dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Size

1.3MB
MD5

e1e945f04fbbeab2efa06d16d21e4c22
SHA1

54037b5b03272d255ab875b5791f87902c5b9457
SHA256

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69
SHA512

61dfbe4d1803ba11f7318b1338343529be925bd84ba107bccb9d7c3f8175a012ea877a613946419f8486cd1c1606d7433c07342278a8c670a5013e999308ae41
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	256	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1324	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral3/memory/4396-139-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat
C:\Recovery\WindowsRE\WaaSMedicAgent.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

pid	process
4396	DllCommonsvc.exe
2004	WaaSMedicAgent.exe
3712	WaaSMedicAgent.exe
1700	WaaSMedicAgent.exe
2292	WaaSMedicAgent.exe
2976	WaaSMedicAgent.exe
724	WaaSMedicAgent.exe
4516	WaaSMedicAgent.exe
1660	WaaSMedicAgent.exe
3472	WaaSMedicAgent.exe
3924	WaaSMedicAgent.exe
4052	WaaSMedicAgent.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exe0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exeWScript.exeDllCommonsvc.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\Icons\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\RemotePackages\RemoteApps\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\38384e6a620884	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3480	schtasks.exe
2720	schtasks.exe
5112	schtasks.exe
2552	schtasks.exe
780	schtasks.exe
3344	schtasks.exe
2540	schtasks.exe
1840	schtasks.exe
4812	schtasks.exe
224	schtasks.exe
3568	schtasks.exe
2696	schtasks.exe
4928	schtasks.exe
1920	schtasks.exe
3556	schtasks.exe
2512	schtasks.exe
2508	schtasks.exe
2756	schtasks.exe
2040	schtasks.exe
1292	schtasks.exe
4108	schtasks.exe
4172	schtasks.exe
804	schtasks.exe
4012	schtasks.exe
1760	schtasks.exe
1576	schtasks.exe
2840	schtasks.exe
1804	schtasks.exe
256	schtasks.exe
2596	schtasks.exe

Modifies registry class 11 IoCs

Processes:

WaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exe0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exeWaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

pid	process
4396	DllCommonsvc.exe
4396	DllCommonsvc.exe
4396	DllCommonsvc.exe
4396	DllCommonsvc.exe
4396	DllCommonsvc.exe
1496	powershell.exe
1496	powershell.exe
3500	powershell.exe
3500	powershell.exe
912	powershell.exe
912	powershell.exe
2080	powershell.exe
2080	powershell.exe
948	powershell.exe
948	powershell.exe
4816	powershell.exe
4816	powershell.exe
4720	powershell.exe
4720	powershell.exe
4516	powershell.exe
4516	powershell.exe
4064	powershell.exe
4064	powershell.exe
3864	powershell.exe
3864	powershell.exe
1480	powershell.exe
1480	powershell.exe
2004	WaaSMedicAgent.exe
2004	WaaSMedicAgent.exe
1496	powershell.exe
1496	powershell.exe
3500	powershell.exe
912	powershell.exe
2080	powershell.exe
948	powershell.exe
4720	powershell.exe
4816	powershell.exe
4516	powershell.exe
3864	powershell.exe
1480	powershell.exe
4064	powershell.exe
3712	WaaSMedicAgent.exe
1700	WaaSMedicAgent.exe
2292	WaaSMedicAgent.exe
2976	WaaSMedicAgent.exe
724	WaaSMedicAgent.exe
4516	WaaSMedicAgent.exe
1660	WaaSMedicAgent.exe
3472	WaaSMedicAgent.exe
3924	WaaSMedicAgent.exe
4052	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4396	DllCommonsvc.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2004	WaaSMedicAgent.exe
Token: SeDebugPrivilege	3712	WaaSMedicAgent.exe
Token: SeDebugPrivilege	1700	WaaSMedicAgent.exe
Token: SeDebugPrivilege	2292	WaaSMedicAgent.exe
Token: SeDebugPrivilege	2976	WaaSMedicAgent.exe
Token: SeDebugPrivilege	724	WaaSMedicAgent.exe
Token: SeDebugPrivilege	4516	WaaSMedicAgent.exe
Token: SeDebugPrivilege	1660	WaaSMedicAgent.exe
Token: SeDebugPrivilege	3472	WaaSMedicAgent.exe
Token: SeDebugPrivilege	3924	WaaSMedicAgent.exe
Token: SeDebugPrivilege	4052	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exeWScript.execmd.exeDllCommonsvc.exeWaaSMedicAgent.execmd.exeWaaSMedicAgent.execmd.exeWaaSMedicAgent.execmd.exeWaaSMedicAgent.execmd.exeWaaSMedicAgent.execmd.exeWaaSMedicAgent.exe

