dcrat | 5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe
Size

1.3MB
MD5

db97d1279e082843c8de25e67b5e0a2f
SHA1

ab6055c6033f39aeaf4f0e639483173dc6836574
SHA256

5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af
SHA512

06a0dc5833ee0d08bcdda2c444dd4e2e1f0b71b7a4313457462877530177dc3934883fc4e3932fe6780510065c9bb0239cfcf12ffb7a711df22ce938e51e7d7b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1280	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/2164-139-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe	dcrat

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2164	DllCommonsvc.exe
4244	spoolsv.exe
1760	spoolsv.exe
332	spoolsv.exe
1884	spoolsv.exe
3132	spoolsv.exe
1016	spoolsv.exe
4116	spoolsv.exe
1476	spoolsv.exe
2512	spoolsv.exe
1652	spoolsv.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exe5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exeDllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeWScript.exespoolsv.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\IdentityCRL\INT\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\INT\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Windows\WaaS\services\SearchApp.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
828	schtasks.exe
1540	schtasks.exe
4104	schtasks.exe
456	schtasks.exe
1144	schtasks.exe
1292	schtasks.exe
2876	schtasks.exe
1132	schtasks.exe
4224	schtasks.exe
4728	schtasks.exe
1636	schtasks.exe
3408	schtasks.exe
5112	schtasks.exe
5000	schtasks.exe
3052	schtasks.exe
1892	schtasks.exe
1500	schtasks.exe
1660	schtasks.exe
3136	schtasks.exe
872	schtasks.exe
4428	schtasks.exe
1476	schtasks.exe
4308	schtasks.exe
1112	schtasks.exe
4196	schtasks.exe
216	schtasks.exe
228	schtasks.exe

Modifies registry class 11 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2164	DllCommonsvc.exe
3844	powershell.exe
3616	powershell.exe
3512	powershell.exe
3512	powershell.exe
3652	powershell.exe
3652	powershell.exe
3680	powershell.exe
3680	powershell.exe
2804	powershell.exe
2804	powershell.exe
4596	powershell.exe
4596	powershell.exe
3652	powershell.exe
3752	powershell.exe
3752	powershell.exe
4704	powershell.exe
4704	powershell.exe
1268	powershell.exe
1268	powershell.exe
4244	spoolsv.exe
4244	spoolsv.exe
3752	powershell.exe
3844	powershell.exe
3844	powershell.exe
3616	powershell.exe
3616	powershell.exe
3512	powershell.exe
3680	powershell.exe
4596	powershell.exe
2804	powershell.exe
4704	powershell.exe
1268	powershell.exe
1760	spoolsv.exe
332	spoolsv.exe
1884	spoolsv.exe
3132	spoolsv.exe
1016	spoolsv.exe
4116	spoolsv.exe
1476	spoolsv.exe
2512	spoolsv.exe
1652	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2164	DllCommonsvc.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4244	spoolsv.exe
Token: SeDebugPrivilege	1760	spoolsv.exe
Token: SeDebugPrivilege	332	spoolsv.exe
Token: SeDebugPrivilege	1884	spoolsv.exe
Token: SeDebugPrivilege	3132	spoolsv.exe
Token: SeDebugPrivilege	1016	spoolsv.exe
Token: SeDebugPrivilege	4116	spoolsv.exe
Token: SeDebugPrivilege	1476	spoolsv.exe
Token: SeDebugPrivilege	2512	spoolsv.exe
Token: SeDebugPrivilege	1652	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exeWScript.execmd.exeDllCommonsvc.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exe

