dcrat | c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02/02/2023, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe
Size

1.3MB
MD5

c4438027b2b634566037e2b5daa1572c
SHA1

b499cce43dfbccfdf861384d9218fd9a8a4f4397
SHA256

c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a
SHA512

96e4bb54b34622b309925164b48b9d3e92c9141c52199928bbb3b9d12526feb4c96e92caeb0de5157b1b3726b267f4bf4ff93e737b5eacabad8f85aab159f768
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2232	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2232	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac10-284.dat	dcrat
behavioral1/files/0x000800000001ac10-285.dat	dcrat
behavioral1/memory/2112-286-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac2d-328.dat	dcrat
behavioral1/files/0x000800000001ac2d-329.dat	dcrat
behavioral1/files/0x000800000001ac2d-650.dat	dcrat
behavioral1/files/0x000800000001ac2d-656.dat	dcrat
behavioral1/files/0x000800000001ac2d-661.dat	dcrat
behavioral1/files/0x000800000001ac2d-666.dat	dcrat
behavioral1/files/0x000800000001ac2d-671.dat	dcrat
behavioral1/files/0x000800000001ac2d-677.dat	dcrat
behavioral1/files/0x000800000001ac2d-682.dat	dcrat
behavioral1/files/0x000800000001ac2d-687.dat	dcrat
behavioral1/files/0x000800000001ac2d-692.dat	dcrat
behavioral1/files/0x000800000001ac2d-697.dat	dcrat
behavioral1/files/0x000800000001ac2d-702.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2112	DllCommonsvc.exe
4848	fontdrvhost.exe
3736	fontdrvhost.exe
4304	fontdrvhost.exe
3756	fontdrvhost.exe
4936	fontdrvhost.exe
1780	fontdrvhost.exe
2620	fontdrvhost.exe
1540	fontdrvhost.exe
676	fontdrvhost.exe
2112	fontdrvhost.exe
2004	fontdrvhost.exe
3684	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4672	schtasks.exe
4424	schtasks.exe
4796	schtasks.exe
664	schtasks.exe
3244	schtasks.exe
4820	schtasks.exe
1340	schtasks.exe
4736	schtasks.exe
4432	schtasks.exe
3796	schtasks.exe
4460	schtasks.exe
668	schtasks.exe
4660	schtasks.exe
4440	schtasks.exe
1316	schtasks.exe
1068	schtasks.exe
612	schtasks.exe
3124	schtasks.exe
3664	schtasks.exe
452	schtasks.exe
4680	schtasks.exe
4784	schtasks.exe
4816	schtasks.exe
1800	schtasks.exe
1440	schtasks.exe
4616	schtasks.exe
1948	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2112	DllCommonsvc.exe
2112	DllCommonsvc.exe
2112	DllCommonsvc.exe
1256	powershell.exe
1312	powershell.exe
4188	powershell.exe
1256	powershell.exe
1112	powershell.exe
1516	powershell.exe
1920	powershell.exe
204	powershell.exe
1888	powershell.exe
5008	powershell.exe
2776	powershell.exe
1256	powershell.exe
4848	fontdrvhost.exe
204	powershell.exe
1312	powershell.exe
1920	powershell.exe
1112	powershell.exe
5008	powershell.exe
4188	powershell.exe
1516	powershell.exe
2776	powershell.exe
1888	powershell.exe
204	powershell.exe
204	powershell.exe
5008	powershell.exe
5008	powershell.exe
1112	powershell.exe
1112	powershell.exe
1312	powershell.exe
1312	powershell.exe
1920	powershell.exe
1920	powershell.exe
4188	powershell.exe
4188	powershell.exe
1516	powershell.exe
1516	powershell.exe
2776	powershell.exe
2776	powershell.exe
1888	powershell.exe
1888	powershell.exe
3736	fontdrvhost.exe
4304	fontdrvhost.exe
3756	fontdrvhost.exe
4936	fontdrvhost.exe
1780	fontdrvhost.exe
2620	fontdrvhost.exe
1540	fontdrvhost.exe
676	fontdrvhost.exe
2112	fontdrvhost.exe
2004	fontdrvhost.exe
3684	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	DllCommonsvc.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	4848	fontdrvhost.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	1256	powershell.exe
Token: SeSecurityPrivilege	1256	powershell.exe
Token: SeTakeOwnershipPrivilege	1256	powershell.exe
Token: SeLoadDriverPrivilege	1256	powershell.exe
Token: SeSystemProfilePrivilege	1256	powershell.exe
Token: SeSystemtimePrivilege	1256	powershell.exe
Token: SeProfSingleProcessPrivilege	1256	powershell.exe
Token: SeIncBasePriorityPrivilege	1256	powershell.exe
Token: SeCreatePagefilePrivilege	1256	powershell.exe
Token: SeBackupPrivilege	1256	powershell.exe
Token: SeRestorePrivilege	1256	powershell.exe
Token: SeShutdownPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeSystemEnvironmentPrivilege	1256	powershell.exe
Token: SeRemoteShutdownPrivilege	1256	powershell.exe
Token: SeUndockPrivilege	1256	powershell.exe
Token: SeManageVolumePrivilege	1256	powershell.exe
Token: 33	1256	powershell.exe
Token: 34	1256	powershell.exe
Token: 35	1256	powershell.exe
Token: 36	1256	powershell.exe
Token: SeIncreaseQuotaPrivilege	204	powershell.exe
Token: SeSecurityPrivilege	204	powershell.exe