description	pid	process	target process
PID 4368 wrote to memory of 5108	4368	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 4368 wrote to memory of 5108	4368	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 4368 wrote to memory of 5108	4368	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 5108 wrote to memory of 1236	5108	WScript.exe	cmd.exe
PID 5108 wrote to memory of 1236	5108	WScript.exe	cmd.exe
PID 5108 wrote to memory of 1236	5108	WScript.exe	cmd.exe
PID 1236 wrote to memory of 4396	1236	cmd.exe	DllCommonsvc.exe
PID 1236 wrote to memory of 4396	1236	cmd.exe	DllCommonsvc.exe
PID 4396 wrote to memory of 1496	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 1496	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 912	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 912	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 948	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 948	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 3500	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 3500	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4720	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4720	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 2080	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 2080	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4816	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4816	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4516	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4516	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4064	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 4064	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 3864	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 3864	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 1480	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 1480	4396	DllCommonsvc.exe	powershell.exe
PID 4396 wrote to memory of 2004	4396	DllCommonsvc.exe	WaaSMedicAgent.exe
PID 4396 wrote to memory of 2004	4396	DllCommonsvc.exe	WaaSMedicAgent.exe
PID 2004 wrote to memory of 2020	2004	WaaSMedicAgent.exe	cmd.exe
PID 2004 wrote to memory of 2020	2004	WaaSMedicAgent.exe	cmd.exe
PID 2020 wrote to memory of 4248	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 4248	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 3712	2020	cmd.exe	WaaSMedicAgent.exe
PID 2020 wrote to memory of 3712	2020	cmd.exe	WaaSMedicAgent.exe
PID 3712 wrote to memory of 1148	3712	WaaSMedicAgent.exe	cmd.exe
PID 3712 wrote to memory of 1148	3712	WaaSMedicAgent.exe	cmd.exe
PID 1148 wrote to memory of 4464	1148	cmd.exe	w32tm.exe
PID 1148 wrote to memory of 4464	1148	cmd.exe	w32tm.exe
PID 1148 wrote to memory of 1700	1148	cmd.exe	WaaSMedicAgent.exe
PID 1148 wrote to memory of 1700	1148	cmd.exe	WaaSMedicAgent.exe
PID 1700 wrote to memory of 520	1700	WaaSMedicAgent.exe	cmd.exe
PID 1700 wrote to memory of 520	1700	WaaSMedicAgent.exe	cmd.exe
PID 520 wrote to memory of 3404	520	cmd.exe	w32tm.exe
PID 520 wrote to memory of 3404	520	cmd.exe	w32tm.exe
PID 520 wrote to memory of 2292	520	cmd.exe	WaaSMedicAgent.exe
PID 520 wrote to memory of 2292	520	cmd.exe	WaaSMedicAgent.exe
PID 2292 wrote to memory of 3568	2292	WaaSMedicAgent.exe	cmd.exe
PID 2292 wrote to memory of 3568	2292	WaaSMedicAgent.exe	cmd.exe
PID 3568 wrote to memory of 516	3568	cmd.exe	w32tm.exe
PID 3568 wrote to memory of 516	3568	cmd.exe	w32tm.exe
PID 3568 wrote to memory of 2976	3568	cmd.exe	WaaSMedicAgent.exe
PID 3568 wrote to memory of 2976	3568	cmd.exe	WaaSMedicAgent.exe
PID 2976 wrote to memory of 4856	2976	WaaSMedicAgent.exe	cmd.exe
PID 2976 wrote to memory of 4856	2976	WaaSMedicAgent.exe	cmd.exe
PID 4856 wrote to memory of 2040	4856	cmd.exe	w32tm.exe
PID 4856 wrote to memory of 2040	4856	cmd.exe	w32tm.exe
PID 4856 wrote to memory of 724	4856	cmd.exe	WaaSMedicAgent.exe
PID 4856 wrote to memory of 724	4856	cmd.exe	WaaSMedicAgent.exe
PID 724 wrote to memory of 1432	724	WaaSMedicAgent.exe	cmd.exe
PID 724 wrote to memory of 1432	724	WaaSMedicAgent.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
"C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Registry.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4464

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:3404

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:516

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
13⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:2040

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
15⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
16⤵
PID:1432

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:4964

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
17⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
18⤵
PID:3916

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1380

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
19⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
20⤵
PID:3396

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:1048

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
21⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
22⤵
PID:3464

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:1820

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
23⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
24⤵
PID:4008

