dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Size

1.3MB
MD5

adde6baef89ebb01b5e60f15610ba470
SHA1

edc49b43aa822b754ee617db11c3ffc1a3e79ec1
SHA256

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
SHA512

89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4456	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral10/memory/5044-286-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	dcrat

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exe

pid	process
5044	DllCommonsvc.exe
216	ShellExperienceHost.exe
4156	ShellExperienceHost.exe
4068	ShellExperienceHost.exe
4284	ShellExperienceHost.exe
4676	ShellExperienceHost.exe
1640	ShellExperienceHost.exe
2316	ShellExperienceHost.exe
164	ShellExperienceHost.exe
1248	ShellExperienceHost.exe
4760	ShellExperienceHost.exe
5072	ShellExperienceHost.exe
2932	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\Cursors\fontdrvhost.exe DllCommonsvc.exe
File created C:\Windows\Cursors\5b884080fd4f94 DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Cursors\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\5b884080fd4f94	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4728	schtasks.exe
3536	schtasks.exe
4552	schtasks.exe
3024	schtasks.exe
4652	schtasks.exe
4928	schtasks.exe
4912	schtasks.exe
4724	schtasks.exe
4748	schtasks.exe
4756	schtasks.exe
3976	schtasks.exe
4908	schtasks.exe
4936	schtasks.exe
4204	schtasks.exe
3752	schtasks.exe
3584	schtasks.exe
4212	schtasks.exe
3884	schtasks.exe

Modifies registry class 13 IoCs

Processes:

ShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exee6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exe

