dcrat | abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe
Size

1.3MB
MD5

c675e476b7698ab8798a9e5c7c04ab5d
SHA1

3fbd33395848cc15f3407c8985450411a340087d
SHA256

abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1
SHA512

c952c76a98cff927ebda3d070ee2a1e372e8094725b083089207418e81c7a24e96a5a1e5b5b63049fd5d88c42f6c76c862f7d35ee848d691fa33caf58c0defab
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	4324	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4820-282-0x0000000000430000-0x0000000000540000-memory.dmp	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid	process
4820	DllCommonsvc.exe
3104	wininit.exe
2684	wininit.exe
760	wininit.exe
2088	wininit.exe
3548	wininit.exe
4112	wininit.exe
2920	wininit.exe
4836	wininit.exe
2204	wininit.exe
3800	wininit.exe
1032	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows NT\Accessories\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\ja-JP\dllhost.exe DllCommonsvc.exe
File created C:\Windows\ja-JP\5940a34987c991 DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\5940a34987c991	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4700	schtasks.exe
4520	schtasks.exe
864	schtasks.exe
4976	schtasks.exe
4708	schtasks.exe
2864	schtasks.exe
372	schtasks.exe
4456	schtasks.exe
5052	schtasks.exe
3712	schtasks.exe
1432	schtasks.exe
588	schtasks.exe
4296	schtasks.exe
4452	schtasks.exe
868	schtasks.exe
2836	schtasks.exe
4612	schtasks.exe
1864	schtasks.exe
4384	schtasks.exe
416	schtasks.exe
4688	schtasks.exe
1152	schtasks.exe
1564	schtasks.exe
5072	schtasks.exe
4208	schtasks.exe
1680	schtasks.exe
688	schtasks.exe
352	schtasks.exe
4604	schtasks.exe
1168	schtasks.exe
5048	schtasks.exe
4704	schtasks.exe
4504	schtasks.exe

Modifies registry class 12 IoCs

Processes:

wininit.exewininit.exewininit.exeDllCommonsvc.exewininit.exewininit.exewininit.exewininit.exeabc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exewininit.exewininit.exewininit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid	process
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
312	powershell.exe
3260	powershell.exe
208	powershell.exe
3296	powershell.exe
3296	powershell.exe
2220	powershell.exe
2220	powershell.exe
2268	powershell.exe
2268	powershell.exe
2292	powershell.exe
2292	powershell.exe
3260	powershell.exe
3260	powershell.exe
3832	powershell.exe
3832	powershell.exe
756	powershell.exe
756	powershell.exe
3296	powershell.exe
2220	powershell.exe
2928	powershell.exe
2928	powershell.exe
2680	powershell.exe
2680	powershell.exe
2292	powershell.exe
3784	powershell.exe
3784	powershell.exe
3296	powershell.exe
3260	powershell.exe
3784	powershell.exe
2292	powershell.exe
2268	powershell.exe
312	powershell.exe
312	powershell.exe
2220	powershell.exe
2928	powershell.exe
208	powershell.exe
208	powershell.exe
2680	powershell.exe
3832	powershell.exe
756	powershell.exe
3784	powershell.exe
2268	powershell.exe
312	powershell.exe
208	powershell.exe
2928	powershell.exe
3832	powershell.exe
2680	powershell.exe
756	powershell.exe
3104	wininit.exe
3104	wininit.exe
2684	wininit.exe
760	wininit.exe
2088	wininit.exe
3548	wininit.exe
4112	wininit.exe
2920	wininit.exe
4836	wininit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4820	DllCommonsvc.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeIncreaseQuotaPrivilege	3296	powershell.exe
Token: SeSecurityPrivilege	3296	powershell.exe
Token: SeTakeOwnershipPrivilege	3296	powershell.exe
Token: SeLoadDriverPrivilege	3296	powershell.exe
Token: SeSystemProfilePrivilege	3296	powershell.exe
Token: SeSystemtimePrivilege	3296	powershell.exe
Token: SeProfSingleProcessPrivilege	3296	powershell.exe
Token: SeIncBasePriorityPrivilege	3296	powershell.exe
Token: SeCreatePagefilePrivilege	3296	powershell.exe
Token: SeBackupPrivilege	3296	powershell.exe
Token: SeRestorePrivilege	3296	powershell.exe
Token: SeShutdownPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeSystemEnvironmentPrivilege	3296	powershell.exe
Token: SeRemoteShutdownPrivilege	3296	powershell.exe
Token: SeUndockPrivilege	3296	powershell.exe
Token: SeManageVolumePrivilege	3296	powershell.exe
Token: 33	3296	powershell.exe
Token: 34	3296	powershell.exe
Token: 35	3296	powershell.exe
Token: 36	3296	powershell.exe
Token: SeIncreaseQuotaPrivilege	3260	powershell.exe
Token: SeSecurityPrivilege	3260	powershell.exe
Token: SeTakeOwnershipPrivilege	3260	powershell.exe
Token: SeLoadDriverPrivilege	3260	powershell.exe
Token: SeSystemProfilePrivilege	3260	powershell.exe
Token: SeSystemtimePrivilege	3260	powershell.exe
Token: SeProfSingleProcessPrivilege	3260	powershell.exe
Token: SeIncBasePriorityPrivilege	3260	powershell.exe
Token: SeCreatePagefilePrivilege	3260	powershell.exe
Token: SeBackupPrivilege	3260	powershell.exe
Token: SeRestorePrivilege	3260	powershell.exe
Token: SeShutdownPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeSystemEnvironmentPrivilege	3260	powershell.exe
Token: SeRemoteShutdownPrivilege	3260	powershell.exe
Token: SeUndockPrivilege	3260	powershell.exe
Token: SeManageVolumePrivilege	3260	powershell.exe
Token: 33	3260	powershell.exe
Token: 34	3260	powershell.exe
Token: 35	3260	powershell.exe
Token: 36	3260	powershell.exe
Token: SeIncreaseQuotaPrivilege	2292	powershell.exe
Token: SeSecurityPrivilege	2292	powershell.exe
Token: SeTakeOwnershipPrivilege	2292	powershell.exe
Token: SeLoadDriverPrivilege	2292	powershell.exe
Token: SeSystemProfilePrivilege	2292	powershell.exe
Token: SeSystemtimePrivilege	2292	powershell.exe
Token: SeProfSingleProcessPrivilege	2292	powershell.exe
Token: SeIncBasePriorityPrivilege	2292	powershell.exe
Token: SeCreatePagefilePrivilege	2292	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exeWScript.execmd.exeDllCommonsvc.execmd.exewininit.execmd.exewininit.execmd.exewininit.execmd.exewininit.execmd.exewininit.exe

