dcrat | 4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe
Size

1.3MB
MD5

fc021897699a09d266926d5c54840a5b
SHA1

07c7b0956cd4d205346710bb728e5e53f31e5a80
SHA256

4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd
SHA512

e59fd6efeb8bc2d2816afecb19f468cff79dda665aac25a89c4bbbb7ad28a2112019f6018879f2b7d378c841582a1a907c2504148b88192818129e0259a64046
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	1304	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1304	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4544-139-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat
C:\Windows\ja-JP\fontdrvhost.exe	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exeWScript.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
4544	DllCommonsvc.exe
3968	fontdrvhost.exe
4436	fontdrvhost.exe
2332	fontdrvhost.exe
2912	fontdrvhost.exe
4288	fontdrvhost.exe
1640	fontdrvhost.exe
4284	fontdrvhost.exe
2588	fontdrvhost.exe
4016	fontdrvhost.exe
1260	fontdrvhost.exe
5112	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\TAPI\wuapihost.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\8df8b199a15f03	DllCommonsvc.exe
File created	C:\Windows\ja-JP\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4516	schtasks.exe
4956	schtasks.exe
4016	schtasks.exe
100	schtasks.exe
208	schtasks.exe
3080	schtasks.exe
1432	schtasks.exe
2296	schtasks.exe
3760	schtasks.exe
4216	schtasks.exe
1384	schtasks.exe
3892	schtasks.exe
4252	schtasks.exe
1448	schtasks.exe
4972	schtasks.exe
3512	schtasks.exe
4264	schtasks.exe
5092	schtasks.exe
4584	schtasks.exe
3364	schtasks.exe
4888	schtasks.exe
3724	schtasks.exe
1828	schtasks.exe
2156	schtasks.exe
4120	schtasks.exe
2372	schtasks.exe
4436	schtasks.exe

Modifies registry class 12 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
4544	DllCommonsvc.exe
1772	powershell.exe
1772	powershell.exe
1804	powershell.exe
1804	powershell.exe
4452	powershell.exe
4452	powershell.exe
4364	powershell.exe
852	powershell.exe
4364	powershell.exe
852	powershell.exe
1644	powershell.exe
1644	powershell.exe
3108	powershell.exe
3108	powershell.exe
3428	powershell.exe
3428	powershell.exe
3636	powershell.exe
3636	powershell.exe
444	powershell.exe
444	powershell.exe
3968	fontdrvhost.exe
3968	fontdrvhost.exe
1772	powershell.exe
4452	powershell.exe
1804	powershell.exe
4364	powershell.exe
852	powershell.exe
1644	powershell.exe
3428	powershell.exe
3636	powershell.exe
3108	powershell.exe
444	powershell.exe
4436	fontdrvhost.exe
2332	fontdrvhost.exe
2912	fontdrvhost.exe
4288	fontdrvhost.exe
1640	fontdrvhost.exe
4284	fontdrvhost.exe
2588	fontdrvhost.exe
4016	fontdrvhost.exe
1260	fontdrvhost.exe
5112	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4544	DllCommonsvc.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	3968	fontdrvhost.exe
Token: SeDebugPrivilege	4436	fontdrvhost.exe
Token: SeDebugPrivilege	2332	fontdrvhost.exe
Token: SeDebugPrivilege	2912	fontdrvhost.exe
Token: SeDebugPrivilege	4288	fontdrvhost.exe
Token: SeDebugPrivilege	1640	fontdrvhost.exe
Token: SeDebugPrivilege	4284	fontdrvhost.exe
Token: SeDebugPrivilege	2588	fontdrvhost.exe
Token: SeDebugPrivilege	4016	fontdrvhost.exe
Token: SeDebugPrivilege	1260	fontdrvhost.exe
Token: SeDebugPrivilege	5112	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exeWScript.execmd.exeDllCommonsvc.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exe