pid	process
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
5044	DllCommonsvc.exe
4800	powershell.exe
4680	powershell.exe
4640	powershell.exe
4864	powershell.exe
912	powershell.exe
1864	powershell.exe
1864	powershell.exe
4100	powershell.exe
912	powershell.exe
216	ShellExperienceHost.exe
4680	powershell.exe
4800	powershell.exe
4864	powershell.exe
4640	powershell.exe
4100	powershell.exe
912	powershell.exe
1864	powershell.exe
4680	powershell.exe
4800	powershell.exe
4864	powershell.exe
4640	powershell.exe
4100	powershell.exe
4156	ShellExperienceHost.exe
4068	ShellExperienceHost.exe
4284	ShellExperienceHost.exe
4676	ShellExperienceHost.exe
1640	ShellExperienceHost.exe
2316	ShellExperienceHost.exe
164	ShellExperienceHost.exe
1248	ShellExperienceHost.exe
4760	ShellExperienceHost.exe
5072	ShellExperienceHost.exe
2932	ShellExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exeShellExperienceHost.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5044	DllCommonsvc.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	216	ShellExperienceHost.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1864	powershell.exe
Token: SeSecurityPrivilege	1864	powershell.exe
Token: SeTakeOwnershipPrivilege	1864	powershell.exe
Token: SeLoadDriverPrivilege	1864	powershell.exe
Token: SeSystemProfilePrivilege	1864	powershell.exe
Token: SeSystemtimePrivilege	1864	powershell.exe
Token: SeProfSingleProcessPrivilege	1864	powershell.exe
Token: SeIncBasePriorityPrivilege	1864	powershell.exe
Token: SeCreatePagefilePrivilege	1864	powershell.exe
Token: SeBackupPrivilege	1864	powershell.exe
Token: SeRestorePrivilege	1864	powershell.exe
Token: SeShutdownPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeSystemEnvironmentPrivilege	1864	powershell.exe
Token: SeRemoteShutdownPrivilege	1864	powershell.exe
Token: SeUndockPrivilege	1864	powershell.exe
Token: SeManageVolumePrivilege	1864	powershell.exe
Token: 33	1864	powershell.exe
Token: 34	1864	powershell.exe
Token: 35	1864	powershell.exe
Token: 36	1864	powershell.exe
Token: SeIncreaseQuotaPrivilege	912	powershell.exe
Token: SeSecurityPrivilege	912	powershell.exe
Token: SeTakeOwnershipPrivilege	912	powershell.exe
Token: SeLoadDriverPrivilege	912	powershell.exe
Token: SeSystemProfilePrivilege	912	powershell.exe
Token: SeSystemtimePrivilege	912	powershell.exe
Token: SeProfSingleProcessPrivilege	912	powershell.exe
Token: SeIncBasePriorityPrivilege	912	powershell.exe
Token: SeCreatePagefilePrivilege	912	powershell.exe
Token: SeBackupPrivilege	912	powershell.exe
Token: SeRestorePrivilege	912	powershell.exe
Token: SeShutdownPrivilege	912	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeSystemEnvironmentPrivilege	912	powershell.exe
Token: SeRemoteShutdownPrivilege	912	powershell.exe
Token: SeUndockPrivilege	912	powershell.exe
Token: SeManageVolumePrivilege	912	powershell.exe
Token: 33	912	powershell.exe
Token: 34	912	powershell.exe
Token: 35	912	powershell.exe
Token: 36	912	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeWScript.execmd.exeDllCommonsvc.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 3840	2368	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 2368 wrote to memory of 3840	2368	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 2368 wrote to memory of 3840	2368	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3840 wrote to memory of 5052	3840	WScript.exe	cmd.exe
PID 3840 wrote to memory of 5052	3840	WScript.exe	cmd.exe
PID 3840 wrote to memory of 5052	3840	WScript.exe	cmd.exe
PID 5052 wrote to memory of 5044	5052	cmd.exe	DllCommonsvc.exe
PID 5052 wrote to memory of 5044	5052	cmd.exe	DllCommonsvc.exe
PID 5044 wrote to memory of 4680	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4680	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4800	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4800	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4864	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4864	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 1864	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 1864	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4100	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4100	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4640	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 4640	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 912	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 912	5044	DllCommonsvc.exe	powershell.exe
PID 5044 wrote to memory of 216	5044	DllCommonsvc.exe	ShellExperienceHost.exe
PID 5044 wrote to memory of 216	5044	DllCommonsvc.exe	ShellExperienceHost.exe
PID 216 wrote to memory of 4208	216	ShellExperienceHost.exe	cmd.exe
PID 216 wrote to memory of 4208	216	ShellExperienceHost.exe	cmd.exe
PID 4208 wrote to memory of 1800	4208	cmd.exe	w32tm.exe
PID 4208 wrote to memory of 1800	4208	cmd.exe	w32tm.exe
PID 4208 wrote to memory of 4156	4208	cmd.exe	ShellExperienceHost.exe
PID 4208 wrote to memory of 4156	4208	cmd.exe	ShellExperienceHost.exe
PID 4156 wrote to memory of 4544	4156	ShellExperienceHost.exe	cmd.exe
PID 4156 wrote to memory of 4544	4156	ShellExperienceHost.exe	cmd.exe
PID 4544 wrote to memory of 764	4544	cmd.exe	w32tm.exe
PID 4544 wrote to memory of 764	4544	cmd.exe	w32tm.exe
PID 4544 wrote to memory of 4068	4544	cmd.exe	ShellExperienceHost.exe
PID 4544 wrote to memory of 4068	4544	cmd.exe	ShellExperienceHost.exe
PID 4068 wrote to memory of 3216	4068	ShellExperienceHost.exe	cmd.exe
PID 4068 wrote to memory of 3216	4068	ShellExperienceHost.exe	cmd.exe
PID 3216 wrote to memory of 4256	3216	cmd.exe	w32tm.exe
PID 3216 wrote to memory of 4256	3216	cmd.exe	w32tm.exe
PID 3216 wrote to memory of 4284	3216	cmd.exe	ShellExperienceHost.exe
PID 3216 wrote to memory of 4284	3216	cmd.exe	ShellExperienceHost.exe
PID 4284 wrote to memory of 4744	4284	ShellExperienceHost.exe	cmd.exe
PID 4284 wrote to memory of 4744	4284	ShellExperienceHost.exe	cmd.exe
PID 4744 wrote to memory of 4912	4744	cmd.exe	w32tm.exe
PID 4744 wrote to memory of 4912	4744	cmd.exe	w32tm.exe
PID 4744 wrote to memory of 4676	4744	cmd.exe	ShellExperienceHost.exe
PID 4744 wrote to memory of 4676	4744	cmd.exe	ShellExperienceHost.exe
PID 4676 wrote to memory of 4888	4676	ShellExperienceHost.exe	cmd.exe
PID 4676 wrote to memory of 4888	4676	ShellExperienceHost.exe	cmd.exe
PID 4888 wrote to memory of 4756	4888	cmd.exe	w32tm.exe
PID 4888 wrote to memory of 4756	4888	cmd.exe	w32tm.exe
PID 4888 wrote to memory of 1640	4888	cmd.exe	ShellExperienceHost.exe
PID 4888 wrote to memory of 1640	4888	cmd.exe	ShellExperienceHost.exe
PID 1640 wrote to memory of 2232	1640	ShellExperienceHost.exe	cmd.exe
PID 1640 wrote to memory of 2232	1640	ShellExperienceHost.exe	cmd.exe
PID 2232 wrote to memory of 1456	2232	cmd.exe	w32tm.exe
PID 2232 wrote to memory of 1456	2232	cmd.exe	w32tm.exe
PID 2232 wrote to memory of 2316	2232	cmd.exe	ShellExperienceHost.exe
PID 2232 wrote to memory of 2316	2232	cmd.exe	ShellExperienceHost.exe
PID 2316 wrote to memory of 2968	2316	ShellExperienceHost.exe	cmd.exe
PID 2316 wrote to memory of 2968	2316	ShellExperienceHost.exe	cmd.exe
PID 2968 wrote to memory of 1676	2968	cmd.exe	w32tm.exe
PID 2968 wrote to memory of 1676	2968	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1800

