dcrat | b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292

Analysis

max time kernel
115s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P3MKL.exe
Size

1.7MB
MD5

f812dea5ffd8ac4eb11cf366b7baccca
SHA1

f16dd261312b338f6a23b5a8a29ca649d9e36c4e
SHA256

b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292
SHA512

c22750b31fae4389e69d715d5ffbbb7e79c7d8294cc3ac9f40a6bdb1921517cb52eed4e8bad5535bf20d3527ba468a845e50f081ba9360f753969025c80d8237
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2588	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4700-132-0x00000000007D0000-0x0000000000986000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\P3MKL.exe	dcrat
C:\Program Files\Windows NT\Accessories\en-US\System.exe	dcrat
C:\Program Files\Windows NT\Accessories\en-US\System.exe	dcrat
C:\Program Files\Windows NT\Accessories\en-US\System.exe	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

P3MKL.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts P3MKL.exe
Executes dropped EXE 3 IoCs

Processes:

P3MKL.exeSystem.exeSystem.exe

pid process

1404 P3MKL.exe
1344 System.exe
1000 System.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	P3MKL.exe

pid	process
1404	P3MKL.exe
1344	System.exe
1000	System.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

P3MKL.exeP3MKL.exeSystem.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	P3MKL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	P3MKL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	System.exe

Drops file in Program Files directory 26 IoCs

Processes:

P3MKL.exeP3MKL.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX8B24.tmp	P3MKL.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Registry.exe	P3MKL.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9123.tmp	P3MKL.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX9432.tmp	P3MKL.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe	P3MKL.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e	P3MKL.exe
File created	C:\Program Files\Google\Chrome\5940a34987c991	P3MKL.exe
File opened for modification	C:\Program Files (x86)\Google\RCX842C.tmp	P3MKL.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX91B1.tmp	P3MKL.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\27d1bcfc3c54e0	P3MKL.exe
File created	C:\Program Files (x86)\Google\6203df4a6bafc7	P3MKL.exe
File opened for modification	C:\Program Files (x86)\Google\RCX83AE.tmp	P3MKL.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX8BA2.tmp	P3MKL.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX94C0.tmp	P3MKL.exe
File opened for modification	C:\Program Files\Google\Chrome\dllhost.exe	P3MKL.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\38384e6a620884	P3MKL.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\System.exe	P3MKL.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	P3MKL.exe
File opened for modification	C:\Program Files (x86)\Google\lsass.exe	P3MKL.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Registry.exe	P3MKL.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ee2ad38f3d4382	P3MKL.exe
File created	C:\Program Files\Google\Chrome\dllhost.exe	P3MKL.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	P3MKL.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe	P3MKL.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\System.exe	P3MKL.exe
File created	C:\Program Files (x86)\Google\lsass.exe	P3MKL.exe

Drops file in Windows directory 10 IoCs

Processes:

P3MKL.exeP3MKL.exe

description	ioc	process
File created	C:\Windows\ja-JP\OfficeClickToRun.exe	P3MKL.exe
File created	C:\Windows\ja-JP\e6c9b481da804f	P3MKL.exe
File opened for modification	C:\Windows\ja-JP\OfficeClickToRun.exe	P3MKL.exe
File created	C:\Windows\ServiceProfiles\LocalService\Favorites\wininit.exe	P3MKL.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Favorites\RCX874A.tmp	P3MKL.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Favorites\RCX88A2.tmp	P3MKL.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Favorites\wininit.exe	P3MKL.exe
File created	C:\Windows\SystemResources\Windows.UI.Logon\fontdrvhost.exe	P3MKL.exe
File created	C:\Windows\ServiceProfiles\LocalService\Favorites\56085415360792	P3MKL.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3e3835d16b3a75c\smss.exe	P3MKL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4276	schtasks.exe
2468	schtasks.exe
4828	schtasks.exe
4408	schtasks.exe
1616	schtasks.exe
5040	schtasks.exe
3116	schtasks.exe
4204	schtasks.exe
1428	schtasks.exe
2172	schtasks.exe
4332	schtasks.exe
4988	schtasks.exe
372	schtasks.exe
1828	schtasks.exe
2644	schtasks.exe
3996	schtasks.exe
4312	schtasks.exe
836	schtasks.exe
2480	schtasks.exe
4536	schtasks.exe
800	schtasks.exe
3692	schtasks.exe
1368	schtasks.exe
1824	schtasks.exe
984	schtasks.exe
800	schtasks.exe
2856	schtasks.exe
1432	schtasks.exe
2896	schtasks.exe
812	schtasks.exe
2084	schtasks.exe
1344	schtasks.exe
2264	schtasks.exe
2964	schtasks.exe
944	schtasks.exe
3920	schtasks.exe
2292	schtasks.exe
3372	schtasks.exe
4468	schtasks.exe
2604	schtasks.exe
1328	schtasks.exe
2420	schtasks.exe
2160	schtasks.exe
4496	schtasks.exe
4356	schtasks.exe

