dcrat | a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe
Size

1.3MB
MD5

e0be955500361c2d46cc51353719c430
SHA1

c5a5f72bdda885e13d2d2cdafbd22062608c5a7f
SHA256

a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81
SHA512

03db094393eda5bde5f35edb6b1f1c23e8d22ed5ad761641eb4da1d4360663ab1773cd677fc45f7e337f97c18b180ec05c4e94d2e6e429ebf89e02d1035c9935
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	444	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/1672-139-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat
C:\Recovery\WindowsRE\System.exe	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeWScript.exeDllCommonsvc.exeSystem.exeSystem.exeSystem.exea61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exeSystem.exeSystem.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	process
1672	DllCommonsvc.exe
4308	System.exe
5068	System.exe
68	System.exe
1548	System.exe
1060	System.exe
972	System.exe
2884	System.exe
1744	System.exe
5116	System.exe
4396	System.exe
4648	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\0409\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\0409\5940a34987c991	DllCommonsvc.exe

Drops file in Program Files directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\Fonts\fontdrvhost.exe DllCommonsvc.exe
File created C:\Windows\Fonts\5b884080fd4f94 DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Fonts\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\5b884080fd4f94	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3176	schtasks.exe
1868	schtasks.exe
752	schtasks.exe
2104	schtasks.exe
232	schtasks.exe
2200	schtasks.exe
3116	schtasks.exe
4132	schtasks.exe
2848	schtasks.exe
216	schtasks.exe
5108	schtasks.exe
1352	schtasks.exe
4908	schtasks.exe
4060	schtasks.exe
2264	schtasks.exe
4272	schtasks.exe
884	schtasks.exe
4644	schtasks.exe
3104	schtasks.exe
4768	schtasks.exe
4232	schtasks.exe
3996	schtasks.exe
4932	schtasks.exe
1028	schtasks.exe
1116	schtasks.exe
3212	schtasks.exe
4056	schtasks.exe

Modifies registry class 11 IoCs

Processes:

a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	System.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	process
1672	DllCommonsvc.exe
1672	DllCommonsvc.exe
1672	DllCommonsvc.exe
1672	DllCommonsvc.exe
1672	DllCommonsvc.exe
1672	DllCommonsvc.exe
1672	DllCommonsvc.exe
1256	powershell.exe
1608	powershell.exe
4444	powershell.exe
1368	powershell.exe
1368	powershell.exe
3352	powershell.exe
3352	powershell.exe
4268	powershell.exe
4268	powershell.exe
2100	powershell.exe
2100	powershell.exe
2724	powershell.exe
2724	powershell.exe
1504	powershell.exe
1504	powershell.exe
2076	powershell.exe
2076	powershell.exe
4308	System.exe
4308	System.exe
1256	powershell.exe
1256	powershell.exe
1608	powershell.exe
1608	powershell.exe
4444	powershell.exe
4444	powershell.exe
1368	powershell.exe
3352	powershell.exe
1504	powershell.exe
2100	powershell.exe
4268	powershell.exe
2076	powershell.exe
2724	powershell.exe
5068	System.exe
68	System.exe
1548	System.exe
1060	System.exe
972	System.exe
2884	System.exe
1744	System.exe
5116	System.exe
4396	System.exe
4648	System.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1672	DllCommonsvc.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	4308	System.exe
Token: SeDebugPrivilege	5068	System.exe
Token: SeDebugPrivilege	68	System.exe
Token: SeDebugPrivilege	1548	System.exe
Token: SeDebugPrivilege	1060	System.exe
Token: SeDebugPrivilege	972	System.exe
Token: SeDebugPrivilege	2884	System.exe
Token: SeDebugPrivilege	1744	System.exe
Token: SeDebugPrivilege	5116	System.exe
Token: SeDebugPrivilege	4396	System.exe
Token: SeDebugPrivilege	4648	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exeWScript.execmd.exeDllCommonsvc.exeSystem.execmd.exeSystem.execmd.exeSystem.execmd.exeSystem.execmd.exeSystem.execmd.exeSystem.execmd.exe

