dcrat | b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe
Size

1.3MB
MD5

0ca290e31ad46426c4a54ea1e7de9cdf
SHA1

b4ad96a7106649c899d1c2e48bf94aad781d139e
SHA256

b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d
SHA512

5db49937181da09527fe070bc44a571608086595fc7c6a8d430fbd66ecd4c281d7d766a816ebd74cc4d0c7afce0b195c921f5d8bcbe13f8086de40ba69712f0f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4448	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4556-139-0x0000000000420000-0x0000000000530000-memory.dmp	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeDllCommonsvc.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeWScript.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeb78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exeStartMenuExperienceHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid	process
4556	DllCommonsvc.exe
4136	StartMenuExperienceHost.exe
4112	StartMenuExperienceHost.exe
3548	StartMenuExperienceHost.exe
2620	StartMenuExperienceHost.exe
396	StartMenuExperienceHost.exe
4332	StartMenuExperienceHost.exe
5064	StartMenuExperienceHost.exe
2588	StartMenuExperienceHost.exe
3144	StartMenuExperienceHost.exe
812	StartMenuExperienceHost.exe
1484	StartMenuExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3272	schtasks.exe
1128	schtasks.exe
1752	schtasks.exe
4196	schtasks.exe
2964	schtasks.exe
2332	schtasks.exe
3220	schtasks.exe
3860	schtasks.exe
4652	schtasks.exe
3476	schtasks.exe
2364	schtasks.exe
2176	schtasks.exe
4620	schtasks.exe
964	schtasks.exe
216	schtasks.exe
2896	schtasks.exe
2232	schtasks.exe
3784	schtasks.exe
2564	schtasks.exe
1784	schtasks.exe
2508	schtasks.exe
864	schtasks.exe
1700	schtasks.exe
4232	schtasks.exe

Modifies registry class 12 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeb78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid	process
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
4556	DllCommonsvc.exe
3704	powershell.exe
3744	powershell.exe
3744	powershell.exe
4544	powershell.exe
4544	powershell.exe
3376	powershell.exe
3376	powershell.exe
3096	powershell.exe
3096	powershell.exe
3744	powershell.exe
4424	powershell.exe
4424	powershell.exe
4188	powershell.exe
4188	powershell.exe
2932	powershell.exe
2932	powershell.exe
4540	powershell.exe
4540	powershell.exe
4136	StartMenuExperienceHost.exe
4136	StartMenuExperienceHost.exe
3704	powershell.exe
3704	powershell.exe
4544	powershell.exe
3096	powershell.exe
3376	powershell.exe
4424	powershell.exe
4188	powershell.exe
2932	powershell.exe
4540	powershell.exe
4112	StartMenuExperienceHost.exe
3548	StartMenuExperienceHost.exe
2620	StartMenuExperienceHost.exe
396	StartMenuExperienceHost.exe
4332	StartMenuExperienceHost.exe
5064	StartMenuExperienceHost.exe
2588	StartMenuExperienceHost.exe
3144	StartMenuExperienceHost.exe
812	StartMenuExperienceHost.exe
1484	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4556	DllCommonsvc.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4136	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4112	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3548	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2620	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	396	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4332	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5064	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2588	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3144	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	812	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1484	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exeWScript.execmd.exeDllCommonsvc.exeStartMenuExperienceHost.execmd.exeStartMenuExperienceHost.execmd.exeStartMenuExperienceHost.execmd.exeStartMenuExperienceHost.execmd.exeStartMenuExperienceHost.execmd.exeStartMenuExperienceHost.execmd.exe