Modifies registry class 3 IoCs

Processes:

P3MKL.exeP3MKL.exeSystem.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	P3MKL.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	P3MKL.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	System.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

P3MKL.exepowershell.exe

pid	process
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe
4620	powershell.exe
4620	powershell.exe
4700	P3MKL.exe
4700	P3MKL.exe
4700	P3MKL.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

P3MKL.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeP3MKL.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exeSystem.exe

description	pid	process
Token: SeDebugPrivilege	4700	P3MKL.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1404	P3MKL.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1344	System.exe
Token: SeDebugPrivilege	1000	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

P3MKL.execmd.exeP3MKL.execmd.exeSystem.exe

description	pid	process	target process
PID 4700 wrote to memory of 4620	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4620	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4596	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4596	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4536	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4536	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4056	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4056	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 3492	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 3492	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 2732	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 2732	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 3648	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 3648	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 5116	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 5116	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 2872	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 2872	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 3856	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 3856	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 1704	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 1704	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 1924	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 1924	4700	P3MKL.exe	powershell.exe
PID 4700 wrote to memory of 4576	4700	P3MKL.exe	cmd.exe
PID 4700 wrote to memory of 4576	4700	P3MKL.exe	cmd.exe
PID 4576 wrote to memory of 5104	4576	cmd.exe	w32tm.exe
PID 4576 wrote to memory of 5104	4576	cmd.exe	w32tm.exe
PID 4576 wrote to memory of 1404	4576	cmd.exe	P3MKL.exe
PID 4576 wrote to memory of 1404	4576	cmd.exe	P3MKL.exe
PID 1404 wrote to memory of 4228	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4228	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 2864	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 2864	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4804	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4804	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 2092	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 2092	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 1780	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 1780	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 2132	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 2132	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 5116	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 5116	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4208	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4208	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4124	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4124	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4932	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4932	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4732	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 4732	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 1376	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 1376	1404	P3MKL.exe	powershell.exe
PID 1404 wrote to memory of 1820	1404	P3MKL.exe	cmd.exe
PID 1404 wrote to memory of 1820	1404	P3MKL.exe	cmd.exe
PID 1820 wrote to memory of 1252	1820	cmd.exe	w32tm.exe
PID 1820 wrote to memory of 1252	1820	cmd.exe	w32tm.exe
PID 1820 wrote to memory of 1344	1820	cmd.exe	System.exe
PID 1820 wrote to memory of 1344	1820	cmd.exe	System.exe
PID 1344 wrote to memory of 4596	1344	System.exe	WScript.exe
PID 1344 wrote to memory of 4596	1344	System.exe	WScript.exe
PID 1344 wrote to memory of 4696	1344	System.exe	WScript.exe
PID 1344 wrote to memory of 4696	1344	System.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\P3MKL.exe
"C:\Users\Admin\AppData\Local\Temp\P3MKL.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CHhgdBbwK0.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\P3MKL.exe
"C:\Users\Admin\AppData\Local\Temp\P3MKL.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sOdT1nlBuB.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1252

C:\Program Files\Windows NT\Accessories\en-US\System.exe
"C:\Program Files\Windows NT\Accessories\en-US\System.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c3b95a0-8b05-4b7e-ad00-e2a3128081fe.vbs"
6⤵
PID:4596

C:\Program Files\Windows NT\Accessories\en-US\System.exe
"C:\Program Files\Windows NT\Accessories\en-US\System.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df14140f-e4bd-4a88-b006-9e22d1c323b4.vbs"
6⤵
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\Logs\User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\Accessories\en-US\System.exe
Filesize
1.7MB

MD5
f812dea5ffd8ac4eb11cf366b7baccca

SHA1
f16dd261312b338f6a23b5a8a29ca649d9e36c4e

SHA256
b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292

SHA512
c22750b31fae4389e69d715d5ffbbb7e79c7d8294cc3ac9f40a6bdb1921517cb52eed4e8bad5535bf20d3527ba468a845e50f081ba9360f753969025c80d8237

Download Submit
C:\Program Files\Windows NT\Accessories\en-US\System.exe
Filesize
1.7MB

MD5
f812dea5ffd8ac4eb11cf366b7baccca

SHA1
f16dd261312b338f6a23b5a8a29ca649d9e36c4e

SHA256
b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292

SHA512
c22750b31fae4389e69d715d5ffbbb7e79c7d8294cc3ac9f40a6bdb1921517cb52eed4e8bad5535bf20d3527ba468a845e50f081ba9360f753969025c80d8237

