dcrat | 915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe
Size

1.3MB
MD5

501bbac8231d4327f1b339cf40e3b462
SHA1

e53565cc8087c30ce350b3de1799d274d70f250d
SHA256

915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff
SHA512

13be7986c44c5b05320413811b1195a9b525fb663016da139e9e51d3a3740d1d7c97c6fa35a84578af7a36f7f113e8774e7b971fe51edb8532718feca5780e8c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4616	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4616	schtasks.exe

DCRat payload 18 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3516-286-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat
C:\Program Files\Internet Explorer\de-DE\lsass.exe	dcrat

Executes dropped EXE 15 IoCs

Processes:

DllCommonsvc.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
3516	DllCommonsvc.exe
3348	lsass.exe
4916	lsass.exe
3820	lsass.exe
3040	lsass.exe
1560	lsass.exe
2184	lsass.exe
1576	lsass.exe
432	lsass.exe
1940	lsass.exe
3368	lsass.exe
2700	lsass.exe
4528	lsass.exe
4868	lsass.exe
4688	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Updates\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Updates\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\f8c8f1285d826b	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Provisioning\Packages\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Provisioning\Packages\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4984	schtasks.exe
1848	schtasks.exe
4408	schtasks.exe
4500	schtasks.exe
4372	schtasks.exe
2544	schtasks.exe
4988	schtasks.exe
4576	schtasks.exe
4540	schtasks.exe
4228	schtasks.exe
3704	schtasks.exe
4676	schtasks.exe
4948	schtasks.exe
4548	schtasks.exe
4596	schtasks.exe
4664	schtasks.exe
5044	schtasks.exe
3112	schtasks.exe

Modifies registry class 15 IoCs

Processes:

lsass.exelsass.exelsass.exeDllCommonsvc.exelsass.exelsass.exelsass.exelsass.exe915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
3516	DllCommonsvc.exe
4472	powershell.exe
4564	powershell.exe
1012	powershell.exe
1104	powershell.exe
3192	powershell.exe
4564	powershell.exe
1152	powershell.exe
1544	powershell.exe
1012	powershell.exe
1104	powershell.exe
1104	powershell.exe
4564	powershell.exe
4472	powershell.exe
1012	powershell.exe
3192	powershell.exe
1152	powershell.exe
1544	powershell.exe
4472	powershell.exe
3192	powershell.exe
1544	powershell.exe
1152	powershell.exe
3348	lsass.exe
4916	lsass.exe
3820	lsass.exe
3040	lsass.exe
1560	lsass.exe
2184	lsass.exe
1576	lsass.exe
432	lsass.exe
1940	lsass.exe
3368	lsass.exe
2700	lsass.exe
4528	lsass.exe
4868	lsass.exe
4688	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3516	DllCommonsvc.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	4564	powershell.exe
Token: SeSecurityPrivilege	4564	powershell.exe
Token: SeTakeOwnershipPrivilege	4564	powershell.exe
Token: SeLoadDriverPrivilege	4564	powershell.exe
Token: SeSystemProfilePrivilege	4564	powershell.exe
Token: SeSystemtimePrivilege	4564	powershell.exe
Token: SeProfSingleProcessPrivilege	4564	powershell.exe
Token: SeIncBasePriorityPrivilege	4564	powershell.exe
Token: SeCreatePagefilePrivilege	4564	powershell.exe
Token: SeBackupPrivilege	4564	powershell.exe
Token: SeRestorePrivilege	4564	powershell.exe
Token: SeShutdownPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeSystemEnvironmentPrivilege	4564	powershell.exe
Token: SeRemoteShutdownPrivilege	4564	powershell.exe
Token: SeUndockPrivilege	4564	powershell.exe
Token: SeManageVolumePrivilege	4564	powershell.exe
Token: 33	4564	powershell.exe
Token: 34	4564	powershell.exe
Token: 35	4564	powershell.exe
Token: 36	4564	powershell.exe
Token: SeIncreaseQuotaPrivilege	1104	powershell.exe
Token: SeSecurityPrivilege	1104	powershell.exe
Token: SeTakeOwnershipPrivilege	1104	powershell.exe
Token: SeLoadDriverPrivilege	1104	powershell.exe
Token: SeSystemProfilePrivilege	1104	powershell.exe
Token: SeSystemtimePrivilege	1104	powershell.exe
Token: SeProfSingleProcessPrivilege	1104	powershell.exe
Token: SeIncBasePriorityPrivilege	1104	powershell.exe
Token: SeCreatePagefilePrivilege	1104	powershell.exe
Token: SeBackupPrivilege	1104	powershell.exe
Token: SeRestorePrivilege	1104	powershell.exe
Token: SeShutdownPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeSystemEnvironmentPrivilege	1104	powershell.exe
Token: SeRemoteShutdownPrivilege	1104	powershell.exe
Token: SeUndockPrivilege	1104	powershell.exe
Token: SeManageVolumePrivilege	1104	powershell.exe
Token: 33	1104	powershell.exe
Token: 34	1104	powershell.exe
Token: 35	1104	powershell.exe
Token: 36	1104	powershell.exe
Token: SeIncreaseQuotaPrivilege	1012	powershell.exe
Token: SeSecurityPrivilege	1012	powershell.exe
Token: SeTakeOwnershipPrivilege	1012	powershell.exe
Token: SeLoadDriverPrivilege	1012	powershell.exe
Token: SeSystemProfilePrivilege	1012	powershell.exe
Token: SeSystemtimePrivilege	1012	powershell.exe
Token: SeProfSingleProcessPrivilege	1012	powershell.exe
Token: SeIncBasePriorityPrivilege	1012	powershell.exe
Token: SeCreatePagefilePrivilege	1012	powershell.exe
Token: SeBackupPrivilege	1012	powershell.exe
Token: SeRestorePrivilege	1012	powershell.exe
Token: SeShutdownPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeSystemEnvironmentPrivilege	1012	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exeWScript.execmd.exeDllCommonsvc.execmd.exelsass.execmd.exelsass.execmd.exelsass.execmd.exelsass.execmd.exelsass.execmd.exelsass.execmd.exe