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:764

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:4256

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
18⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
20⤵
PID:1840

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
22⤵
PID:2584

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:4780

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
23⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
24⤵
PID:3632

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4892

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
25⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
26⤵
PID:3312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:5112

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
"C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe"
27⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
28⤵
PID:3388

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Cursors\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4912

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4756

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1676

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
841ce374d9a41fd15030ea5863514f08

SHA1
7cbcd1f4095a5815cd6ff0b03034a114a4a03c24

SHA256
83a696fd1d6387cff1c6fc58cc3e87ab40a5a4ae0d220d8152c525c13d4e7bf6

SHA512
fce7885884ac5976f923384d103b3c349ceb4174925145139b97eb79fc539748ca01e2f2fa797dc4704db16d6b6d8850aef0c36d92641e4e2524c6d9ec47a20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
841ce374d9a41fd15030ea5863514f08

SHA1
7cbcd1f4095a5815cd6ff0b03034a114a4a03c24

SHA256
83a696fd1d6387cff1c6fc58cc3e87ab40a5a4ae0d220d8152c525c13d4e7bf6

SHA512
fce7885884ac5976f923384d103b3c349ceb4174925145139b97eb79fc539748ca01e2f2fa797dc4704db16d6b6d8850aef0c36d92641e4e2524c6d9ec47a20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b5e462e7f3e3ad6e5ac2a6d347a44208

SHA1
9365e88573a4283529456f1593d513373e870001

SHA256
7ddd39d0206aece6ec1fd6afc43c60ce10f83369c130fccdcbe1886628ac258f

SHA512
4f9b5cd9e46d49b5c5e765274c59036303c3c6146452d65aa0b6ec311884c084b4f1e7172d84334865eeb98239f2341e01ab3d0f01848efa6fcfb80a248c2c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
65ff5ed2618392564bf9c2fcf7542be2

SHA1
62fbedd8d9081d27e4b655fe836489fbf243922f

SHA256
026dab33ca8cc5555a69f92abe0c9eb6b13cd24a633bfe44d46547547800b476

SHA512
c9c9fa5ad288caf9c674a57755fdb4df324a73a4feada8107b9c0b4070ea93ac4a6c46791243f4d8699d1d7bceef37f0db02af8f73ab4a5ec8e487387ff88c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1ba758909561f0b381129b127297ae3c

SHA1
14dd599c23e1afe818afbd941bcc04c571edcfb9

SHA256
ec638408c3af97bbef812e57996a86dec83f0f707fe6b091e97adec8def67691

SHA512
ddab93a044a63ec012d09813d74a9e4479481e946da371cec264ed32965e57f4c9e5c33b95a09a08dce4a8e54d490459228f4ecac1aded31d0c93fc565cafe52

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat
Filesize
233B

MD5
bc19fe2ee24d6a79e8543e8748aae7c7

SHA1
b7db542e7157f668620a8132ff63fa030ca2acd1

SHA256
4acdd989f97812430569baab408a0d90ca61dc7c90de395d430b52ef8271e4f6

SHA512
cbda4b322fa98a1f571929eb682eee888a3da908c7aff8f6eeea04e7415fdf3dd4eaa71dac14126b4d700893ff5b0cfe66253a20e6a545b39324fd9516213293

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat
Filesize
233B

MD5
ef902ce0102b5144a11c726f2eeae1fe

SHA1
dd5054b0e37a04a5758de263538a5ba0c19daa54

SHA256
9930a85f1b17d1db643570dd3a0403f814eb5c3f61ce3d85bb9751e7262dc9f7

SHA512
b8ad3d683f17558211cfb70a376cef598d0ee84040be8dcceb8cfd8bea356f3cfec24046e90aa75161adde9888a56f1f27c7cab5833e92d6eeaf214c9bca46ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat
Filesize
233B