description	pid	process	target process
PID 2688 wrote to memory of 1960	2688	4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe	WScript.exe
PID 2688 wrote to memory of 1960	2688	4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe	WScript.exe
PID 2688 wrote to memory of 1960	2688	4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe	WScript.exe
PID 1960 wrote to memory of 4196	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 4196	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 4196	1960	WScript.exe	cmd.exe
PID 4196 wrote to memory of 4544	4196	cmd.exe	DllCommonsvc.exe
PID 4196 wrote to memory of 4544	4196	cmd.exe	DllCommonsvc.exe
PID 4544 wrote to memory of 3636	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 3636	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 4452	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 4452	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 1772	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 1772	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 1804	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 1804	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 852	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 852	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 4364	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 4364	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 1644	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 1644	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 3428	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 3428	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 3108	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 3108	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 444	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 444	4544	DllCommonsvc.exe	powershell.exe
PID 4544 wrote to memory of 3968	4544	DllCommonsvc.exe	fontdrvhost.exe
PID 4544 wrote to memory of 3968	4544	DllCommonsvc.exe	fontdrvhost.exe
PID 3968 wrote to memory of 3672	3968	fontdrvhost.exe	cmd.exe
PID 3968 wrote to memory of 3672	3968	fontdrvhost.exe	cmd.exe
PID 3672 wrote to memory of 3648	3672	cmd.exe	w32tm.exe
PID 3672 wrote to memory of 3648	3672	cmd.exe	w32tm.exe
PID 3672 wrote to memory of 4436	3672	cmd.exe	fontdrvhost.exe
PID 3672 wrote to memory of 4436	3672	cmd.exe	fontdrvhost.exe
PID 4436 wrote to memory of 4488	4436	fontdrvhost.exe	cmd.exe
PID 4436 wrote to memory of 4488	4436	fontdrvhost.exe	cmd.exe
PID 4488 wrote to memory of 5004	4488	cmd.exe	w32tm.exe
PID 4488 wrote to memory of 5004	4488	cmd.exe	w32tm.exe
PID 4488 wrote to memory of 2332	4488	cmd.exe	fontdrvhost.exe
PID 4488 wrote to memory of 2332	4488	cmd.exe	fontdrvhost.exe
PID 2332 wrote to memory of 4456	2332	fontdrvhost.exe	cmd.exe
PID 2332 wrote to memory of 4456	2332	fontdrvhost.exe	cmd.exe
PID 4456 wrote to memory of 1224	4456	cmd.exe	w32tm.exe
PID 4456 wrote to memory of 1224	4456	cmd.exe	w32tm.exe
PID 4456 wrote to memory of 2912	4456	cmd.exe	fontdrvhost.exe
PID 4456 wrote to memory of 2912	4456	cmd.exe	fontdrvhost.exe
PID 2912 wrote to memory of 2460	2912	fontdrvhost.exe	cmd.exe
PID 2912 wrote to memory of 2460	2912	fontdrvhost.exe	cmd.exe
PID 2460 wrote to memory of 3948	2460	cmd.exe	w32tm.exe
PID 2460 wrote to memory of 3948	2460	cmd.exe	w32tm.exe
PID 2460 wrote to memory of 4288	2460	cmd.exe	fontdrvhost.exe
PID 2460 wrote to memory of 4288	2460	cmd.exe	fontdrvhost.exe
PID 4288 wrote to memory of 632	4288	fontdrvhost.exe	cmd.exe
PID 4288 wrote to memory of 632	4288	fontdrvhost.exe	cmd.exe
PID 632 wrote to memory of 4784	632	cmd.exe	w32tm.exe
PID 632 wrote to memory of 4784	632	cmd.exe	w32tm.exe
PID 632 wrote to memory of 1640	632	cmd.exe	fontdrvhost.exe
PID 632 wrote to memory of 1640	632	cmd.exe	fontdrvhost.exe
PID 1640 wrote to memory of 1416	1640	fontdrvhost.exe	cmd.exe
PID 1640 wrote to memory of 1416	1640	fontdrvhost.exe	cmd.exe
PID 1416 wrote to memory of 3964	1416	cmd.exe	w32tm.exe
PID 1416 wrote to memory of 3964	1416	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe
"C:\Users\Admin\AppData\Local\Temp\4220c2e366f7e69ee3f195b6b51b350bf6f7ae3184a40cf5b445741942f73acd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\WmiPrvSE.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\wuapihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3648

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:5004

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:1224

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:3948

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:4784

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:3964

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
18⤵
PID:1456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:2312

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
20⤵
PID:3696

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:4464

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
22⤵
PID:4696

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2284

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
24⤵
PID:4896

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4836

C:\Windows\ja-JP\fontdrvhost.exe
"C:\Windows\ja-JP\fontdrvhost.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
26⤵
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuapihostw" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\wuapihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuapihost" /sc ONLOGON /tr "'C:\Windows\TAPI\wuapihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuapihostw" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\wuapihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat
Filesize
197B

MD5
a7542ce81526ae03943f52a2480ace06

SHA1
bc745df1beb68a2a2c18b808d86c49cabe0d46c7

SHA256
0df5d3a4ce69aeadb17b73893f13feeb33b59bc5dcb6072b192f4f5c65280d2f

SHA512
2ed46dba8021b994b344c5ecc522b9a0bbe6464941c401e20731733794c93b5f88bc4001107a16b97a183376987c3350f9a363d457d0317eedd46df0d3c94bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat
Filesize
197B