description	pid	process	target process
PID 4748 wrote to memory of 4716	4748	b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe	WScript.exe
PID 4748 wrote to memory of 4716	4748	b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe	WScript.exe
PID 4748 wrote to memory of 4716	4748	b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe	WScript.exe
PID 4716 wrote to memory of 5036	4716	WScript.exe	cmd.exe
PID 4716 wrote to memory of 5036	4716	WScript.exe	cmd.exe
PID 4716 wrote to memory of 5036	4716	WScript.exe	cmd.exe
PID 5036 wrote to memory of 4556	5036	cmd.exe	DllCommonsvc.exe
PID 5036 wrote to memory of 4556	5036	cmd.exe	DllCommonsvc.exe
PID 4556 wrote to memory of 3704	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3704	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3744	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3744	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4544	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4544	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3376	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3376	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3096	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 3096	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4188	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4188	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4424	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4424	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4540	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4540	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 2932	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 2932	4556	DllCommonsvc.exe	powershell.exe
PID 4556 wrote to memory of 4136	4556	DllCommonsvc.exe	StartMenuExperienceHost.exe
PID 4556 wrote to memory of 4136	4556	DllCommonsvc.exe	StartMenuExperienceHost.exe
PID 4136 wrote to memory of 1368	4136	StartMenuExperienceHost.exe	cmd.exe
PID 4136 wrote to memory of 1368	4136	StartMenuExperienceHost.exe	cmd.exe
PID 1368 wrote to memory of 4196	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 4196	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 4112	1368	cmd.exe	StartMenuExperienceHost.exe
PID 1368 wrote to memory of 4112	1368	cmd.exe	StartMenuExperienceHost.exe
PID 4112 wrote to memory of 2156	4112	StartMenuExperienceHost.exe	cmd.exe
PID 4112 wrote to memory of 2156	4112	StartMenuExperienceHost.exe	cmd.exe
PID 2156 wrote to memory of 4680	2156	cmd.exe	w32tm.exe
PID 2156 wrote to memory of 4680	2156	cmd.exe	w32tm.exe
PID 2156 wrote to memory of 3548	2156	cmd.exe	StartMenuExperienceHost.exe
PID 2156 wrote to memory of 3548	2156	cmd.exe	StartMenuExperienceHost.exe
PID 3548 wrote to memory of 2080	3548	StartMenuExperienceHost.exe	cmd.exe
PID 3548 wrote to memory of 2080	3548	StartMenuExperienceHost.exe	cmd.exe
PID 2080 wrote to memory of 2912	2080	cmd.exe	w32tm.exe
PID 2080 wrote to memory of 2912	2080	cmd.exe	w32tm.exe
PID 2080 wrote to memory of 2620	2080	cmd.exe	StartMenuExperienceHost.exe
PID 2080 wrote to memory of 2620	2080	cmd.exe	StartMenuExperienceHost.exe
PID 2620 wrote to memory of 4916	2620	StartMenuExperienceHost.exe	cmd.exe
PID 2620 wrote to memory of 4916	2620	StartMenuExperienceHost.exe	cmd.exe
PID 4916 wrote to memory of 4156	4916	cmd.exe	w32tm.exe
PID 4916 wrote to memory of 4156	4916	cmd.exe	w32tm.exe
PID 4916 wrote to memory of 396	4916	cmd.exe	StartMenuExperienceHost.exe
PID 4916 wrote to memory of 396	4916	cmd.exe	StartMenuExperienceHost.exe
PID 396 wrote to memory of 2128	396	StartMenuExperienceHost.exe	cmd.exe
PID 396 wrote to memory of 2128	396	StartMenuExperienceHost.exe	cmd.exe
PID 2128 wrote to memory of 4812	2128	cmd.exe	w32tm.exe
PID 2128 wrote to memory of 4812	2128	cmd.exe	w32tm.exe
PID 2128 wrote to memory of 4332	2128	cmd.exe	StartMenuExperienceHost.exe
PID 2128 wrote to memory of 4332	2128	cmd.exe	StartMenuExperienceHost.exe
PID 4332 wrote to memory of 3712	4332	StartMenuExperienceHost.exe	cmd.exe
PID 4332 wrote to memory of 3712	4332	StartMenuExperienceHost.exe	cmd.exe
PID 3712 wrote to memory of 5088	3712	cmd.exe	w32tm.exe
PID 3712 wrote to memory of 5088	3712	cmd.exe	w32tm.exe
PID 3712 wrote to memory of 5064	3712	cmd.exe	StartMenuExperienceHost.exe
PID 3712 wrote to memory of 5064	3712	cmd.exe	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe
"C:\Users\Admin\AppData\Local\Temp\b78b9e80088687ac515e40f293ef8a3a3eaccb36b58c3c79afc170b00fd3d31d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4196

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4680

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2912

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:4156

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:4812

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:5088

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
18⤵
PID:2868

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1852

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
20⤵
PID:4444

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:4252

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
22⤵
PID:4064

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:1084

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
24⤵
PID:3620

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4560

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
26⤵
PID:4152

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat
Filesize
214B

MD5
481b8a779906448a03cdd212cc931c26

SHA1
c90ab086627c8c8f57e8e8bce987e7f723a5a98f

SHA256
3f1bec1671450d494c3b5283ead51e5f3850f386fd99bdb54b0d04920e29b19b

SHA512
23dd2ad5a2298a1033795186fcc946878865e7d5eaa9a28e45e796f982b7de09c3731bb09f9f90bcb0f4060f8554df4e069df378d2e641b9c925b85f44e13cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat
Filesize
214B