description	pid	process	target process
PID 3764 wrote to memory of 5068	3764	915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe	WScript.exe
PID 3764 wrote to memory of 5068	3764	915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe	WScript.exe
PID 3764 wrote to memory of 5068	3764	915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe	WScript.exe
PID 5068 wrote to memory of 4344	5068	WScript.exe	cmd.exe
PID 5068 wrote to memory of 4344	5068	WScript.exe	cmd.exe
PID 5068 wrote to memory of 4344	5068	WScript.exe	cmd.exe
PID 4344 wrote to memory of 3516	4344	cmd.exe	DllCommonsvc.exe
PID 4344 wrote to memory of 3516	4344	cmd.exe	DllCommonsvc.exe
PID 3516 wrote to memory of 4564	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 4564	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 4472	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 4472	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1104	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1104	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1012	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1012	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 3192	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 3192	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1152	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1152	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1544	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 1544	3516	DllCommonsvc.exe	powershell.exe
PID 3516 wrote to memory of 976	3516	DllCommonsvc.exe	cmd.exe
PID 3516 wrote to memory of 976	3516	DllCommonsvc.exe	cmd.exe
PID 976 wrote to memory of 5108	976	cmd.exe	w32tm.exe
PID 976 wrote to memory of 5108	976	cmd.exe	w32tm.exe
PID 976 wrote to memory of 3348	976	cmd.exe	lsass.exe
PID 976 wrote to memory of 3348	976	cmd.exe	lsass.exe
PID 3348 wrote to memory of 2304	3348	lsass.exe	cmd.exe
PID 3348 wrote to memory of 2304	3348	lsass.exe	cmd.exe
PID 2304 wrote to memory of 1244	2304	cmd.exe	w32tm.exe
PID 2304 wrote to memory of 1244	2304	cmd.exe	w32tm.exe
PID 2304 wrote to memory of 4916	2304	cmd.exe	lsass.exe
PID 2304 wrote to memory of 4916	2304	cmd.exe	lsass.exe
PID 4916 wrote to memory of 3976	4916	lsass.exe	cmd.exe
PID 4916 wrote to memory of 3976	4916	lsass.exe	cmd.exe
PID 3976 wrote to memory of 4076	3976	cmd.exe	w32tm.exe
PID 3976 wrote to memory of 4076	3976	cmd.exe	w32tm.exe
PID 3976 wrote to memory of 3820	3976	cmd.exe	lsass.exe
PID 3976 wrote to memory of 3820	3976	cmd.exe	lsass.exe
PID 3820 wrote to memory of 4228	3820	lsass.exe	cmd.exe
PID 3820 wrote to memory of 4228	3820	lsass.exe	cmd.exe
PID 4228 wrote to memory of 4976	4228	cmd.exe	w32tm.exe
PID 4228 wrote to memory of 4976	4228	cmd.exe	w32tm.exe
PID 4228 wrote to memory of 3040	4228	cmd.exe	lsass.exe
PID 4228 wrote to memory of 3040	4228	cmd.exe	lsass.exe
PID 3040 wrote to memory of 4712	3040	lsass.exe	cmd.exe
PID 3040 wrote to memory of 4712	3040	lsass.exe	cmd.exe
PID 4712 wrote to memory of 4500	4712	cmd.exe	w32tm.exe
PID 4712 wrote to memory of 4500	4712	cmd.exe	w32tm.exe
PID 4712 wrote to memory of 1560	4712	cmd.exe	lsass.exe
PID 4712 wrote to memory of 1560	4712	cmd.exe	lsass.exe
PID 1560 wrote to memory of 4676	1560	lsass.exe	cmd.exe
PID 1560 wrote to memory of 4676	1560	lsass.exe	cmd.exe
PID 4676 wrote to memory of 5112	4676	cmd.exe	w32tm.exe
PID 4676 wrote to memory of 5112	4676	cmd.exe	w32tm.exe
PID 4676 wrote to memory of 2184	4676	cmd.exe	lsass.exe
PID 4676 wrote to memory of 2184	4676	cmd.exe	lsass.exe
PID 2184 wrote to memory of 3140	2184	lsass.exe	cmd.exe
PID 2184 wrote to memory of 3140	2184	lsass.exe	cmd.exe
PID 3140 wrote to memory of 4352	3140	cmd.exe	w32tm.exe
PID 3140 wrote to memory of 4352	3140	cmd.exe	w32tm.exe
PID 3140 wrote to memory of 1576	3140	cmd.exe	lsass.exe
PID 3140 wrote to memory of 1576	3140	cmd.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe
"C:\Users\Admin\AppData\Local\Temp\915779c8adb503ffff9dd6a151e5d605a71d24ea0f5854185dab003660ba41ff.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3YETYeAKgW.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5108