description	pid	process	target process
PID 2740 wrote to memory of 4228	2740	abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe	WScript.exe
PID 2740 wrote to memory of 4228	2740	abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe	WScript.exe
PID 2740 wrote to memory of 4228	2740	abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe	WScript.exe
PID 4228 wrote to memory of 4444	4228	WScript.exe	cmd.exe
PID 4228 wrote to memory of 4444	4228	WScript.exe	cmd.exe
PID 4228 wrote to memory of 4444	4228	WScript.exe	cmd.exe
PID 4444 wrote to memory of 4820	4444	cmd.exe	DllCommonsvc.exe
PID 4444 wrote to memory of 4820	4444	cmd.exe	DllCommonsvc.exe
PID 4820 wrote to memory of 3260	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3260	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 312	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 312	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 208	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 208	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3296	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3296	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2268	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2268	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2220	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2220	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2292	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2292	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3832	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3832	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 756	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 756	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2928	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2928	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2680	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 2680	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3784	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 3784	4820	DllCommonsvc.exe	powershell.exe
PID 4820 wrote to memory of 4064	4820	DllCommonsvc.exe	cmd.exe
PID 4820 wrote to memory of 4064	4820	DllCommonsvc.exe	cmd.exe
PID 4064 wrote to memory of 824	4064	cmd.exe	w32tm.exe
PID 4064 wrote to memory of 824	4064	cmd.exe	w32tm.exe
PID 4064 wrote to memory of 3104	4064	cmd.exe	wininit.exe
PID 4064 wrote to memory of 3104	4064	cmd.exe	wininit.exe
PID 3104 wrote to memory of 4592	3104	wininit.exe	cmd.exe
PID 3104 wrote to memory of 4592	3104	wininit.exe	cmd.exe
PID 4592 wrote to memory of 3572	4592	cmd.exe	w32tm.exe
PID 4592 wrote to memory of 3572	4592	cmd.exe	w32tm.exe
PID 4592 wrote to memory of 2684	4592	cmd.exe	wininit.exe
PID 4592 wrote to memory of 2684	4592	cmd.exe	wininit.exe
PID 2684 wrote to memory of 1124	2684	wininit.exe	cmd.exe
PID 2684 wrote to memory of 1124	2684	wininit.exe	cmd.exe
PID 1124 wrote to memory of 2288	1124	cmd.exe	w32tm.exe
PID 1124 wrote to memory of 2288	1124	cmd.exe	w32tm.exe
PID 1124 wrote to memory of 760	1124	cmd.exe	wininit.exe
PID 1124 wrote to memory of 760	1124	cmd.exe	wininit.exe
PID 760 wrote to memory of 2092	760	wininit.exe	cmd.exe
PID 760 wrote to memory of 2092	760	wininit.exe	cmd.exe
PID 2092 wrote to memory of 220	2092	cmd.exe	w32tm.exe
PID 2092 wrote to memory of 220	2092	cmd.exe	w32tm.exe
PID 2092 wrote to memory of 2088	2092	cmd.exe	wininit.exe
PID 2092 wrote to memory of 2088	2092	cmd.exe	wininit.exe
PID 2088 wrote to memory of 4124	2088	wininit.exe	cmd.exe
PID 2088 wrote to memory of 4124	2088	wininit.exe	cmd.exe
PID 4124 wrote to memory of 1564	4124	cmd.exe	w32tm.exe
PID 4124 wrote to memory of 1564	4124	cmd.exe	w32tm.exe
PID 4124 wrote to memory of 3548	4124	cmd.exe	wininit.exe
PID 4124 wrote to memory of 3548	4124	cmd.exe	wininit.exe
PID 3548 wrote to memory of 4784	3548	wininit.exe	cmd.exe
PID 3548 wrote to memory of 4784	3548	wininit.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe
"C:\Users\Admin\AppData\Local\Temp\abc313e92ff329b96b2735bcc18e1795a5093792a0abded91b9fab478dc81ee1.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bJf2fX0smf.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:824