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:984

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WaaSMedicAgent.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WaaSMedicAgent.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat
Filesize
205B

MD5
83cd46f6aa3c169c12b650f09ac0de47

SHA1
200e695b1fc76bab3c4247aaac2962b275f35e46

SHA256
bb82b38107a986aa03740878b3fe16952f07ddbdcfef2b9212d6217c0a21dc78

SHA512
d7829406f88d9439dce15e3938df231df907471b289515b93497a0d5dee48a19a8e9b5a47a6172b18ad62c7933d4202693a30a338b1e34aa59cf694788543c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat
Filesize
205B

MD5
7ccb64cc30b8f2b0be1ae8cb471eac35

SHA1
0a10c52b436c06dbb4a585649da01ec8583cfc2e

SHA256
48d3da84511a0e5ef9ae16f6f4061e4b0f1d368010701cced63bd3a8a4aabc99

SHA512
35757c5e4526b3e14020a0f66f6eca1a3dd0a09da180016a8ce9d24ff8bd5ffb87eaa03d326c201aa90b1d0ead55398e37977e60b800eefdc227eed811ee74b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat
Filesize
205B

MD5
1a226ed5023ca17d48be91ca1910a68e

SHA1
b3e31155330848c011ed8ab4026dba2deb9a3be7

SHA256
2aedf6d77196f3fa7cb3421c9b210512eebee837d69e1df4de085f2fd4004270

SHA512
2d8524aa74c39462c3ac38a9f10eadeb9d2101cdf06019c3a3fd051e18f6f228e65c050f389c6a6192d2aeffae3a9c61e8fda635695ceef565ccb38d7e4015ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat
Filesize
205B

MD5
4a77c3c65d1a513438145e1d2e005100

SHA1
361d035b660732d548080c603215801c53a87945

SHA256
a4c9c0e07d6043069259bdff19f16b590e4fab4387f6f19efd3b61e54111eb9f

SHA512
562ace7cb6ae7f1586d9c12ca11a60802dfbcc2eff7281a0df3951b8a86eabc038a12252e331932cf518628a668cc40521b6fcc25a92cf4250aa2111db546a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat
Filesize
205B

MD5
36de4c2ccabe37dda97da37d870ab9aa

SHA1
d99c1117d41aa7c1ee4171d00acdb79a556b1110

SHA256
e33f4cfb3910ecd7a85b5b33b5bdd0367af1b36dfa3e8ff62df418ad7c8049e6

SHA512
422b8cc155aa0bcf22d939c63143508781ff4aa6c08d26843d60ec7c6944f3fc8acbc7c588dd8780b2f1e8fc8b8b8aa6c4a82b80a5914d69b1c5fac89bed60b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat
Filesize
205B

MD5
723ab2537c4fd5c152be2bba218980d4

SHA1
d86ebfa105aafe28dcabdcca3a04d9f27a053dac

SHA256
5e663e14ceeb57a1a4ab23a70441a08200fb9537e2242b6657b84f70955fdbed

SHA512
9644732106d7de73f855a9827e0891fb3d229963af1b62be97e86939f6fbfd6fa30eff3917418d7debab3a5b21089a1e4d8bfc0e688e4c3f920200d5bc6df38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat
Filesize
205B

MD5
8f1dce7537472ea920b206e19bd5d37d

SHA1
1b71656742dc276f98108fa28322d6f434206606

SHA256
04142cd02620f907ad97dda2f54fe0e879b99742e45d4099e9ba8c1b8cd039c5

SHA512
18c69b8a1715c9fec4d2bbf4737684e1128a5ff0cb45bb3b6cb5d2db360ed2f52d8adb489f745c6d0eebc9784cef2d29e5f2f8d853bb07096e1ca95d6bdcaa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat
Filesize
205B

MD5
be71124e6a5f7c8ab828dd8bcd6e9be2

SHA1
54f0a1110bcca1915197c1c355ff502c28d8e72d

SHA256
63f3086147266c34d7c834e481bff408967df12af5aebd30395a70f497795766

SHA512
b8c0e8d76ec78886091e8f333eef428fd3326a2a9cc228f2856b224e357954e033240e9c8f1e7c1b382793c8b8d0c43d9e98db2fa5c2d840e2aee6a178972b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat
Filesize
205B

MD5
43990b69516317384128e2de4e20e240

SHA1
a895de60b3c895ea056d98a0c5dc3688a92d503e

SHA256
53aacead6ca2af15d8d8f1017b065faebface88dac12e25d6bf144b885110b00

SHA512
9bbf24f1f76959092c3b5e97ca6fced78cab7716e93d4c766cfd85dd6692c3cd6cfc7c31e740932e513587ba1ad1fdbb40fdaf11b63f5a4aca2e6198ddf5a2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat
Filesize
205B