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1244

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4076

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:4976

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:4500

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:5112

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
17⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:4352

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
19⤵
PID:3784

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:740

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
21⤵
PID:2732

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:2744

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
23⤵
PID:4860

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:1440

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
24⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
25⤵
PID:3648

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:1984

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
26⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
27⤵
PID:2308

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
28⤵
PID:4444

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
28⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
29⤵
PID:4968

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
30⤵
PID:4268

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
30⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
31⤵
PID:4072

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
32⤵
PID:3736

C:\Program Files\Internet Explorer\de-DE\lsass.exe
"C:\Program Files\Internet Explorer\de-DE\lsass.exe"
32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Updates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Policies\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Policies\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\de-DE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32357c542048424827e534aea7c79647

SHA1
e985e304148277aa7d88b4d4a4bcb09d614354a5

SHA256
96a51d4fac942459a7a51800335e03a5c44737cf5b22defdd3ebaa4a8cb341a1

SHA512
05ea4d4a5f42481f3225c3e2c99223dc7fddefc73156c631392471755380cc89b15ce347dc6e4881270c7be5aca9faf9dafc5d7cd8db186116b0e523161905b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
754c29885a91889d54e37ff5501b2c64

SHA1
4dc3c40717cd0fae4a04f53e54a5bd80f3bfc319

SHA256
2f6b1a2b6ce7d300327567e9e1f1247a7b7a5c180b2c9ae4a4a55d2104ef9f64

SHA512
c754fd14dd55993c0ff29cb272a46b5c2b3168915c9a462da3c2fe2b99a9ae23c082f086ec5df95bc5f3b8a6f0db6a08414311b1c586e2d4b3e712298ff7057d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5afefe9aa292430cbf2ca579053fba6d

SHA1
4e0668b6cfe2558b5f7a3f582f8f4a96c88b88aa

SHA256
cfc265a67da43cc3729b07869a973dfb0519f94289cc07804b2c55449a036b1f

SHA512
c0a8f5421e6c3a255d184db0f3d377b84299c4871f90edcc0587fc4da3bbea9ed483ad4255deb8668e0d415045101e2f6ebe6d3590ff84b061faccc7ebb22066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bf62b42f70baa4b1ba4238f6bca785e

SHA1
27ee73ef339e04210549bcb9d732603d33397a42

SHA256
e3551a2e3105dede830172c064b4a3f4aad13e9ec5cfca102abdb94a8667d154

SHA512
b42ed790df177fb40dae665acda9a370e6fa4265eb9e944d67da913b9aa93d75951a8022bbe51c4a4515dbf31316bad421b74073c785ba9e15b98d9bc543a487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bf62b42f70baa4b1ba4238f6bca785e

SHA1
27ee73ef339e04210549bcb9d732603d33397a42

SHA256
e3551a2e3105dede830172c064b4a3f4aad13e9ec5cfca102abdb94a8667d154

SHA512
b42ed790df177fb40dae665acda9a370e6fa4265eb9e944d67da913b9aa93d75951a8022bbe51c4a4515dbf31316bad421b74073c785ba9e15b98d9bc543a487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bf62b42f70baa4b1ba4238f6bca785e