MD5
7e2cf6c1283e247fc19c5b029bef688a

SHA1
38c44ed05868b536f2c1fc0af898201835251adc

SHA256
a5e89dbe4d7079e45da70329c5682cc090fd02a8bceef18266c030bcbba68b47

SHA512
24ce80900f88dea24999106bb922623bf0469ac2a1c83aba6928f59f44209059f66819fc0ca58bfae94118a40f019643054b0816faae61d77a36ba3bd28d57ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat
Filesize
233B

MD5
e8d0ab84d6af27c8f12851379885b4c4

SHA1
36fceaa84e27e67eb94ef0dfd44fa7ac81817a86

SHA256
2a55a7d9b32d8d5b4a83f464f832c2aaddc7d25a9395fae088543f959254b7c1

SHA512
db63712264da9ce46b91e98f6aa83d59fd20f328d1059b8dbf5ce52b4745e58c2ae63a96eb0fc4d5cc6250b512a702807b45d9b693708dfdc8533ffe2da9f039

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat
Filesize
233B

MD5
3c7ee22e3ad5625e1baac2eab815c6a5

SHA1
7093c280c2fc10d17da4a16096a8b61c1c76a8f3

SHA256
c2e36bac9ba9527886b745826421ed83982e86d6441a1279cb219cf18bc1e69d

SHA512
d8a29abf52a13e31de66769f7280a24adec32fda7ea14ac93cdc290152053bff1f7bb76b978d9b9d325362c364e3f1671a7a7b7122c72cd82e725f18ac3f4e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat
Filesize
233B

MD5
9bf7cadfbad7d7c1947fbe324343a0e6

SHA1
deda1f3c44eae224aef045a9bce270648189f164

SHA256
c75fd5118984ab6808614bb07809ca4895d45f39eb433d78b5ff91b96a1fe9bd

SHA512
ff43043460080b6eedd2233069a2e4a6a96295c732e14efcd6e3fdcdf408d3b4fd2b1380b37c3d979f310e2ca3f756558c0dd04315fe2f537924a0c2a6f117a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat
Filesize
233B

MD5
2f3bc2e861504214c9ae2a2592b14500

SHA1
a32eb5678a8c10331f80d209a7b3f4448ba02c45

SHA256
ea261e13ecbde5b2a38ff216c3d3e2162a1a4cbc9971716c266ab85a98bca61d

SHA512
d333743b0416aa50b7c13c8a1ea9fc630493be992992095a3535b0f96090d17b18c058c4d5709cb297214639ca104ffa5ad708838e6b3f98a6215a89b062fde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat
Filesize
233B

MD5
28f01c5ffafe81e357224ffaa53cb7ff

SHA1
9587771392a10b870537d171da2dcd4a571ad130

SHA256
8e164afdc35085f68a55b3fd12de1fb58a6e2c80f880a12f2a43d0c5e9931502

SHA512
c2d068f07abd03e94319b2c45e03020eec1166305f500f824572c3a69dd0779d1a46554d5cff1fdc66930dd032fa22c2e4bc04e70f4e8a8b2ded26171a329f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat
Filesize
233B

MD5
12a1431b5ea5b1efaf75fc38e1ca25bc

SHA1
18154df7e97f095d09945d5d566489428cd3cb37

SHA256
e391c56cad1e0a57d38fa0bdd4417a57040822792f04da31f263549d7861bb85

SHA512
01423bd475cc21270c585b6c37b0f41b32eb9b99c0e614e29328395ebc0e66ece6c80b91bd8bcd3a915f7dcb5d8019506c2b1dc00332353334c4fbbeabfbe576

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat
Filesize
233B

MD5
ad4c6ebf8d0f054dd289c204039ba201

SHA1
61807fa43df5c86113e438f68f6cbf1786995d72

SHA256
1d0d18b77f030871778475318886586553a928441fb586d6bea32b4cbe4b83fe

SHA512
f8d2bd32fad6676f87e94688fb023bbd4138beb8cb67538198accfef5cd9e47de5c3306ec1ddd3b404b7ecea6c2c0362595c533de4225d406da3bfacf52dcdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat
Filesize
233B

MD5
30cb515c0982eb9b4a2c0d4f7aeb8845

SHA1
07e6d5e4f19a0fe30b45f80b4afe39307b10b75a

SHA256
42d9ad51dbf5c6bf521d6b26b1114ade68e16ff6eada05ba605c9317a7c11cb9

SHA512
232f52deb473c20991a01b075023de0966447b66e67cb3bf92fe0da0731a6ab9beb84ee980885e59fd50885d5e71598f769e63b06b28d9fc79d17953938227bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat
Filesize
233B