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3572

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:2288

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:220

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1564

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
15⤵
PID:4784

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:4772

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
17⤵
PID:732

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:4776

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"
19⤵
PID:2272

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:5048

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
21⤵
PID:4752

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:4740

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
22⤵
- Executes dropped EXE
- Modifies registry class
PID:2204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
23⤵
PID:3184

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:688

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
24⤵
- Executes dropped EXE
- Modifies registry class
PID:3800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
25⤵
PID:3832

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:1700

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
"C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe"
26⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\DESIGNER\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\DESIGNER\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\wininit.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fe184927205b3a48c4f535c44a022cd8

SHA1
9b5793a0349cc8e14cbb7c6ff523866002842e8e

SHA256
986fca2f778f0a1395b7fe218c4f123526965b9209d426b30b75ad707cbba281

SHA512
e7ff38686cda94c966cfdf8b12212ba6c425f0ec094827629d04b9f39d3c4d282c857906008c4220be9c2deae4da84292bf326bea2d3a4cf8e781483164964b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ab64fc93dfe5b4732f12e99ac7155668

SHA1
24dd0adfa1c38457b0f1ddbc41250ff5c0025749

SHA256
bc1bc7608deef758ec0a489b0da11508a4a51f1e98fffd5678c201002b577301

SHA512
57983ab8ace357456b430f1e294bd339682b6968ded333897fe03ba7f8d83b71f82574a2618370b14831e892e3bc1edd03a39d362e87b5c69372d37212898c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
60e0700aa58036a167aca82905581fe1

SHA1
9660b51a63f41dab60e8ef024da2aa7b9b3b3009

SHA256
3f185328638a479c51d6fb888987d0d9f311cb083ea681e9183162dd9edd57cf

SHA512
75fa0b13bf01bfd95de07c7c3763cd392df1f76ae24d7abc323b35cf7001d9b739a94de57fb5409d8a9492b902461e7130cb8b36c53cdba8aadd0d94ffb832aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3aaf96048724e730889bb3b01f3a50a9

SHA1
fea8ccb16d72ec8ccdf2b3eb71531b5ee4a1e2fc

SHA256
fa80c0a0136eb08226bda32adbd1ddbf02060b4da27f7491a41c935fbd914218

SHA512
a50249654f9bd5ec35ce39a68d0adb1b83b5b15dd952b56b1f57b55486bf4c38cabb8dc348bd1ad7989f1e123ba3bd5d0c695c590c0f143ddbd2dcdf5673835a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d2c718bb6ce5f406c6bb118fc838656