description	pid	process	target process
PID 4216 wrote to memory of 2268	4216	a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe	WScript.exe
PID 4216 wrote to memory of 2268	4216	a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe	WScript.exe
PID 4216 wrote to memory of 2268	4216	a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe	WScript.exe
PID 2268 wrote to memory of 4580	2268	WScript.exe	cmd.exe
PID 2268 wrote to memory of 4580	2268	WScript.exe	cmd.exe
PID 2268 wrote to memory of 4580	2268	WScript.exe	cmd.exe
PID 4580 wrote to memory of 1672	4580	cmd.exe	DllCommonsvc.exe
PID 4580 wrote to memory of 1672	4580	cmd.exe	DllCommonsvc.exe
PID 1672 wrote to memory of 4268	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 4268	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1256	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1256	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1608	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1608	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1368	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1368	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 4444	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 4444	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 2100	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 2100	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 3352	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 3352	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1504	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 1504	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 2724	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 2724	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 2076	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 2076	1672	DllCommonsvc.exe	powershell.exe
PID 1672 wrote to memory of 4308	1672	DllCommonsvc.exe	System.exe
PID 1672 wrote to memory of 4308	1672	DllCommonsvc.exe	System.exe
PID 4308 wrote to memory of 4360	4308	System.exe	cmd.exe
PID 4308 wrote to memory of 4360	4308	System.exe	cmd.exe
PID 4360 wrote to memory of 3100	4360	cmd.exe	w32tm.exe
PID 4360 wrote to memory of 3100	4360	cmd.exe	w32tm.exe
PID 4360 wrote to memory of 5068	4360	cmd.exe	System.exe
PID 4360 wrote to memory of 5068	4360	cmd.exe	System.exe
PID 5068 wrote to memory of 1092	5068	System.exe	cmd.exe
PID 5068 wrote to memory of 1092	5068	System.exe	cmd.exe
PID 1092 wrote to memory of 5028	1092	cmd.exe	w32tm.exe
PID 1092 wrote to memory of 5028	1092	cmd.exe	w32tm.exe
PID 1092 wrote to memory of 68	1092	cmd.exe	System.exe
PID 1092 wrote to memory of 68	1092	cmd.exe	System.exe
PID 68 wrote to memory of 5012	68	System.exe	cmd.exe
PID 68 wrote to memory of 5012	68	System.exe	cmd.exe
PID 5012 wrote to memory of 4936	5012	cmd.exe	w32tm.exe
PID 5012 wrote to memory of 4936	5012	cmd.exe	w32tm.exe
PID 5012 wrote to memory of 1548	5012	cmd.exe	System.exe
PID 5012 wrote to memory of 1548	5012	cmd.exe	System.exe
PID 1548 wrote to memory of 1728	1548	System.exe	cmd.exe
PID 1548 wrote to memory of 1728	1548	System.exe	cmd.exe
PID 1728 wrote to memory of 1480	1728	cmd.exe	w32tm.exe
PID 1728 wrote to memory of 1480	1728	cmd.exe	w32tm.exe
PID 1728 wrote to memory of 1060	1728	cmd.exe	System.exe
PID 1728 wrote to memory of 1060	1728	cmd.exe	System.exe
PID 1060 wrote to memory of 2900	1060	System.exe	cmd.exe
PID 1060 wrote to memory of 2900	1060	System.exe	cmd.exe
PID 2900 wrote to memory of 1864	2900	cmd.exe	w32tm.exe
PID 2900 wrote to memory of 1864	2900	cmd.exe	w32tm.exe
PID 2900 wrote to memory of 972	2900	cmd.exe	System.exe
PID 2900 wrote to memory of 972	2900	cmd.exe	System.exe
PID 972 wrote to memory of 2968	972	System.exe	cmd.exe
PID 972 wrote to memory of 2968	972	System.exe	cmd.exe
PID 2968 wrote to memory of 4912	2968	cmd.exe	w32tm.exe
PID 2968 wrote to memory of 4912	2968	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe
"C:\Users\Admin\AppData\Local\Temp\a61c8f0fb3d3a4a044e9f3d759f3e71f166c99014e4982b2963965a629541f81.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\msadc\ja-JP\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\0409\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:5028

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:4936

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:1480

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:1864

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:4912

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
18⤵
PID:4064

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1572

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
20⤵
PID:232

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:3768

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
22⤵
PID:4860

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:1188

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
24⤵
PID:4440

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:380

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\msadc\ja-JP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\msadc\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\0409\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\0409\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\0409\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat
Filesize
197B