MD5
cf369e50f704de1365908d2ec6993596

SHA1
ba64f0b070c44ab3fac98eb6be7f510dde43d39d

SHA256
8986b4ca9ad52979f126c27d6f2fce6b805ece5b6886b0cb4abe06d7d8c8e0a6

SHA512
51576300be99222bb00e6b7c28372a82c5f4978b3b4914a77b09589a7b26bbe3d6af82d7d496e7d4df5cdaf89d61be85041d802e5291511471815d7c861cfc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat
Filesize
197B

MD5
0d12e70b51b0acf2b73e213a0fb3c20c

SHA1
5151b53d1c8a64e2bab6327782f1a27e3247e342

SHA256
6034a462a78c7e207788cd4e07ac20e3b3520ca6ca82396d44a37819216f0e77

SHA512
344b6f16b83c3ac4c627e40b4b287d249f95e905fdcc04de896ca9d848a822b5be50f2dc62ede9f2cc6369bcf36a88b803aa099d53049ab82e06db4ae29a4051

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat
Filesize
197B

MD5
2793354f42dd80bd067540d380bdb062

SHA1
1b1de9292db89925978ed98875dad2a429fce99b

SHA256
cacb07fd374fbb60d0a5e58bf1d1f3a58dc3a4a117b2e9ea71478ef3d44795c1

SHA512
7d8f9d3b15f264b2991bc33ea961e84671336db7c33b3049ac6324b01bde5866dbb5dc4a5c10293790774790f8eff12b6972b998f6b796d7188ea7072e5602da

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat
Filesize
197B

MD5
2793354f42dd80bd067540d380bdb062

SHA1
1b1de9292db89925978ed98875dad2a429fce99b

SHA256
cacb07fd374fbb60d0a5e58bf1d1f3a58dc3a4a117b2e9ea71478ef3d44795c1

SHA512
7d8f9d3b15f264b2991bc33ea961e84671336db7c33b3049ac6324b01bde5866dbb5dc4a5c10293790774790f8eff12b6972b998f6b796d7188ea7072e5602da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat
Filesize
197B

MD5
6dd479f8506c14646c0b566ed5ef223d

SHA1
dba08072c0ce14937ad5e92de819712d5e517075

SHA256
55c369c0d900a5f8255f7d705b8b9137cc523ea00469097979a8202559a3c90a

SHA512
c3960423043cac60408c28c91a2032046c6b54155b7ab5381474a4c9740b7be7f490b903050a728dc14af30bd5ff8e77d22661551b31be8b90ed6b4807c0e527

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat
Filesize
197B

MD5
ed7d63782aa94ababb7e25a8089a5343

SHA1
dd02a624fd128249f430fd256ffe714a3371acbd

SHA256
5f4aba5283d85ac24ea04204c660e0328f531fab4974fef578be51e7f9e93a9c

SHA512
a54f66277c0e438b70bc3621e8f9b7ca4ccc996faeb73794b6ebb45ca4837c4e8505edecf0fae9ccb5ac6611fba6de498dce503a52dc43ee2feaa3336abc9bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat
Filesize
197B

MD5
62f638a595f8b2d3d323690f163999a9

SHA1
e561802e6dfa022a9f6108dd51fb0c8eb86eed7e

SHA256
986cd5855b8432af120299bb3b05ac247b8fb025f29508a3994deae47db8b2cb

SHA512
0af99606a45cb36afc799e450a9d585651fa204058165bf7b33488e466e12452ef05193b84710b84407e0f2e3be1fff60ca5b95dc855bc552adffc5184fc8e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat
Filesize
197B

MD5
a3ce3dc1fdee7f41aeae8bdc58e2713e

SHA1
45a5a7fd0063e7b9d898ff928bb1c135f36ed74b

SHA256
1003d8c3db5a022b796d37835ec9d60839e96878497e27557b30aeeabce1cc4b

SHA512
9c5dff5fa91b0da05e4c38a8676d0ba3e6a05d383f40644ba8a14e4cb97760c99a0d56dacbeb491ce20b375d4085da0f4a44a26468c17fda2d397a57de840724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat
Filesize
197B

MD5
5d27201722a18ed4c2aba8e97ff282a2

SHA1
2d33fed43b9de93695a8f9f872e6af5ccbeface6

SHA256
362911241aaaf890fb3e8d9078f3b7e535ab413ceb24fefee9a01913d95c8f9a

SHA512
c04e44718021914e6c196f9ece6bbbeb459e7acf47ef9c901782547bcb7899a86e0a38e147bae057886130b68587dc2f74f4e16d350def61ad29ae1860a9bdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat
Filesize
197B

MD5
a88045e6f6c78ef2777ca804b38ef7c0

SHA1
78865cbeb17a3b96364541f32d154384fc071f2a

SHA256
77570e896242a1e3d5145fe243a95aa2d9164e105addaeb7260e9b09c4d1aaf5

SHA512
2e58d11c3801351934aa0fbc12c3ea3a336b018100fad247f44323746d31112617c2bbc5f7f4a8afe0bc8a5eefbcfb85e7d72ef19e1651bbe5c7862a1370ff4b