MD5
ee26318cc4eec6fc364de7e6159f5b9a

SHA1
0596f80ff3bf5342796db23f6345a2a0dbf1df53

SHA256
0fd0c0c4fc4fb772ed76e79056b0aead368717d0c461463191d698bce7aab5d1

SHA512
f3444ee416379021b19d4d2b5704a167cf2722b94aa4124da7dcd178b8dc584f063f823546c8934121b90c28746e19c9ab2308100c7a8801be44e399aef29f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat
Filesize
214B

MD5
ee26318cc4eec6fc364de7e6159f5b9a

SHA1
0596f80ff3bf5342796db23f6345a2a0dbf1df53

SHA256
0fd0c0c4fc4fb772ed76e79056b0aead368717d0c461463191d698bce7aab5d1

SHA512
f3444ee416379021b19d4d2b5704a167cf2722b94aa4124da7dcd178b8dc584f063f823546c8934121b90c28746e19c9ab2308100c7a8801be44e399aef29f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat
Filesize
214B

MD5
16c48adbebe9bd29203091d61f9f4548

SHA1
640a9e955b5c357cf3b2c642af89738c55b4cd2f

SHA256
b78826a07cac5b21ae45424077504e47f11d514bdc3ef8ef238a46da6889d827

SHA512
6a32753ca92534a230ca43a71af63e21f76a876638b1b60e221ed0392cb15172a6001767ceba4b81075eced9bb6ef556f991e8edc0bb75f37ff3b6bd4d936562

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat
Filesize
214B

MD5
e7149eb8c26b097998d90415dab4ca0e

SHA1
de9d8213ee2118ae2c186ca4bc24917fd827abd2

SHA256
44e1075e31aebfb1aba4bab2c0ce73532a308b617cdc188ab6969ede33905a31

SHA512
dc171adbf63ce182fbe2d9a29c4d8cbf4a5e118bdd40cce3d1372b46f1ac1d3e36fdecedd813b547c4cb38f8a4f13f4e379be7f799de0a37d2f294dd3853313f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat
Filesize
214B

MD5
e7149eb8c26b097998d90415dab4ca0e

SHA1
de9d8213ee2118ae2c186ca4bc24917fd827abd2

SHA256
44e1075e31aebfb1aba4bab2c0ce73532a308b617cdc188ab6969ede33905a31

SHA512
dc171adbf63ce182fbe2d9a29c4d8cbf4a5e118bdd40cce3d1372b46f1ac1d3e36fdecedd813b547c4cb38f8a4f13f4e379be7f799de0a37d2f294dd3853313f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat
Filesize
214B

MD5
b4043bc68f944edf4ca2d4617ffb5ace

SHA1
9efe7bb542d0caafe677cc155b1d91def2490ae5

SHA256
5ecb6e3e8d30eb3435f67e466af9f0a19e73c7000500ed3096142363c9b93d50

SHA512
7856d91786c8c146c84581fd1db0ea8423ed6d4833439f0b5ae02c0592ac5030c9bf19c477cf9cbd2360ada70f7c5d72c1704a9af56efbdb11238c361fae858f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat
Filesize
214B

MD5
58d7d971657ae675cf54a553223d7b8c

SHA1
2b85f25940d031e7ebaba1794375758f9ea987b5

SHA256
01e9ca9f61fc19d891f03970fcf5045f450d176790206485d44db5555a376959

SHA512
e7af5130918c998af6c39d8fc34fb9a0cb3ed55071b48879514aa0ed2e9cfa94e39ce66030cbb819109f3937eec5306808586a08b4531f127c33f233076f347b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat
Filesize
214B

MD5
1987032c7f0470faabd14f4c4b86cd6f

SHA1
ec0f2a834d10ab2b05a593f4f0cbc70397495e34

SHA256
f63ca3073174bfb2f9014d2a6623cae0c2b14dfced3fb0f69cd51b4be7efc1e2

SHA512
438e0da81a166cc8ce5b94f76aa19c33d01934d99ccc13750df15db9a3f37aabd7b1ff7ac4f8aaf3a19de0af8cf5e127a6d91d755e04fd3c8df52c1287d66f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat
Filesize
214B

MD5
36879b0cab793f8e2ade6bcc99253fce

SHA1
859802ff53adef3cdabe3f4ccd31a1c27b951c7a

SHA256
c7328776bcffdf1e6781a2afaaf7eec257748428cf5de0633d2817b9b8b6e1dc

SHA512
ad23383ef7f1789cc3fa4fecc01da31c538c7bcbbb9c915b934c4273c0901e1cd1a09017d1452d2eb45a5775880d7030a737e662798935ec80c9594563b8c8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat
Filesize
214B