MD5
a2d95f14a78e4f2653b34d22cb472c6d

SHA1
02bb940c1c613fc3a2dcdf25108204085f765101

SHA256
eaa8362c514318d62f89b6604c5ea43ed3006dfc0ec827cd6e443c3c64902882

SHA512
227ad96e9023a83e4d13fd2041e549d277ae3e64b35fa18d7581977d63fa2fb4d0b30f2127caee7a86a73f878ea2d08e18b2f5cb1a74aa7ca9bed958f768125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat
Filesize
197B

MD5
3390d51a8a19a2ee65616245b10a0572

SHA1
970b447b1d95953a8230f1b4a69feeb92e6da829

SHA256
1c4326136b54d4c14ec3407af08b345f42a39bf67d87d3da05bb55e1b9d443cb

SHA512
f7a03e57b3353539980f13568555f3261badf56f202b580ea2603add65cce76827e835300aa5948fabec1c9558f95600175aedef07a9ed1a9fa95b366ddd863d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat
Filesize
197B

MD5
14cfa8f3aff1a2b1867f7be6059db66e

SHA1
f81407af66e29ae28759e3fdcb39855c68fd0890

SHA256
399522773be9022ac4e5ba09bcd92ed79275b4602e66db3b643f93328968ea96

SHA512
4dc824f37fe6860f612128da68b6fd8d8403cdbf1541feeaf942851dbd6d86d84774601220314812247d0aca62aa784a692099f6d27679f87a08123c9d113f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat
Filesize
197B

MD5
dd85af06dabbec09573ec38871905651

SHA1
9bd1c409be646bc12ff3540fca4ca9ee6b7e2359

SHA256
ab89a3a33ef62684f210362cafb8f98b5072688e08c2ef08c00c3ec57b750ddd

SHA512
9d67b72d5d17834797cc35d6da4f76bf500d05488586a9a2e9dc8f8ce337c0bd0f8bb9d1893d3679deb5b5b3a90a1329a302371ee9694158cf2fa6362e7a4614

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat
Filesize
197B

MD5
1dd0765084159bd7d01e6e75e4c335f0

SHA1
71006a9eb2dc71fa955876f13251af0e441bb5e1

SHA256
cab7d63042c88cfce2c43d2960a6723388fc1e919002ed35aaae359d5918de5b

SHA512
61b1426d46909a825382be950e19614883f05ceb80109ce37458527216721fb94a2239cd968c016c7d40b014ac5d468e519d5c752c54d5ae487602cc89a8a556

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat
Filesize
197B

MD5
5c761f980a0d4a0ab27aafb42595d4f4

SHA1
f6bdff66e54aadd9d05ea8c695abae3c9d49123d

SHA256
9328ecfbfea84a119fa1541e6666a474bf53554c0a76a67aac6a5a8afca22f08

SHA512
e248d0f4f2cbb811db2dc05dc1a3f66ef5459ab2f66e667cdd3d526913b52e0785ac04535b81b0a8e8b9ba7f57424c1cde96d6ae7b9dd268e341609abf3843a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat
Filesize
197B

MD5
b27af27e817c8c69056cfe868d1b4607

SHA1
5b81c9d1205565bca5a8f3a770aff729ad07411e

SHA256
7344f7e4374fde43da18581704e1c42686aa5b6b060b7cff48406e3c1f2332de

SHA512
efdfa293af5c396b35a3229e5e4db920660f379e2828bb14b5a346125052198c90e0a9919b467a1aca8eea67029f721f2f1359d08c63282e8646ac99cbdd9dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat
Filesize
197B

MD5
14440c61d7f9085225d57a6f5c5cc71b

SHA1
c3ddac69c5fa01ee92c08e375fe11780677876bf

SHA256
07e477325a99e267352eebcbea3217c96065304289c0e6bdb3f94a519a8e0ac4

SHA512
08bf7dd5dedaac134233ad03a20854c5c1016370dbc7de8a43f64b7cb87ed6b9079eb0a74a9fd230a51188f8afac20038fa7fe75c51ac57c6cd47da7bfba9d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat
Filesize
197B

MD5
36e90a2c9372fb4df91e223ad46d9d65

SHA1
fd771dd5e432ff9b377ac0ddc1165db88c977c05

SHA256
ef6edc903caa1691d01ed8f0221067fa59b92547e0b1b38ebe7ca473081364e6

SHA512
e41690e62118c94f5460bd7afdb377393ca404e0efe3d9436e19b966386125576987b943e6839482f623a1e1d11de7939ff3b693930dd33c2eef20df5760cadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat
Filesize
197B