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\ja-JP\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/444-166-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/444-150-0x0000000000000000-mapping.dmp

Download
memory/444-186-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/632-216-0x0000000000000000-mapping.dmp

Download
memory/852-158-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/852-175-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/852-145-0x0000000000000000-mapping.dmp

Download
memory/1224-204-0x0000000000000000-mapping.dmp

Download
memory/1260-248-0x0000000000000000-mapping.dmp

Download
memory/1260-250-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/1260-254-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/1416-223-0x0000000000000000-mapping.dmp

Download
memory/1448-258-0x0000000000000000-mapping.dmp

Download
memory/1456-230-0x0000000000000000-mapping.dmp

Download
memory/1640-222-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/1640-220-0x0000000000000000-mapping.dmp

Download
memory/1640-226-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/1644-147-0x0000000000000000-mapping.dmp

Download
memory/1644-178-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1644-162-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1772-167-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1772-143-0x0000000000000000-mapping.dmp

Download
memory/1772-157-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1804-152-0x00000274A7720000-0x00000274A7742000-memory.dmp

Filesize
136KB

Download
memory/1804-144-0x0000000000000000-mapping.dmp

Download
memory/1804-159-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1804-176-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/1960-132-0x0000000000000000-mapping.dmp

Download
memory/2284-246-0x0000000000000000-mapping.dmp

Download
memory/2312-232-0x0000000000000000-mapping.dmp

Download
memory/2332-205-0x00007FFF25470000-0x00007FFF25F31000-memory.dmp

Filesize
10.8MB

Download
memory/2332-199-0x0000000000000000-mapping.dmp

Download
memory/2332-201-0x00007FFF25470000-0x00007FFF25F31000-memory.dmp

Filesize
10.8MB

Download
memory/2460-209-0x0000000000000000-mapping.dmp

Download
memory/2588-240-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/2588-234-0x0000000000000000-mapping.dmp

Download
memory/2588-236-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/2912-206-0x0000000000000000-mapping.dmp

Download
memory/2912-208-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/2912-212-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/3108-164-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3108-149-0x0000000000000000-mapping.dmp

Download
memory/3108-184-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3428-185-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3428-160-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3428-148-0x0000000000000000-mapping.dmp

Download
memory/3636-141-0x0000000000000000-mapping.dmp

Download
memory/3636-163-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3636-183-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3648-189-0x0000000000000000-mapping.dmp

Download
memory/3672-187-0x0000000000000000-mapping.dmp

Download
memory/3696-237-0x0000000000000000-mapping.dmp

Download
memory/3948-211-0x0000000000000000-mapping.dmp

Download
memory/3964-225-0x0000000000000000-mapping.dmp

Download
memory/3968-151-0x0000000000000000-mapping.dmp

Download
memory/3968-165-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/3968-190-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4016-243-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/4016-247-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/4016-241-0x0000000000000000-mapping.dmp

Download
memory/4196-135-0x0000000000000000-mapping.dmp

Download
memory/4284-227-0x0000000000000000-mapping.dmp

Download
memory/4284-233-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/4284-229-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/4288-219-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/4288-215-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/4288-213-0x0000000000000000-mapping.dmp

Download
memory/4364-177-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4364-146-0x0000000000000000-mapping.dmp

Download
memory/4364-161-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4436-194-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-191-0x0000000000000000-mapping.dmp

Download
memory/4436-198-0x00007FFF25710000-0x00007FFF261D1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-142-0x0000000000000000-mapping.dmp

Download
memory/4452-156-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4452-173-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4456-202-0x0000000000000000-mapping.dmp

Download
memory/4464-239-0x0000000000000000-mapping.dmp

Download
memory/4488-195-0x0000000000000000-mapping.dmp

Download
memory/4544-140-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4544-155-0x00007FFF25660000-0x00007FFF26121000-memory.dmp

Filesize
10.8MB

Download
memory/4544-136-0x0000000000000000-mapping.dmp

Download
memory/4544-139-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/4696-244-0x0000000000000000-mapping.dmp

Download
memory/4784-218-0x0000000000000000-mapping.dmp

Download
memory/4836-253-0x0000000000000000-mapping.dmp

Download
memory/4896-251-0x0000000000000000-mapping.dmp

Download
memory/5004-197-0x0000000000000000-mapping.dmp

Download
memory/5112-257-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/5112-255-0x0000000000000000-mapping.dmp

Download
memory/5112-259-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download
memory/5112-260-0x00007FFF24A50000-0x00007FFF25511000-memory.dmp

Filesize
10.8MB

Download