SHA1
aa74b9ff855d7dcc1aecab6d990df87f1ba793ae

SHA256
4608ba6f718e751f357274e0b1ad78dca436b5e53860d606a062c15b88b58447

SHA512
0b26210a753ea16a00fdf0e0777d5e96278ab257bb25cf071d6d6ada57ebbe1f652f1f854626bb3eddb4adca4575d95d560ec3fe09e48450d470cd5a8e1296cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8cd34593b8347a6ec069775e32802291

SHA1
7fc111decaa8afdf496d82e850dc84c612fe5197

SHA256
9d0617a88256164cd731f76ef30a980c628653185b1a4e53fbb075f744a75875

SHA512
4b3af3b24b392d1ec0e9c132f85016c1eaf07d0795ef0ae571d7ceb6b7233e9ef614bfea84e42246a1e0e13ccbf24645c9d62c175d22d49ca9530f648cffd345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51f747002d3dc1f97325dfe76e42e6f6

SHA1
66b9e9f40ee3a305dedc60adc8bb0cc381c0b474

SHA256
645506bdfa163e37e82d9dbc92e0cf90d49c531fd6f909d7ae38d01fcc22883b

SHA512
262790a2d693d961a87bf73411fb61fff09565145e70c317c4ace953c78a0ccde4bc2e314c75d4376ff192eaaa8f837a1d4cd63b67412c6b6a1a5708d96c179c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51f747002d3dc1f97325dfe76e42e6f6

SHA1
66b9e9f40ee3a305dedc60adc8bb0cc381c0b474

SHA256
645506bdfa163e37e82d9dbc92e0cf90d49c531fd6f909d7ae38d01fcc22883b

SHA512
262790a2d693d961a87bf73411fb61fff09565145e70c317c4ace953c78a0ccde4bc2e314c75d4376ff192eaaa8f837a1d4cd63b67412c6b6a1a5708d96c179c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c97405b4fd29c1e0545a6af0b9f7d019

SHA1
06d4b76ada5401320cd1929f63ad1190be048ef4

SHA256
bdf8818afad5664e1963472d9049adaf4811c13c1b4bb42042041f7d5bda9d07

SHA512
3c8342942c322911a6b5edfa668e9e7ed899290378108d5dda032b202ba4dea5d2dd61d9c736ac0bd70ae09d5abdcee7064208b99c3973c0a6236fb3c78f930e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f5fcdba1f63a17afdd2c14adde27c80d

SHA1
fe6ed0ca450e17001007526cfda3559dccba775b

SHA256
06220e3e9817d36691671dbccd90ff6dfc5198dfdaed330b0fe9b4862606f895

SHA512
5387f974382745b6bdad4aae40d946be9a45d4c22cc9e9900c56372c13c175559f6c117dd064ff0629d3aa761637c616692a622a7ef08d5ffcc6addad4c5d48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f5fcdba1f63a17afdd2c14adde27c80d

SHA1
fe6ed0ca450e17001007526cfda3559dccba775b

SHA256
06220e3e9817d36691671dbccd90ff6dfc5198dfdaed330b0fe9b4862606f895

SHA512
5387f974382745b6bdad4aae40d946be9a45d4c22cc9e9900c56372c13c175559f6c117dd064ff0629d3aa761637c616692a622a7ef08d5ffcc6addad4c5d48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat
Filesize
222B

MD5
c687147b28e1ca2769e4cba2b9e0023f

SHA1
e14347abf2ee71a887d00d378b4aca9cdf485674

SHA256
a1c03a6c785cac2d563684b6d12cfc5cb9709159d44fd682a5f818c78a448b2f

SHA512
e24ec1c37a974e63dded819fc5826ce3bc6753826df924509a81fad0c6560e2c8d8a5ffb2601ad6fdcd46cb2a9afaebb8ce18c1af4f18633b64d9e8450311255

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat
Filesize
222B

MD5
1b394bcf233d75d4452bba966de2dabe

SHA1
426bfbb6c4fe47ade32a283a89170abd167c325c

SHA256
2d84a9fc147f8ed2f492253d995bc729ced9a16e1f88d647d6e7c2d75d7ae5ce

SHA512
21c88342b57c87a6d0b0f4c3699afef5d44e36585281f1ee808553e17d462ed14f0db92edbaac3ba2de2e87fd884cecc5fd1ea8ca0d2e8a923844278fa189df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat
Filesize
222B

MD5
ca72bbed32afc0cf05cf2b17700f2358

SHA1
4c2d411215a770c8f6ed2cf6b80a72ed9d782e6b

SHA256
abe9ec78459887936338c0d023cabc3dd6fb1d6fd03911b16243f69d89b8c7ff

SHA512
b4d61a1ccdef50ca04d73b428ffb6191cd93e68f7257b48a7de70a61919a116b97f136db0b30b9bc3c1386fcdb46f1b0b64c239e7530fd912ccf2fd2fa69f3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat
Filesize
222B