MD5
7fa8dffb00087a3e1dbcc7c104c8684f

SHA1
cb0a01244bd770b8aaf39711e1de49629d566f94

SHA256
e5f6a6077fea6bfc2db4c249bd9e1d4d5e7f1facf5ee230ab0581f6e6682293a

SHA512
4772583f19a0abc82a2835fc6b27bd2746121e4449e0cd7305ac57d94986b82a4f7ff2ae1ca966514fb27e87aa50aaebb26918661bd01484c3b62b8b8199a6db

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/68-199-0x0000000000000000-mapping.dmp

Download
memory/68-205-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/68-201-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/232-237-0x0000000000000000-mapping.dmp

Download
memory/380-253-0x0000000000000000-mapping.dmp

Download
memory/972-220-0x0000000000000000-mapping.dmp

Download
memory/972-222-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/972-226-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-219-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-215-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-213-0x0000000000000000-mapping.dmp

Download
memory/1092-195-0x0000000000000000-mapping.dmp

Download
memory/1188-246-0x0000000000000000-mapping.dmp

Download
memory/1256-153-0x0000026DB3290000-0x0000026DB32B2000-memory.dmp

Filesize
136KB

Download
memory/1256-142-0x0000000000000000-mapping.dmp

Download
memory/1256-167-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1256-150-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1368-152-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1368-144-0x0000000000000000-mapping.dmp

Download
memory/1368-179-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1480-211-0x0000000000000000-mapping.dmp

Download
memory/1504-148-0x0000000000000000-mapping.dmp

Download
memory/1504-183-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1504-163-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-208-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-206-0x0000000000000000-mapping.dmp

Download
memory/1548-212-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-232-0x0000000000000000-mapping.dmp

Download
memory/1608-143-0x0000000000000000-mapping.dmp

Download
memory/1608-177-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-157-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-159-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-136-0x0000000000000000-mapping.dmp

Download
memory/1672-140-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-139-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/1728-209-0x0000000000000000-mapping.dmp

Download
memory/1744-234-0x0000000000000000-mapping.dmp

Download
memory/1744-236-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1744-240-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1864-218-0x0000000000000000-mapping.dmp

Download
memory/2076-166-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-151-0x0000000000000000-mapping.dmp

Download
memory/2076-184-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-160-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-186-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-146-0x0000000000000000-mapping.dmp

Download
memory/2268-132-0x0000000000000000-mapping.dmp

Download
memory/2724-164-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2724-178-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2724-149-0x0000000000000000-mapping.dmp

Download
memory/2884-227-0x0000000000000000-mapping.dmp

Download
memory/2884-233-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-229-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-216-0x0000000000000000-mapping.dmp

Download
memory/2968-223-0x0000000000000000-mapping.dmp

Download
memory/3100-189-0x0000000000000000-mapping.dmp

Download
memory/3352-147-0x0000000000000000-mapping.dmp

Download
memory/3352-181-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-161-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/3768-239-0x0000000000000000-mapping.dmp

Download
memory/4064-230-0x0000000000000000-mapping.dmp

Download
memory/4268-171-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-141-0x0000000000000000-mapping.dmp

Download
memory/4268-162-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-154-0x0000000000000000-mapping.dmp

Download
memory/4308-165-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-190-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-187-0x0000000000000000-mapping.dmp

Download
memory/4396-250-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-248-0x0000000000000000-mapping.dmp

Download
memory/4396-254-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-251-0x0000000000000000-mapping.dmp

Download
memory/4444-158-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4444-173-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4444-145-0x0000000000000000-mapping.dmp

Download
memory/4580-135-0x0000000000000000-mapping.dmp

Download
memory/4648-257-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-255-0x0000000000000000-mapping.dmp

Download
memory/4860-244-0x0000000000000000-mapping.dmp

Download
memory/4912-225-0x0000000000000000-mapping.dmp

Download
memory/4936-204-0x0000000000000000-mapping.dmp

Download
memory/5012-202-0x0000000000000000-mapping.dmp

Download
memory/5028-197-0x0000000000000000-mapping.dmp

Download
memory/5068-198-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-194-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-191-0x0000000000000000-mapping.dmp

Download
memory/5116-241-0x0000000000000000-mapping.dmp

Download
memory/5116-247-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-243-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

Filesize
10.8MB

Download