description	pid	process	target process
PID 4280 wrote to memory of 4776	4280	5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe	WScript.exe
PID 4280 wrote to memory of 4776	4280	5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe	WScript.exe
PID 4280 wrote to memory of 4776	4280	5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe	WScript.exe
PID 4776 wrote to memory of 4580	4776	WScript.exe	cmd.exe
PID 4776 wrote to memory of 4580	4776	WScript.exe	cmd.exe
PID 4776 wrote to memory of 4580	4776	WScript.exe	cmd.exe
PID 4580 wrote to memory of 2164	4580	cmd.exe	DllCommonsvc.exe
PID 4580 wrote to memory of 2164	4580	cmd.exe	DllCommonsvc.exe
PID 2164 wrote to memory of 3844	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3844	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3616	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3616	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3512	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3512	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3652	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3652	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3680	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3680	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 2804	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 2804	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 4596	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 4596	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 4704	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 4704	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3752	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 3752	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 1268	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 1268	2164	DllCommonsvc.exe	powershell.exe
PID 2164 wrote to memory of 4244	2164	DllCommonsvc.exe	spoolsv.exe
PID 2164 wrote to memory of 4244	2164	DllCommonsvc.exe	spoolsv.exe
PID 4244 wrote to memory of 1940	4244	spoolsv.exe	cmd.exe
PID 4244 wrote to memory of 1940	4244	spoolsv.exe	cmd.exe
PID 1940 wrote to memory of 548	1940	cmd.exe	w32tm.exe
PID 1940 wrote to memory of 548	1940	cmd.exe	w32tm.exe
PID 1940 wrote to memory of 1760	1940	cmd.exe	spoolsv.exe
PID 1940 wrote to memory of 1760	1940	cmd.exe	spoolsv.exe
PID 1760 wrote to memory of 4920	1760	spoolsv.exe	cmd.exe
PID 1760 wrote to memory of 4920	1760	spoolsv.exe	cmd.exe
PID 4920 wrote to memory of 1896	4920	cmd.exe	w32tm.exe
PID 4920 wrote to memory of 1896	4920	cmd.exe	w32tm.exe
PID 4920 wrote to memory of 332	4920	cmd.exe	spoolsv.exe
PID 4920 wrote to memory of 332	4920	cmd.exe	spoolsv.exe
PID 332 wrote to memory of 1780	332	spoolsv.exe	cmd.exe
PID 332 wrote to memory of 1780	332	spoolsv.exe	cmd.exe
PID 1780 wrote to memory of 1256	1780	cmd.exe	w32tm.exe
PID 1780 wrote to memory of 1256	1780	cmd.exe	w32tm.exe
PID 1780 wrote to memory of 1884	1780	cmd.exe	spoolsv.exe
PID 1780 wrote to memory of 1884	1780	cmd.exe	spoolsv.exe
PID 1884 wrote to memory of 3496	1884	spoolsv.exe	cmd.exe
PID 1884 wrote to memory of 3496	1884	spoolsv.exe	cmd.exe
PID 3496 wrote to memory of 4076	3496	cmd.exe	w32tm.exe
PID 3496 wrote to memory of 4076	3496	cmd.exe	w32tm.exe
PID 3496 wrote to memory of 3132	3496	cmd.exe	spoolsv.exe
PID 3496 wrote to memory of 3132	3496	cmd.exe	spoolsv.exe
PID 3132 wrote to memory of 5048	3132	spoolsv.exe	cmd.exe
PID 3132 wrote to memory of 5048	3132	spoolsv.exe	cmd.exe
PID 5048 wrote to memory of 2272	5048	cmd.exe	w32tm.exe
PID 5048 wrote to memory of 2272	5048	cmd.exe	w32tm.exe
PID 5048 wrote to memory of 1016	5048	cmd.exe	spoolsv.exe
PID 5048 wrote to memory of 1016	5048	cmd.exe	spoolsv.exe
PID 1016 wrote to memory of 2296	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 2296	1016	spoolsv.exe	cmd.exe
PID 2296 wrote to memory of 640	2296	cmd.exe	w32tm.exe
PID 2296 wrote to memory of 640	2296	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe
"C:\Users\Admin\AppData\Local\Temp\5b0a69d70a6d2a3f3def61c3af581755daf3d8e93b742f80f73a59c61b9833af.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\upfc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:1896

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:1256

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:4076

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
13⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:2272

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
15⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:640

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
17⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
18⤵
PID:4248

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:972

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
19⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
20⤵
PID:2988

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:3568

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
21⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
22⤵
PID:3660

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:1820

C:\Users\Default\Start Menu\spoolsv.exe
"C:\Users\Default\Start Menu\spoolsv.exe"
23⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
24⤵
PID:2604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\USOShared\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\USOShared\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat
Filesize
204B

MD5
761d3877c810c9471b0c13850f87430a

SHA1
f22426ac3af91078eed17846917656cd19f2c027

SHA256
81c363fc012562d5b7f4b4570c2af3d1f88a29450b4310dfad0df58edc5cc830

SHA512
4dd1407c6dad4580c8243a60d11a8da2ca8d624290f7305595a11f8904dca7ddb3e80ebe216eb99be1ac2c24e2d189b877728fd617688e5eed94e7a7ecc2a188

