd651830c4ad5e60659d63ed03af332e521d8b7342

SHA512
e21ee330c7fbaad8bf0f799138085fdfe52fe4918cb34f6657d0c1f4ed297f11f0437716158d0fa5693e984ff325ef7ad987f72a61e9a57343541d2f62876b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
192B

MD5
d1f69a93cf2279d1e57f070e4f29bac6

SHA1
562640fe80aed5dfba4ff3c8a7ff09d1f8680426

SHA256
8346b4294a34bb62cb8655077da80473bf6070b57269056c1106fa1445492bb9

SHA512
be2adbbbe5efcb9d69b319217920a4e8aa608f849a397326adb8f65192a85ed4498f092b68bb88095441b7fc926e65be4de5807f12f252236d8034a4cf49522b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
192B

MD5
44687ca80b590e1bf234f70a644a4318

SHA1
4ddff79a594a5887ef62ad688173e945d94866ac

SHA256
0a7e6ee7d1a78e05101dddb5423c4c7063b7c0efb4ef0a13857483dfbbe3229b

SHA512
33c529972b6e65aecaa0cdf230d62fd9ffc02c24ae8208115e3e6f8907a6f7377accb9edb0e1f9c3f37ac574fd3b88c6a60e29e3a5720675ea2bfab25df03d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
192B

MD5
25ba83ae88a5fc79f80b0312a42cc603

SHA1
062d0738b3b8238b6bc8e00faf2fe7a4ae7f7257

SHA256
f6954d3b9e4e5edbcde863ad0c03efe44651bb045982cec3b78d5f0ef0cafe92

SHA512
1dfa8ea9040caaa1702432459cd30aa2a1db8c45310c3c051f1475cd3b3dbacabb7704abb1b74ba2b33c23d4af0865e9e23791038374962f49938e01fe12cc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
192B

MD5
f242d6b0857572739f491bcf5662b313

SHA1
d8cc0c6196f8bfa2bf32f65214060ea156f3495d

SHA256
5d0daba2b5ef31038e7b252e1264d974314ad31e44ef3fa8958a8d6d3402420d

SHA512
87efe5483d8a6cbc6d9bb262190015dfb56c487667abfe4c59d57df961c1e68ab648c593a92091b74ed0c41168b539aadf200e6d065fa01fcb85290013793837

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
192B

MD5
3ba9decee5fc724dc8767e6631b59817

SHA1
b39a9fbaaf080bccb5d54f8f00ea3bf9e350bc7c

SHA256
db525f1c021b91c109b62717a1dec862ed8e42bc9e66e8fc3f32a25689d4a79d

SHA512
2cffb6866d198d1ac1818e3172fd461fbe92da55c064a7e19ba3b8c063b046341f7abb77cb9aaabac6f3d8dfd7a1315da78eb9df79589e59a0126c00998d6782

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
192B

MD5
3b87aa8b5347f650a9cd53eb5c428aa1

SHA1
a1dbbfa2bd8fe92adb18d19514d4bd5117db0d16

SHA256
bee5e0ef6b644c9936deea3060293afd59e572e6ba265d4ea2df4e6155a0fc9a

SHA512
722b6a2202badc3f39319a0f0bbfa1d686248a59f143d48380cd9491c69970c0f7237e1fb131f9545eb656f5b5d198b09ebbb450f5d8750dbfe73f660a4b92f1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/420-345-0x00000210F1400000-0x00000210F1422000-memory.dmp

Filesize
136KB

Download
memory/420-348-0x00000210F1760000-0x00000210F17D6000-memory.dmp

Filesize
472KB

Download
memory/1264-687-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download
memory/3516-145-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-170-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-117-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-118-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-177-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-176-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-119-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-121-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-175-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-174-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-122-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-124-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-125-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-126-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-127-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-173-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-128-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-172-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-171-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-130-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-178-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-168-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-169-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-167-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-129-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-166-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-179-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-165-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-164-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-163-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-162-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-161-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-160-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-159-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-158-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-157-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-156-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-155-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-154-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-153-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-152-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-151-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-150-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-149-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-148-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-147-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-131-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-144-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-146-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-143-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-142-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-141-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-140-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-132-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-139-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-116-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-133-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-138-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-137-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-136-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-135-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-134-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4340-698-0x00000000014C0000-0x00000000014D2000-memory.dmp

Filesize
72KB

Download
memory/4472-704-0x00000000014F0000-0x0000000001502000-memory.dmp

Filesize
72KB

Download
memory/4676-282-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/4676-283-0x0000000001400000-0x0000000001412000-memory.dmp

Filesize
72KB

Download
memory/4676-285-0x0000000001410000-0x000000000141C000-memory.dmp

Filesize
48KB

Download
memory/4676-284-0x0000000002B80000-0x0000000002B8C000-memory.dmp

Filesize
48KB

Download
memory/4676-286-0x0000000002B90000-0x0000000002B9C000-memory.dmp

Filesize
48KB

Download
memory/5020-182-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/5020-181-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download