MD5
6a9edbb2eb9034fdc834879e1dab2ce0

SHA1
c06073a8017209db2a204895e6cde34d325a6fcf

SHA256
7ad81dbe840eea91263f7e634c1690b29606fbe0887ae067e901a6ee422c04ea

SHA512
3843f783127faeca4f5b6e1745b1b87887ab9333e41e65d98db250e529b0c4ba97a45ec153ca5f5fe351fb3d0f5f730b9f835e2b6491dbb887a29d3cb98056cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat
Filesize
222B

MD5
43ee20f2439a123fffed696fbd94ec6a

SHA1
559d5953327b2097d72a5d4100cae409723cbcf4

SHA256
1996a72dfff13f9e8c0cf9f2e31fed13519d877e63475d1a702e02f3625d75a6

SHA512
424d350d2c7130d71597c1dbafe85fbffe68c3ffa51817b9392f3c93a9f4105035832179f1f988bac6e8a6fdf83a7bf9d029890610e045268ff9d2aebdca880e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat
Filesize
222B

MD5
43ee20f2439a123fffed696fbd94ec6a

SHA1
559d5953327b2097d72a5d4100cae409723cbcf4

SHA256
1996a72dfff13f9e8c0cf9f2e31fed13519d877e63475d1a702e02f3625d75a6

SHA512
424d350d2c7130d71597c1dbafe85fbffe68c3ffa51817b9392f3c93a9f4105035832179f1f988bac6e8a6fdf83a7bf9d029890610e045268ff9d2aebdca880e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat
Filesize
222B

MD5
766fc4967747974e5283c39bf67ecdbc

SHA1
5522751f6586591e24229e49f3f06d3b07059937

SHA256
216e55f8a536d6f72d375af36298269d1bcdfba147b676c311399a0979077f04

SHA512
dab713d6df823713a7c9aeb2c15b1ec34d1abfe6b2d0133f37942e5c476188a14b71dbcf8ca97476a293685486910029b97757e9de26d8b837d531792d148966

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat
Filesize
222B

MD5
89aa07b2f96efd6b2f97940cfca00f24

SHA1
23ed943df6954c51d565c22c1c11689bc3d0a4a4

SHA256
a9a85220b3c16370f6d84cffd11f87f351cb3e0d2a0523248e1de8d0ba721ed3

SHA512
ead2a4f9ee72318f8fa31ddab7295f948e1d6ddf6bfaf3a03e14512b1b6fddb49db2fb831dfdfdd97a303e28597cdbca59c268c75fe51f49c3ce8faf065d07ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bJf2fX0smf.bat
Filesize
222B

MD5
2d338c8133db30124786eeda0eb19b62

SHA1
b15b222fa8ade8eebb93af496f81f1a9fe2d3822

SHA256
82991694e704636f1b1e884e6e37ad01d472666eec9b7c8800490a21c298abd8

SHA512
e4a0549d6a9293114171bb0907773e541085ec976f5a0335cdbeaf9922f4b06977f7ad992d522f2a8fd2dba08f0ba40b03960f6c07121924aae57ab6032ccb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat
Filesize
222B

MD5
728563ffd12257e4afb4d83c47a5ba01

SHA1
8676142619ae19f78863c8945c1a2dd5c77b2e4f

SHA256
7b9ee00d3ded105ad687a144bd7d13a09f1d715eafcb5bb0a1a085900573a90e

SHA512
7a67b6e8d2a5bde280e10661be9816e57e6d1af8e0ebc1f0c05cb47efca6d93270e1c93e6ed0a9581adee727685be3cd70bcae8aa9c68d67121729873caacf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat
Filesize
222B

MD5
9e809b69587e857aa7ff1dab03480890

SHA1
8c2a4c9c4ebf9b3145d3d994d508043d7f3a97fb

SHA256
15d972ecacca4247ba7dbc44378da11b9a915c3a23a3b828fafdd721b083bb13

SHA512
20922661d0c7243bec970be1afc4f794e11d53d78c9fa0d28b296c5f8170068af4bae498c58698224333c1cd4ba9d71a6a9ec8da8fe3ee3bd8867844fb609846

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/208-289-0x0000000000000000-mapping.dmp