MD5
30cb515c0982eb9b4a2c0d4f7aeb8845

SHA1
07e6d5e4f19a0fe30b45f80b4afe39307b10b75a

SHA256
42d9ad51dbf5c6bf521d6b26b1114ade68e16ff6eada05ba605c9317a7c11cb9

SHA512
232f52deb473c20991a01b075023de0966447b66e67cb3bf92fe0da0731a6ab9beb84ee980885e59fd50885d5e71598f769e63b06b28d9fc79d17953938227bc

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/164-584-0x0000000000000000-mapping.dmp

Download
memory/216-303-0x0000000000000000-mapping.dmp

Download
memory/216-331-0x0000000001680000-0x0000000001692000-memory.dmp

Filesize
72KB

Download
memory/396-611-0x0000000000000000-mapping.dmp

Download
memory/764-556-0x0000000000000000-mapping.dmp

Download
memory/912-297-0x0000000000000000-mapping.dmp

Download
memory/1248-591-0x0000000002FD0000-0x0000000002FE2000-memory.dmp

Filesize
72KB

Download
memory/1248-589-0x0000000000000000-mapping.dmp

Download
memory/1456-577-0x0000000000000000-mapping.dmp

Download
memory/1640-573-0x0000000000000000-mapping.dmp

Download
memory/1676-583-0x0000000000000000-mapping.dmp

Download
memory/1800-523-0x0000000000000000-mapping.dmp

Download
memory/1840-586-0x0000000000000000-mapping.dmp

Download
memory/1864-335-0x0000020549690000-0x0000020549706000-memory.dmp

Filesize
472KB

Download
memory/1864-294-0x0000000000000000-mapping.dmp

Download
memory/2232-575-0x0000000000000000-mapping.dmp

Download
memory/2316-578-0x0000000000000000-mapping.dmp

Download
memory/2316-580-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/2368-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-592-0x0000000000000000-mapping.dmp

Download
memory/2908-588-0x0000000000000000-mapping.dmp

Download
memory/2932-606-0x0000000000000000-mapping.dmp

Download
memory/2932-608-0x00000000017B0000-0x00000000017C2000-memory.dmp

Filesize
72KB

Download
memory/2968-581-0x0000000000000000-mapping.dmp

Download
memory/3216-559-0x0000000000000000-mapping.dmp

Download
memory/3312-603-0x0000000000000000-mapping.dmp

Download
memory/3388-609-0x0000000000000000-mapping.dmp

Download
memory/3632-598-0x0000000000000000-mapping.dmp

Download
memory/3840-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/3840-186-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/3840-184-0x0000000000000000-mapping.dmp

Download
memory/4068-557-0x0000000000000000-mapping.dmp

Download
memory/4100-295-0x0000000000000000-mapping.dmp

Download
memory/4156-551-0x0000000000000000-mapping.dmp

Download
memory/4208-470-0x0000000000000000-mapping.dmp

Download
memory/4256-561-0x0000000000000000-mapping.dmp

Download
memory/4284-562-0x0000000000000000-mapping.dmp

Download
memory/4284-564-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/4544-554-0x0000000000000000-mapping.dmp

Download
memory/4640-296-0x0000000000000000-mapping.dmp

Download
memory/4676-568-0x0000000000000000-mapping.dmp

Download
memory/4680-291-0x0000000000000000-mapping.dmp

Download
memory/4680-329-0x000001B27DB20000-0x000001B27DB42000-memory.dmp

Filesize
136KB

Download
memory/4744-565-0x0000000000000000-mapping.dmp

Download
memory/4756-572-0x0000000000000000-mapping.dmp

Download
memory/4760-595-0x0000000000000000-mapping.dmp

Download
memory/4760-597-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/4780-594-0x0000000000000000-mapping.dmp

Download
memory/4800-292-0x0000000000000000-mapping.dmp

Download
memory/4864-293-0x0000000000000000-mapping.dmp

Download
memory/4888-570-0x0000000000000000-mapping.dmp

Download
memory/4892-600-0x0000000000000000-mapping.dmp

Download
memory/4912-567-0x0000000000000000-mapping.dmp

Download
memory/5044-286-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/5044-283-0x0000000000000000-mapping.dmp

Download
memory/5044-287-0x0000000001360000-0x0000000001372000-memory.dmp

Filesize
72KB

Download
memory/5044-288-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/5044-289-0x0000000001370000-0x000000000137C000-memory.dmp

Filesize
48KB

Download
memory/5044-290-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/5052-260-0x0000000000000000-mapping.dmp

Download
memory/5072-601-0x0000000000000000-mapping.dmp

Download
memory/5112-605-0x0000000000000000-mapping.dmp

Download