Download Submit
C:\Program Files\Windows NT\Accessories\en-US\System.exe
Filesize
1.7MB

MD5
f812dea5ffd8ac4eb11cf366b7baccca

SHA1
f16dd261312b338f6a23b5a8a29ca649d9e36c4e

SHA256
b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292

SHA512
c22750b31fae4389e69d715d5ffbbb7e79c7d8294cc3ac9f40a6bdb1921517cb52eed4e8bad5535bf20d3527ba468a845e50f081ba9360f753969025c80d8237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\P3MKL.exe.log
Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7222264b1e63b6fcc9c66d78879da1f0

SHA1
43537ec2758ae7a438430a30690cb7ff5f3cb138

SHA256
42622b208d82db86460a66502f6005b91ffd9917d9c2d7ccffca0a83a583d838

SHA512
04c8ec00d4828deabe786b99e16230a48230abb1fcb8bce77a8558d152887aa8f73ce1b16325261d230588470d52d3df74b488303659c335424c3e36f8e4164a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4c513fe7261cbb0fd7ec5d03873693d6

SHA1
360d69bf9f5ba328d5f039f4802b2546ac346c4b

SHA256
4dc40c8efd2b217c5552937c9fd2b7ac00bc30ac50a81526ab6655278c5a4dc9

SHA512
8c0fbffdfc5003e06c7ae0b53052b3478fbd7e2e1b9028db12248383535d04dcfeb80069295e48c5e0ec60504f45610b7bd944b8852cada005a590660caa04d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4c60463b0551abf52d31bc311e50c789

SHA1
59c839439e2b520bf1dc6c9872c03fef8eb85aa0

SHA256
31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f

SHA512
b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4c60463b0551abf52d31bc311e50c789

SHA1
59c839439e2b520bf1dc6c9872c03fef8eb85aa0

SHA256
31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f

SHA512
b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4c60463b0551abf52d31bc311e50c789

SHA1
59c839439e2b520bf1dc6c9872c03fef8eb85aa0

SHA256
31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f

SHA512
b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c3b95a0-8b05-4b7e-ad00-e2a3128081fe.vbs
Filesize
732B

MD5
df7ea7f27180201deb4e66e429fd2040

SHA1
47ad4769c8c5809d0ab920e45490f405b19e8e91

SHA256
78284461518f09723251a49f8c2d87fd6257e1fa9e87b03ad9296dca94133a13

SHA512
8ee0ddcda61a3d5048aed9d7f2f51ca7a00b4229bf4d3c5f6a6635d9992a61401ad87e004e6a12cf072d41301389a5ac9027495e3319d6fa1cbf2d0b85cbb3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHhgdBbwK0.bat
Filesize
208B

MD5
f6183855ec7e5ea685a5d49eb68caa23

SHA1
e1e29f32a857d32cb07817ac3b3d290e3075d5a8

SHA256
96b1956910e43037c3decb5f9bcf587ecb8983fc6a7654548ae9f430219af6d4

SHA512
a82c6af0993e7327962a07a78a9ce188699b4de885d49459f16368cdf13af11c588a7388db61381bb297aaeef9a08561570c65cc2c977eb8fde35eb52719de7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P3MKL.exe
Filesize
1.7MB

MD5
f812dea5ffd8ac4eb11cf366b7baccca

SHA1
f16dd261312b338f6a23b5a8a29ca649d9e36c4e

SHA256
b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292

SHA512
c22750b31fae4389e69d715d5ffbbb7e79c7d8294cc3ac9f40a6bdb1921517cb52eed4e8bad5535bf20d3527ba468a845e50f081ba9360f753969025c80d8237

Download Submit
C:\Users\Admin\AppData\Local\Temp\df14140f-e4bd-4a88-b006-9e22d1c323b4.vbs
Filesize
508B

MD5
5ca25050f4059cf4592ec92ba2912605

SHA1
bf1457ed257584e8812287ff334f05c11dd58ac1

SHA256
e44cb189caf070a56dff17f19be04136017b53e0517ca29bbfab62b04ccb3b8f

SHA512
48bf1f25ed9daa3f5b99e0c5609de87c80e5647c6e4e2df0751b1f81b417e90316507ca520eaa13d891f5ffbaa9aa719f289bf7140c63fd241c8f3484a93d417

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOdT1nlBuB.bat
Filesize
221B

MD5
a1e547bc6fd0771b5967503757071186

SHA1
249aec110a89a44aac4427ec08370dbcd5d2ee70

SHA256
fb0860e4df577f5c8010692bde6df4b64610ff8c7a500fdf7156d0f3a3d46197

SHA512
47f2c0df646ce2f8bcbf51808603117b677a8d3e34497ed6478c763ab2ac1c92a77c70cda2f5b27ba7e4c640e622c9ce9ea79127341a03ef9836deac531b1d4c