MD5
f2a1906278a4596e7753dc621f90ca42

SHA1
ce50cbfa062b0ce4755b0471095e6166487a1b3a

SHA256
e1530df3ba82c1d513640ef1ada7ce8875d6231ea2f19408e72d11e5a62ae0f2

SHA512
e7f16ceffb9b5eae8719bce0fc95775fa1c6adcadb5e9d48da04b471a0d9f0d3db2bb751af169b1f0a6612029028bcee08e74d26fc07119d1a5d5991d26793ce

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-215-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/396-211-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/396-209-0x0000000000000000-mapping.dmp

Download
memory/812-244-0x0000000000000000-mapping.dmp

Download
memory/812-246-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/812-248-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/944-256-0x0000000000000000-mapping.dmp

Download
memory/1084-242-0x0000000000000000-mapping.dmp

Download
memory/1368-183-0x0000000000000000-mapping.dmp

Download
memory/1484-257-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/1484-251-0x0000000000000000-mapping.dmp

Download
memory/1484-253-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-228-0x0000000000000000-mapping.dmp

Download
memory/2080-198-0x0000000000000000-mapping.dmp

Download
memory/2128-212-0x0000000000000000-mapping.dmp

Download
memory/2156-191-0x0000000000000000-mapping.dmp

Download
memory/2588-236-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-230-0x0000000000000000-mapping.dmp

Download
memory/2588-232-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-202-0x0000000000000000-mapping.dmp

Download
memory/2620-208-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-204-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-226-0x0000000000000000-mapping.dmp

Download
memory/2912-200-0x0000000000000000-mapping.dmp

Download
memory/2932-177-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/2932-149-0x0000000000000000-mapping.dmp

Download
memory/2932-162-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3096-145-0x0000000000000000-mapping.dmp

Download
memory/3096-176-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3096-158-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3144-243-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-239-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-237-0x0000000000000000-mapping.dmp

Download
memory/3376-144-0x0000000000000000-mapping.dmp

Download
memory/3376-180-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3376-159-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3548-197-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-201-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-195-0x0000000000000000-mapping.dmp

Download
memory/3620-247-0x0000000000000000-mapping.dmp

Download
memory/3704-150-0x00000145F5CD0000-0x00000145F5CF2000-memory.dmp

Filesize
136KB

Download
memory/3704-154-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3704-167-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3704-141-0x0000000000000000-mapping.dmp

Download
memory/3712-219-0x0000000000000000-mapping.dmp

Download
memory/3744-168-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3744-156-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/3744-142-0x0000000000000000-mapping.dmp

Download
memory/4064-240-0x0000000000000000-mapping.dmp

Download
memory/4112-190-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/4112-194-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/4112-187-0x0000000000000000-mapping.dmp

Download
memory/4136-151-0x0000000000000000-mapping.dmp

Download
memory/4136-185-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4136-164-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4152-254-0x0000000000000000-mapping.dmp

Download
memory/4156-207-0x0000000000000000-mapping.dmp

Download
memory/4188-146-0x0000000000000000-mapping.dmp

Download
memory/4188-174-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4188-160-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4196-186-0x0000000000000000-mapping.dmp

Download
memory/4252-235-0x0000000000000000-mapping.dmp

Download
memory/4332-218-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-222-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-216-0x0000000000000000-mapping.dmp

Download
memory/4424-147-0x0000000000000000-mapping.dmp

Download
memory/4424-179-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4424-161-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4444-233-0x0000000000000000-mapping.dmp

Download
memory/4540-182-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4540-148-0x0000000000000000-mapping.dmp

Download
memory/4540-163-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4544-143-0x0000000000000000-mapping.dmp

Download
memory/4544-157-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4544-170-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4556-140-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4556-155-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

Filesize
10.8MB

Download
memory/4556-136-0x0000000000000000-mapping.dmp

Download
memory/4556-139-0x0000000000420000-0x0000000000530000-memory.dmp

Filesize
1.1MB

Download
memory/4560-250-0x0000000000000000-mapping.dmp

Download
memory/4680-193-0x0000000000000000-mapping.dmp

Download
memory/4716-132-0x0000000000000000-mapping.dmp

Download
memory/4812-214-0x0000000000000000-mapping.dmp

Download
memory/4916-205-0x0000000000000000-mapping.dmp

Download
memory/5036-135-0x0000000000000000-mapping.dmp

Download
memory/5064-223-0x0000000000000000-mapping.dmp

Download
memory/5064-225-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-229-0x00007FF9D3D10000-0x00007FF9D47D1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-221-0x0000000000000000-mapping.dmp

Download