Token: SeTakeOwnershipPrivilege	204	powershell.exe
Token: SeLoadDriverPrivilege	204	powershell.exe
Token: SeSystemProfilePrivilege	204	powershell.exe
Token: SeSystemtimePrivilege	204	powershell.exe
Token: SeProfSingleProcessPrivilege	204	powershell.exe
Token: SeIncBasePriorityPrivilege	204	powershell.exe
Token: SeCreatePagefilePrivilege	204	powershell.exe
Token: SeBackupPrivilege	204	powershell.exe
Token: SeRestorePrivilege	204	powershell.exe
Token: SeShutdownPrivilege	204	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeSystemEnvironmentPrivilege	204	powershell.exe
Token: SeRemoteShutdownPrivilege	204	powershell.exe
Token: SeUndockPrivilege	204	powershell.exe
Token: SeManageVolumePrivilege	204	powershell.exe
Token: 33	204	powershell.exe
Token: 34	204	powershell.exe
Token: 35	204	powershell.exe
Token: 36	204	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3336	1532	c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe	66
PID 1532 wrote to memory of 3336	1532	c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe	66
PID 1532 wrote to memory of 3336	1532	c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe	66
PID 3336 wrote to memory of 4300	3336	WScript.exe	67
PID 3336 wrote to memory of 4300	3336	WScript.exe	67
PID 3336 wrote to memory of 4300	3336	WScript.exe	67
PID 4300 wrote to memory of 2112	4300	cmd.exe	69
PID 4300 wrote to memory of 2112	4300	cmd.exe	69
PID 2112 wrote to memory of 1312	2112	DllCommonsvc.exe	98
PID 2112 wrote to memory of 1312	2112	DllCommonsvc.exe	98
PID 2112 wrote to memory of 1256	2112	DllCommonsvc.exe	100
PID 2112 wrote to memory of 1256	2112	DllCommonsvc.exe	100
PID 2112 wrote to memory of 1112	2112	DllCommonsvc.exe	112
PID 2112 wrote to memory of 1112	2112	DllCommonsvc.exe	112
PID 2112 wrote to memory of 1920	2112	DllCommonsvc.exe	102
PID 2112 wrote to memory of 1920	2112	DllCommonsvc.exe	102
PID 2112 wrote to memory of 5008	2112	DllCommonsvc.exe	103
PID 2112 wrote to memory of 5008	2112	DllCommonsvc.exe	103
PID 2112 wrote to memory of 4188	2112	DllCommonsvc.exe	109
PID 2112 wrote to memory of 4188	2112	DllCommonsvc.exe	109
PID 2112 wrote to memory of 1516	2112	DllCommonsvc.exe	104
PID 2112 wrote to memory of 1516	2112	DllCommonsvc.exe	104
PID 2112 wrote to memory of 204	2112	DllCommonsvc.exe	105
PID 2112 wrote to memory of 204	2112	DllCommonsvc.exe	105
PID 2112 wrote to memory of 2776	2112	DllCommonsvc.exe	113
PID 2112 wrote to memory of 2776	2112	DllCommonsvc.exe	113
PID 2112 wrote to memory of 1888	2112	DllCommonsvc.exe	114
PID 2112 wrote to memory of 1888	2112	DllCommonsvc.exe	114
PID 2112 wrote to memory of 4848	2112	DllCommonsvc.exe	118
PID 2112 wrote to memory of 4848	2112	DllCommonsvc.exe	118
PID 4848 wrote to memory of 3704	4848	fontdrvhost.exe	120
PID 4848 wrote to memory of 3704	4848	fontdrvhost.exe	120
PID 3704 wrote to memory of 1352	3704	cmd.exe	122
PID 3704 wrote to memory of 1352	3704	cmd.exe	122
PID 3704 wrote to memory of 3736	3704	cmd.exe	123
PID 3704 wrote to memory of 3736	3704	cmd.exe	123
PID 3736 wrote to memory of 1564	3736	fontdrvhost.exe	124
PID 3736 wrote to memory of 1564	3736	fontdrvhost.exe	124
PID 1564 wrote to memory of 3732	1564	cmd.exe	126
PID 1564 wrote to memory of 3732	1564	cmd.exe	126
PID 1564 wrote to memory of 4304	1564	cmd.exe	127
PID 1564 wrote to memory of 4304	1564	cmd.exe	127
PID 4304 wrote to memory of 4940	4304	fontdrvhost.exe	128
PID 4304 wrote to memory of 4940	4304	fontdrvhost.exe	128
PID 4940 wrote to memory of 4744	4940	cmd.exe	130
PID 4940 wrote to memory of 4744	4940	cmd.exe	130
PID 4940 wrote to memory of 3756	4940	cmd.exe	131
PID 4940 wrote to memory of 3756	4940	cmd.exe	131
PID 3756 wrote to memory of 4608	3756	fontdrvhost.exe	132
PID 3756 wrote to memory of 4608	3756	fontdrvhost.exe	132
PID 4608 wrote to memory of 4852	4608	cmd.exe	134
PID 4608 wrote to memory of 4852	4608	cmd.exe	134
PID 4608 wrote to memory of 4936	4608	cmd.exe	135
PID 4608 wrote to memory of 4936	4608	cmd.exe	135
PID 4936 wrote to memory of 2376	4936	fontdrvhost.exe	136
PID 4936 wrote to memory of 2376	4936	fontdrvhost.exe	136
PID 2376 wrote to memory of 1660	2376	cmd.exe	138
PID 2376 wrote to memory of 1660	2376	cmd.exe	138
PID 2376 wrote to memory of 1780	2376	cmd.exe	139
PID 2376 wrote to memory of 1780	2376	cmd.exe	139
PID 1780 wrote to memory of 3988	1780	fontdrvhost.exe	140
PID 1780 wrote to memory of 3988	1780	fontdrvhost.exe	140
PID 3988 wrote to memory of 4568	3988	cmd.exe	142
PID 3988 wrote to memory of 4568	3988	cmd.exe	142