Download
memory/220-730-0x0000000000000000-mapping.dmp

Download
memory/312-288-0x0000000000000000-mapping.dmp

Download
memory/688-763-0x0000000000000000-mapping.dmp

Download
memory/732-744-0x0000000000000000-mapping.dmp

Download
memory/756-295-0x0000000000000000-mapping.dmp

Download
memory/760-727-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/760-725-0x0000000000000000-mapping.dmp

Download
memory/824-413-0x0000000000000000-mapping.dmp

Download
memory/1032-772-0x0000000001830000-0x0000000001842000-memory.dmp

Filesize
72KB

Download
memory/1032-770-0x0000000000000000-mapping.dmp

Download
memory/1124-722-0x0000000000000000-mapping.dmp

Download
memory/1564-736-0x0000000000000000-mapping.dmp

Download
memory/1700-769-0x0000000000000000-mapping.dmp

Download
memory/2088-733-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/2088-731-0x0000000000000000-mapping.dmp

Download
memory/2092-728-0x0000000000000000-mapping.dmp

Download
memory/2204-758-0x0000000000000000-mapping.dmp

Download
memory/2204-760-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/2220-292-0x0000000000000000-mapping.dmp

Download
memory/2268-291-0x0000000000000000-mapping.dmp

Download
memory/2272-749-0x0000000000000000-mapping.dmp

Download
memory/2288-724-0x0000000000000000-mapping.dmp

Download
memory/2292-293-0x0000000000000000-mapping.dmp

Download
memory/2680-300-0x0000000000000000-mapping.dmp

Download
memory/2684-721-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/2684-718-0x0000000000000000-mapping.dmp

Download
memory/2740-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-144-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-178-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-124-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-125-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-126-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-127-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-129-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-130-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-119-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-131-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-132-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-116-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-175-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-133-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-134-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-136-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-137-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-172-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-138-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-140-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-121-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-122-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-158-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-139-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-156-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-135-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-118-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-117-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-146-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-145-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-167-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-142-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-128-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-141-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-747-0x0000000000000000-mapping.dmp

Download
memory/2928-297-0x0000000000000000-mapping.dmp

Download
memory/3104-660-0x0000000000000000-mapping.dmp

Download
memory/3184-761-0x0000000000000000-mapping.dmp

Download
memory/3260-353-0x000002B8E1FD0000-0x000002B8E2046000-memory.dmp

Filesize
472KB

Download
memory/3260-287-0x0000000000000000-mapping.dmp

Download
memory/3260-347-0x000002B8E1E20000-0x000002B8E1E42000-memory.dmp

Filesize
136KB

Download
memory/3296-290-0x0000000000000000-mapping.dmp

Download
memory/3548-737-0x0000000000000000-mapping.dmp

Download
memory/3572-717-0x0000000000000000-mapping.dmp

Download
memory/3784-304-0x0000000000000000-mapping.dmp

Download
memory/3800-764-0x0000000000000000-mapping.dmp

Download
memory/3800-766-0x0000000002BD0000-0x0000000002BE2000-memory.dmp

Filesize
72KB

Download
memory/3832-294-0x0000000000000000-mapping.dmp

Download
memory/3832-767-0x0000000000000000-mapping.dmp

Download
memory/4064-335-0x0000000000000000-mapping.dmp

Download
memory/4112-742-0x0000000000000000-mapping.dmp

Download
memory/4124-734-0x0000000000000000-mapping.dmp

Download
memory/4228-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4228-180-0x0000000000000000-mapping.dmp

Download
memory/4228-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4444-256-0x0000000000000000-mapping.dmp

Download
memory/4592-715-0x0000000000000000-mapping.dmp

Download
memory/4740-757-0x0000000000000000-mapping.dmp

Download
memory/4752-755-0x0000000000000000-mapping.dmp

Download
memory/4772-741-0x0000000000000000-mapping.dmp

Download
memory/4776-746-0x0000000000000000-mapping.dmp

Download
memory/4784-739-0x0000000000000000-mapping.dmp

Download
memory/4820-286-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/4820-285-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/4820-284-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/4820-283-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/4820-282-0x0000000000430000-0x0000000000540000-memory.dmp

Filesize
1.1MB

Download
memory/4820-279-0x0000000000000000-mapping.dmp

Download
memory/4836-754-0x0000000001340000-0x0000000001352000-memory.dmp

Filesize
72KB

Download
memory/4836-752-0x0000000000000000-mapping.dmp

Download
memory/5048-751-0x0000000000000000-mapping.dmp

Download