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat
Filesize
204B

MD5
50bd045677ae438c2dd761abd9071561

SHA1
7ef136e9e948934acc1876ec14bbdb0e10ff4fa2

SHA256
01387cb6ca70324e58ce9c29e28d5867d6874beba88e5377d37772367a051072

SHA512
e6a8596cdabe341412fcdcddb820348495f1b41a99f317f2eaa9c0f6f970059d462df6cad97ee62ea96f063d115b30b731566108f244a2745d1a874967868bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat
Filesize
204B

MD5
50bd045677ae438c2dd761abd9071561

SHA1
7ef136e9e948934acc1876ec14bbdb0e10ff4fa2

SHA256
01387cb6ca70324e58ce9c29e28d5867d6874beba88e5377d37772367a051072

SHA512
e6a8596cdabe341412fcdcddb820348495f1b41a99f317f2eaa9c0f6f970059d462df6cad97ee62ea96f063d115b30b731566108f244a2745d1a874967868bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat
Filesize
204B

MD5
7aa16134039adf58729093c3ed13f1c2

SHA1
520565ef77afdf671a6f9634ed906e96be16e0ca

SHA256
c13eb77209b0e87873df85ace9bf42d7748a6fc22da6d2522e96cd0d60fd34fd

SHA512
c29bf744c15b329f039cb2ede0e11bc653930fcaa784ea503d08974cb8cff9329ddea4dcb890fa7277c59255a4fb2a3badb69010a3a9aced65b12404d3060071

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat
Filesize
204B

MD5
88d2bd70e87767d847a4e1e0d2424095

SHA1
ea944897dfe1ae0ade2249dc738292beccfc624f

SHA256
21376424cf3fd2e5cd30d6a7a829c4530758beddf6c61a5039e6e0978b3f359b

SHA512
36ed9293764d73294b6a9389338c9f5ea70a605bc9ab38f9c843bc1ffba4156b8f17ad714d7edc1406562808581fb54cbc81961aabd33633977b6161789a2a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat
Filesize
204B

MD5
4dfde200fa7d7a4e1c818dc862a26484

SHA1
b85bbd45c7841cbb14724a09319d788e51c23c37

SHA256
99c63bbdcfcab1df26e1b42930d4cb6ce1d84fb4da190987eee26765f20a46b6

SHA512
58ba9622b587dc1fbf2c483211a761c1ea39cd4077dab4a8aa160f206050dfc23558fdc89d92c19a3d5abddae68867cb8476d82ec5e1695dd024e4ec3282751c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat
Filesize
204B

MD5
e753a9c306ee7bcafa9b5b612912a5a3

SHA1
c164977d79704b72c2b10afa38dd650fcc1c8a57

SHA256
0c8fec551be4e6c601e80d981508f345f385ee4751b17fc9812f72bfe77439cf

SHA512
9d765e9c11dba4820f5ee1ee904000f3f8319aba9314ad89b44e0fde7fe3a0fd3479ae9518341f0e9dd65a90877dfd3be0c31e3eb0c41c0f096944341b117398

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat
Filesize
204B

MD5
3af9a152018627b781c36a2dcb643af1

SHA1
0c65658867260dde4d2f69dcfa7b3f5c4794b3ad

SHA256
f42dbb453e7a410a864dbc331601d13cd52aec6554ea0b962bb8eb1fcec10d6c

SHA512
92cb17b06648537db5217eabbce5802357e08bb666a3cf99452125e840350173c0ef73793ee67b277b67c04d34d5e060c76d58f556d9b1fdd6250da86fa15ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat
Filesize
204B

MD5
6850e934659ff8ec0d807c6e48cebe1a

SHA1
3ac01f452088f073388b21681a48b9c718a68bae

SHA256
d6e894dd37490d0a21a8062b0447c011c707e76dba014e343f5489f57b186324

SHA512
14832d0f68c18e9b984b4b4f111639d9071950552d0c19fc8776955924b66c52e4c8a8ba813be4ecf51f7d540a14dd73a25dbb5905caf8afcd37f56e75ebe812