C:\Users\Admin\AppData\Local\Temp\c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe
"C:\Users\Admin\AppData\Local\Temp\c02207169ab90e98b316f240d24e6dea87d3fae5370de254a60e151c3543367a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1352
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3732
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4744
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4852
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1660
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4568
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        18⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3500
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        20⤵
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3964
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        22⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4868
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        24⤵
        
        PID:3968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2804
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        26⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4500
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        28⤵
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4158e99cbe1e3ae856753bdb5aac59aa

SHA1
6475a9e8d6702a78dbbcb0d23d9545bab3d644cc

SHA256
fbaa696f4925f7587e5aec17bf0791a881a2075201c74b173ab4288538225636

SHA512
ecdab10f6b01627ebdbd112c52376ad755e8d50e72bf52a231fc16970a01fa0a3e01b452877f871edeb0d50cd15e5a48a73d9b3ef8c5c98a2d3f6ec9b71dfd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
666645396c2ed47289bcde84115d9d2c

SHA1
1dacfec155d8a12dcc82fe379065a2e8c40f0f2c

SHA256
2913fcb0ba9c883a39984545cc43be1a35b2cc4675304f109aec03ce197be6c5

SHA512
01f79e028aa30418f6e37f420fb16ec7102c4a02a0051bec89528d42743ac1861e859125636024fe83de58a3dd97d31f468e5070a579706b42846f9499fd2efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
666645396c2ed47289bcde84115d9d2c

SHA1
1dacfec155d8a12dcc82fe379065a2e8c40f0f2c

SHA256
2913fcb0ba9c883a39984545cc43be1a35b2cc4675304f109aec03ce197be6c5

SHA512
01f79e028aa30418f6e37f420fb16ec7102c4a02a0051bec89528d42743ac1861e859125636024fe83de58a3dd97d31f468e5070a579706b42846f9499fd2efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec99423fded24a5c0b20f8196bfe9f4a