Download Submit
memory/1000-289-0x0000000000000000-mapping.dmp

Download
memory/1252-226-0x0000000000000000-mapping.dmp

Download
memory/1344-254-0x0000000000000000-mapping.dmp

Download
memory/1376-245-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/1376-211-0x0000000000000000-mapping.dmp

Download
memory/1376-225-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/1404-230-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/1404-194-0x0000000000000000-mapping.dmp

Download
memory/1404-197-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/1404-198-0x00000000013A9000-0x00000000013AF000-memory.dmp

Filesize
24KB

Download
memory/1404-199-0x000000001D830000-0x000000001D834000-memory.dmp

Filesize
16KB

Download
memory/1404-228-0x000000001D834000-0x000000001D837000-memory.dmp

Filesize
12KB

Download
memory/1404-229-0x000000001D837000-0x000000001D83A000-memory.dmp

Filesize
12KB

Download
memory/1704-169-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/1704-149-0x0000000000000000-mapping.dmp

Download
memory/1704-193-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-204-0x0000000000000000-mapping.dmp

Download
memory/1780-250-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/1780-217-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/1820-212-0x0000000000000000-mapping.dmp

Download
memory/1924-191-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-150-0x0000000000000000-mapping.dmp

Download
memory/1924-168-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/2092-239-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/2092-203-0x0000000000000000-mapping.dmp

Download
memory/2092-216-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/2132-205-0x0000000000000000-mapping.dmp

Download
memory/2132-231-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/2132-220-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/2732-170-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/2732-165-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/2732-144-0x0000000000000000-mapping.dmp

Download
memory/2864-214-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/2864-201-0x0000000000000000-mapping.dmp

Download
memory/2864-235-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/2872-147-0x0000000000000000-mapping.dmp

Download
memory/2872-166-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-187-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3492-143-0x0000000000000000-mapping.dmp

Download
memory/3492-162-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3492-181-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-177-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-145-0x0000000000000000-mapping.dmp

Download
memory/3648-163-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-192-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-167-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-148-0x0000000000000000-mapping.dmp

Download
memory/4056-161-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-142-0x0000000000000000-mapping.dmp

Download
memory/4056-183-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-222-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4124-208-0x0000000000000000-mapping.dmp

Download
memory/4124-247-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4208-249-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4208-221-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4208-207-0x0000000000000000-mapping.dmp

Download
memory/4228-234-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4228-213-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4228-200-0x0000000000000000-mapping.dmp

Download
memory/4536-141-0x0000000000000000-mapping.dmp

Download
memory/4536-158-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-175-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-152-0x0000000000000000-mapping.dmp

Download
memory/4596-140-0x0000000000000000-mapping.dmp

Download
memory/4596-184-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-258-0x0000000000000000-mapping.dmp

Download
memory/4596-157-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4620-173-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4620-151-0x000001A13DEE0000-0x000001A13DF02000-memory.dmp

Filesize
136KB

Download
memory/4620-139-0x0000000000000000-mapping.dmp

Download
memory/4620-156-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-260-0x0000000000000000-mapping.dmp

Download
memory/4700-153-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-137-0x000000001D5B0000-0x000000001D5B4000-memory.dmp

Filesize
16KB

Download
memory/4700-133-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-134-0x000000001CC60000-0x000000001CCB0000-memory.dmp

Filesize
320KB

Download
memory/4700-135-0x0000000002959000-0x000000000295F000-memory.dmp

Filesize
24KB

Download
memory/4700-136-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-138-0x0000000002959000-0x000000000295F000-memory.dmp

Filesize
24KB

Download
memory/4700-132-0x00000000007D0000-0x0000000000986000-memory.dmp

Filesize
1.7MB

Download
memory/4700-155-0x0000000002959000-0x000000000295F000-memory.dmp

Filesize
24KB

Download
memory/4700-154-0x000000001D5B0000-0x000000001D5B4000-memory.dmp

Filesize
16KB

Download
memory/4732-246-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4732-227-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4732-210-0x0000000000000000-mapping.dmp

Download
memory/4804-215-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4804-202-0x0000000000000000-mapping.dmp

Download
memory/4804-237-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4932-252-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4932-224-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/4932-209-0x0000000000000000-mapping.dmp

Download
memory/5104-160-0x0000000000000000-mapping.dmp

Download
memory/5116-186-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-146-0x0000000000000000-mapping.dmp

Download
memory/5116-206-0x0000000000000000-mapping.dmp

Download
memory/5116-218-0x00007FFA966B0000-0x00007FFA97171000-memory.dmp

Filesize
10.8MB

Download
memory/5116-164-0x00007FFA96AE0000-0x00007FFA975A1000-memory.dmp

Filesize
10.8MB

Download