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat
Filesize
204B

MD5
6850e934659ff8ec0d807c6e48cebe1a

SHA1
3ac01f452088f073388b21681a48b9c718a68bae

SHA256
d6e894dd37490d0a21a8062b0447c011c707e76dba014e343f5489f57b186324

SHA512
14832d0f68c18e9b984b4b4f111639d9071950552d0c19fc8776955924b66c52e4c8a8ba813be4ecf51f7d540a14dd73a25dbb5905caf8afcd37f56e75ebe812

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Start Menu\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/332-199-0x0000000000000000-mapping.dmp

Download
memory/332-205-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/332-201-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/548-189-0x0000000000000000-mapping.dmp

Download
memory/640-225-0x0000000000000000-mapping.dmp

Download
memory/972-232-0x0000000000000000-mapping.dmp

Download
memory/1016-222-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1016-220-0x0000000000000000-mapping.dmp

Download
memory/1016-226-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1256-204-0x0000000000000000-mapping.dmp

Download
memory/1268-150-0x0000000000000000-mapping.dmp

Download
memory/1268-187-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/1268-166-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/1476-234-0x0000000000000000-mapping.dmp

Download
memory/1476-240-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1476-236-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1652-250-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1652-254-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1652-248-0x0000000000000000-mapping.dmp

Download
memory/1760-194-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1760-198-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1760-191-0x0000000000000000-mapping.dmp

Download
memory/1780-202-0x0000000000000000-mapping.dmp

Download
memory/1820-246-0x0000000000000000-mapping.dmp

Download
memory/1884-212-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1884-208-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/1884-206-0x0000000000000000-mapping.dmp

Download
memory/1896-197-0x0000000000000000-mapping.dmp

Download
memory/1940-168-0x0000000000000000-mapping.dmp

Download
memory/2164-139-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-136-0x0000000000000000-mapping.dmp

Download
memory/2164-157-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2164-140-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2272-218-0x0000000000000000-mapping.dmp

Download
memory/2296-223-0x0000000000000000-mapping.dmp

Download
memory/2512-243-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/2512-247-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/2512-241-0x0000000000000000-mapping.dmp

Download
memory/2604-251-0x0000000000000000-mapping.dmp

Download
memory/2804-161-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2804-146-0x0000000000000000-mapping.dmp

Download
memory/2804-185-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/2988-237-0x0000000000000000-mapping.dmp

Download
memory/3132-219-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/3132-215-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/3132-213-0x0000000000000000-mapping.dmp

Download
memory/3496-209-0x0000000000000000-mapping.dmp

Download
memory/3512-158-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3512-143-0x0000000000000000-mapping.dmp

Download
memory/3512-183-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3568-239-0x0000000000000000-mapping.dmp

Download
memory/3616-176-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3616-156-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3616-142-0x0000000000000000-mapping.dmp

Download
memory/3652-167-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3652-159-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3652-144-0x0000000000000000-mapping.dmp

Download
memory/3660-244-0x0000000000000000-mapping.dmp

Download
memory/3680-160-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3680-179-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3680-145-0x0000000000000000-mapping.dmp

Download
memory/3752-149-0x0000000000000000-mapping.dmp

Download
memory/3752-172-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3752-163-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3844-174-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3844-151-0x0000028F33930000-0x0000028F33952000-memory.dmp

Filesize
136KB

Download
memory/3844-152-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/3844-141-0x0000000000000000-mapping.dmp

Download
memory/3916-253-0x0000000000000000-mapping.dmp

Download
memory/4076-211-0x0000000000000000-mapping.dmp

Download
memory/4116-227-0x0000000000000000-mapping.dmp

Download
memory/4116-233-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/4116-229-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp

Filesize
10.8MB

Download
memory/4244-175-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4244-153-0x0000000000000000-mapping.dmp

Download
memory/4244-164-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4248-230-0x0000000000000000-mapping.dmp

Download
memory/4580-135-0x0000000000000000-mapping.dmp

Download
memory/4596-147-0x0000000000000000-mapping.dmp

Download
memory/4596-182-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4596-165-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4704-190-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4704-162-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/4704-148-0x0000000000000000-mapping.dmp

Download
memory/4776-132-0x0000000000000000-mapping.dmp

Download
memory/4920-195-0x0000000000000000-mapping.dmp

Download
memory/5048-216-0x0000000000000000-mapping.dmp

Download