SHA1
9290c09bddb0c62c1beef9083957bc152962ac3e

SHA256
37a3014ce2a7251b0543f2bc45af776ed104b3eba831672b2fe9e71fd35a730b

SHA512
8f350173e0d8df5965497ec30f46e043f5d1bf353c77de347c096f114a4120f2cbc52de83232708bc719ce177721341b797fb5cc9e618fddd49a8d9863c20c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec99423fded24a5c0b20f8196bfe9f4a

SHA1
9290c09bddb0c62c1beef9083957bc152962ac3e

SHA256
37a3014ce2a7251b0543f2bc45af776ed104b3eba831672b2fe9e71fd35a730b

SHA512
8f350173e0d8df5965497ec30f46e043f5d1bf353c77de347c096f114a4120f2cbc52de83232708bc719ce177721341b797fb5cc9e618fddd49a8d9863c20c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec99423fded24a5c0b20f8196bfe9f4a

SHA1
9290c09bddb0c62c1beef9083957bc152962ac3e

SHA256
37a3014ce2a7251b0543f2bc45af776ed104b3eba831672b2fe9e71fd35a730b

SHA512
8f350173e0d8df5965497ec30f46e043f5d1bf353c77de347c096f114a4120f2cbc52de83232708bc719ce177721341b797fb5cc9e618fddd49a8d9863c20c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f9618b953d6d6c98fc0688b4b64d5eb5

SHA1
6971197e9d1cfd453e67b70b02b28b7d5b1cf426

SHA256
320aea252e995829af06c5a97ba82a2a880c725a801a10babfe45bec88e712fd

SHA512
a154b68f64a39068eb73dcd2b275287f65b0a6ec31281229031a33b50ed6640a100883c7964f5e7bd2b2f6d70836bfc711b87132f70ea5e7aa9cd940757fc776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85878b04c72b7a2c3891340fac6cb7e7

SHA1
60f501d5a74adb3a774e6389967f195aa72728ec

SHA256
7059a9c3b596f5b9b8b25ef14f1e0d44598c414711e2846661a249a414f2e6b6

SHA512
53cdad61ed4f28b9fd4dad52e539f0a100859445f1f9a7d08142f4353712e3de89fb40400c6d79976496604ffa89958d168d2c049fee3fdeb87cb10b869ad5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
187B

MD5
35dcd0bcc0d651f2d5569b09d3d6a70a

SHA1
80998287d6b48871598a3f89babf38f57292046b

SHA256
8c8d03d89ecfaf0a853fc63edb542035d2485649817efcd32ccbe6f1b581af17

SHA512
dfaaa069d965e550d1bb14f5899faade55ead3dba669693b2693e273da1e7f6d303c0ba7de8b2e8d51f7325887999ba5d63db79f84d58d86fd8e1fc452cfd0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
187B

MD5
35dcd0bcc0d651f2d5569b09d3d6a70a

SHA1
80998287d6b48871598a3f89babf38f57292046b

SHA256
8c8d03d89ecfaf0a853fc63edb542035d2485649817efcd32ccbe6f1b581af17

SHA512
dfaaa069d965e550d1bb14f5899faade55ead3dba669693b2693e273da1e7f6d303c0ba7de8b2e8d51f7325887999ba5d63db79f84d58d86fd8e1fc452cfd0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
187B

MD5
1bb2b80084a4a4b80f791430eef2930d

SHA1
18d197e2547cc6d4d1145174f7523bf83b6c7314

SHA256
03a668681110c7ecfed53119c59e7beec3a7b1ccaf3a2f03399546868685f0ca

SHA512
31e18085818d49b11e98c78e61bb710f42a4d51f56c9a7a654cf1019207575c6b1420e236c5605912258eb63ac45730af77bbb61e5aa43e52556a7b7ee5536b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
187B

MD5
0f2070997f7481d9a941b5a1d6559eb3

SHA1
ca3e9d4b0e1a749b00d9a9def170561f73511df6

SHA256
4e0ef8683364f57ab62f86d3083a430b4607cc67adcdf36f2b7e7fddf514f79c

SHA512
55a70e5820ac4c1d08eb3fdd09153a1ecaeed40d3106144f3ce55bfa66a346f3caeb6baa8596a019a70adbb04e299f9bdd853ed5474e514885a9229f5e0a3b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
187B

MD5
f36b0a6537911c5edd97e3c1f9ec8518

SHA1
3b76ae4bc08e0b928021f390b5c7c5d5af95475d

SHA256
9196190f86b08cf756374d72d7e683d087229d45acdb049a2a4cee406190b4f3

SHA512
39c36bb0be8f18fddc5661afab171769e72d770dde3af75d4d038221b47b9749fb6ea282785c83d4c00c463f95f425ebc16126e20a9b0159303bc0cddfe25ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
187B