MD5
074b2672e64c930c37233a9619036fd3

SHA1
6de5501744bd4d929a130615fdf28f161041c38e

SHA256
6e5d69fc041948eefc0f950958be8b75d253426c8c355e472b449a8bcf978ea8

SHA512
9c4390bf278ce45d6b7c4dd188b4d8206de73f22b33ab5e596bf25a61f9d054fac27e358fe0eb7f618020f2b035340cb1fbb1092b90ac454e2780fff78c7e086

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/516-215-0x0000000000000000-mapping.dmp

Download
memory/520-206-0x0000000000000000-mapping.dmp

Download
memory/724-226-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/724-224-0x0000000000000000-mapping.dmp

Download
memory/724-230-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/912-158-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/912-176-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/912-142-0x0000000000000000-mapping.dmp

Download
memory/948-159-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/948-143-0x0000000000000000-mapping.dmp

Download
memory/948-179-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/984-258-0x0000000000000000-mapping.dmp

Download
memory/1048-244-0x0000000000000000-mapping.dmp

Download
memory/1148-199-0x0000000000000000-mapping.dmp

Download
memory/1236-135-0x0000000000000000-mapping.dmp

Download
memory/1380-237-0x0000000000000000-mapping.dmp

Download
memory/1432-227-0x0000000000000000-mapping.dmp

Download
memory/1480-188-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1480-151-0x0000000000000000-mapping.dmp

Download
memory/1480-168-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-141-0x0000000000000000-mapping.dmp

Download
memory/1496-174-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-154-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-245-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-239-0x0000000000000000-mapping.dmp

Download
memory/1660-241-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-203-0x0000000000000000-mapping.dmp

Download
memory/1700-205-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-209-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/1820-252-0x0000000000000000-mapping.dmp

Download
memory/2004-166-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-194-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-153-0x0000000000000000-mapping.dmp

Download
memory/2020-191-0x0000000000000000-mapping.dmp

Download
memory/2040-222-0x0000000000000000-mapping.dmp

Download
memory/2080-146-0x0000000000000000-mapping.dmp

Download
memory/2080-161-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2080-182-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-210-0x0000000000000000-mapping.dmp

Download
memory/2292-216-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-212-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2976-223-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/2976-217-0x0000000000000000-mapping.dmp

Download
memory/2976-219-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3396-242-0x0000000000000000-mapping.dmp

Download
memory/3404-208-0x0000000000000000-mapping.dmp

Download
memory/3464-249-0x0000000000000000-mapping.dmp

Download
memory/3472-250-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-246-0x0000000000000000-mapping.dmp

Download
memory/3472-248-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-160-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-144-0x0000000000000000-mapping.dmp

Download
memory/3500-172-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-152-0x000002593E660000-0x000002593E682000-memory.dmp

Filesize
136KB

Download
memory/3568-213-0x0000000000000000-mapping.dmp

Download
memory/3712-202-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-195-0x0000000000000000-mapping.dmp

Download
memory/3712-198-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3864-167-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3864-186-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3864-150-0x0000000000000000-mapping.dmp

Download
memory/3916-235-0x0000000000000000-mapping.dmp

Download
memory/3924-259-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3924-255-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/3924-253-0x0000000000000000-mapping.dmp

Download
memory/4008-256-0x0000000000000000-mapping.dmp

Download
memory/4052-260-0x0000000000000000-mapping.dmp

Download
memory/4052-262-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-190-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-165-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-149-0x0000000000000000-mapping.dmp

Download
memory/4248-193-0x0000000000000000-mapping.dmp

Download
memory/4396-157-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-136-0x0000000000000000-mapping.dmp

Download
memory/4396-139-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/4396-140-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-201-0x0000000000000000-mapping.dmp

Download
memory/4516-233-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-185-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-148-0x0000000000000000-mapping.dmp

Download
memory/4516-231-0x0000000000000000-mapping.dmp

Download
memory/4516-238-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-164-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-234-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-181-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-145-0x0000000000000000-mapping.dmp

Download
memory/4720-162-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4816-175-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4816-147-0x0000000000000000-mapping.dmp

Download
memory/4816-163-0x00007FFAF2900000-0x00007FFAF33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-220-0x0000000000000000-mapping.dmp

Download
memory/4964-229-0x0000000000000000-mapping.dmp

Download
memory/5108-132-0x0000000000000000-mapping.dmp

Download