MD5
7e02b423f5cdb94f25d8bafac763df85

SHA1
2a5985cec43b77d8e0a3e5399f854410e4912017

SHA256
fc5b3a33e70efad302862afc010ec31bdfe7a52693d4355e6110add4e0d87e6a

SHA512
667f4270c9ddf8c4d32f03a77d12e83ce5def7b9e7e36d4ad9b941c17685236e6087ce958dd6deefaff7fc7008ac74b19a52c30cbcc690108515f6e96ac89dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
187B

MD5
63ea2b77b0379995f35fd92ad2a141a7

SHA1
72fc671c53a0de4366b1195efe20d23bd0f1493d

SHA256
753cb0ff43eea0e75ba422103f0d3a139338a118894703d248c50243b2c3ecb2

SHA512
bfb456ea7c7522158807ff62f743c764f0f856fbb388642b421e4bd714199d6ff2d7fa4c3c4ea1fdb33187288ed4539fd1a2a17f772ec5cfc318e59971ad2fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

Filesize
187B

MD5
fb812cb563d25a36b54c33e9d15b8d5c

SHA1
e5b0ac658eb3f5e6351608b3de1890f2955d2568

SHA256
a63c9a1444bab32d508ee181e47450e8a34ec269b02d3b32adc214b8c741c94d

SHA512
1a4031f37bd3be5455251ba0f943df1bb1885beaa406e74ed7a59e5ba37486979f19955e5f265e4ae36885480b686aadea9845b446aa896ea37ed83c8d41bd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
187B

MD5
c9ecae7113c889b05672fc7af0576300

SHA1
d049738c54749f759cf4e53e5213afbd2202f3fe

SHA256
abaf30e10ce6d09ab58ef5888110cd9166949e0c48f885ba8b2f99a56790b87e

SHA512
d12254236e5f4ab9c2b7af5cde889149c372ef86f8c71e12618b6c989c4eef25405fdf7ab78346ce7ec6fffeb70800bc5a9af6b67627068ceccd3389221e70b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
187B

MD5
3018c69e723882cf295b2422eb290fc7

SHA1
51e655d124e2db931ff345a9405a74d7ec06a328

SHA256
e9713cbdaefe9e8960414ac6442ff11b5b06acda4695c70a0c2dc2d5f1870cda

SHA512
549ccd7916831cb5be17ebfeb05a4cf92cf5e7b6d9385885a9f91998c3929f6e6cafe4a42586391714e062408b097116cdb0b580f7fb7ac85bdb0f38b35a43f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
187B

MD5
b326314a46493c901aac9c9dbf4d8f17

SHA1
61fc45f3e422737524bd4de15cb21cbc10d10f7a

SHA256
1149a1dc504155a76e34963dfcdc826d609f99160d8228cf93ea35a5e14564c7

SHA512
269c6039248e5f6e3ffe10a48c8600392b39aeb5f5592e2384be94dffcf9dd33d5bad9da4675141fc59757589f132759264215c0249c85ae7fd70585c6713290

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
187B

MD5
dc78347164400075cf64dd5af2399361

SHA1
4065c4bbc84b69cd7d848df7433fda0f8cae280c

SHA256
0f0edd180d05cda7c42142f2eb2e1cc1c6a973f3e3e45da9ca944405752851de

SHA512
5722d466f3c023695871c8ee3671e834505ca742a7c96685e59b99d4c52c61b536a04ad6cfe08b9346186113b558e5aa49151f8bfc6267c8decaa440e94b1335

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1256-342-0x0000014ED8150000-0x0000014ED8172000-memory.dmp

Filesize
136KB

Download
memory/1256-347-0x0000014ED8300000-0x0000014ED8376000-memory.dmp

Filesize
472KB

Download
memory/1532-163-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-136-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-173-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-174-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-175-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-176-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-177-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-178-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-179-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-180-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-181-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-183-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-182-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-121-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-122-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-123-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-172-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-171-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-140-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-170-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-168-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-126-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-128-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-129-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-130-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-131-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-167-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-169-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-132-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-165-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-166-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-133-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-164-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-162-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-141-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-138-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-134-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-120-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-157-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-161-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-160-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-159-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-158-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-156-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-155-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-154-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-153-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-152-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-151-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-150-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-149-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-139-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-148-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-147-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-135-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-146-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-145-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-142-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-144-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-143-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-137-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1780-672-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2112-289-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2112-288-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2112-286-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2112-290-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2112-287-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/3336-186-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3336-185-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download