SHA1
27ee73ef339e04210549bcb9d732603d33397a42

SHA256
e3551a2e3105dede830172c064b4a3f4aad13e9ec5cfca102abdb94a8667d154

SHA512
b42ed790df177fb40dae665acda9a370e6fa4265eb9e944d67da913b9aa93d75951a8022bbe51c4a4515dbf31316bad421b74073c785ba9e15b98d9bc543a487

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
215B

MD5
c9259cd289f48f8ebe4e2afe14a7cfed

SHA1
09dba4b03fdffcce0315f8f59f5a6b6214d87265

SHA256
0bfdfee598a001844809e70f29bcf2a000929659f1377454846e7daa7636ff68

SHA512
182675a66a9e4b2f617dcdbeafeaec752bfb317dcfe33af8f34d6f814b7d0a904a5aa4d50c7c599201d652a4bfbc45130d381b252c83387ed235f92090c17f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YETYeAKgW.bat

Filesize
215B

MD5
284f9e9ab3068cf9fcc8610b66615fd2

SHA1
fc5d8c8b706ac7e566a35d9903753b73fff6ad6d

SHA256
27b396f74b2b0a35c591735497500980f7fc867aa947a6d2f90be8848f66f6bd

SHA512
445520330c501a2fa55a67d9d16468cafb5a1bc27c6eb619efdf244a762149211e36aad3384e451cab88b66d4c3f9c4daad29112ba88b67730a8cdb1d4b37f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
215B

MD5
62e3082719f03cf7b152285fc5f23517

SHA1
a51a818415146d1a04c110387922aab81df5b786

SHA256
5fc4f17262030b24a8cf0c97b8ada5a1112654aeea8105441a9d2c81826ac9d4

SHA512
9a3d6bde736c6ffb9c8df9ffe0f345ebef22555981d9b29a55310fb7f34ac11a3c08def5561bfbd3313f5858f57bf21ac143a51e83e7dbab42ff2992f7dba5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
215B

MD5
aa71e802d461a0e6f528e2e4c29f00e6

SHA1
f5e85d5495d4c4bf7d0abfe65cceedb4228e4538

SHA256
3e6f6ef1a5baaaf8e2694d2038dca5a90a2cd740319747ec761ae6c8dda0a5a7

SHA512
ce9f95dfcd710e64c7e98c5daff6d62eea68684af43c44ca256da3206d0507cd06af9f1cdd6c50fc13b293c0e7522d4016fe5f3f98bd74e6a6e8acbc6ebb7087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
215B

MD5
cd2b8b7edc6c85537bae83d9a390cf05

SHA1
1c0c72d7fa42871837e3b5e58430a26b289e4ae9

SHA256
0600561850c6900f441707071759348e2dcbde36e2eff4e811ca387e9f44cb5c

SHA512
9b96e548e6a4119df25a0601dad129ad99f85f9571ed36147f8b58980c0dd1b565e67944008aeb32ad275e5f0753359352bed2e74679150dc1bb99bfcdd66495

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat

Filesize
215B

MD5
2c3b52e32b800ca224fbfa4e2ea93b6d

SHA1
6ef0163c8b3d93ad5867e06eaada01ba722cacb0

SHA256
560e762d1649ef026069c91d919b21f4ed597fae47cfa0c531b7fd19af2b2497

SHA512
b01e56fc5c1f5d855af967180ceecd2c4e666839ec1bcb3b07a1c63386422c8ef0c2b7a9cc9c5e99e457924c51aa51692353fc245758100e1f7c3a3dbe47229a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
215B

MD5
1669b99af156dca0e1c25cd143ef6de3

SHA1
32fd083e115b5364d0cfebe59d511386bf06c72c

SHA256
45a8290ece8b6c5b28928d65487462d34b3129e3a3aa52e0f4d335544de47531

SHA512
3383e95c77faa088c020dee04a875965fd73aa3fecb9e935342df700a74201c8bea667e3a575d4b167fc03304ee883db018d89aea10a0a739803f4ecf6c6ab3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
215B

MD5
61197f69bfe105e09264d09773f8c81c

SHA1
8386800515a5227685c89b8f0ee68baa6a348d7b

SHA256
576d024601a65e048fe7a9c3ec48f55d93ad684b3ae98a0355b5b302bf5a6ecd

SHA512
31f421c25c057fe714f9354d5671b904cb928f97840e122d3a04e356cc7a430987c8774874cd3863a6775c78907b294933fb1422a4d7fb60ab014f341ab0c013

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
215B

MD5
59ef52f5370b88b91e37fdf4d993ed37

SHA1
8fb4e1111b7349ee371a33b3c47035e9104cb452

SHA256
fff6f9401d49d52b110fef4ec7b22f9580b15e7cb3d57312b0180fe53cb7a4c1

SHA512
8b9f22391148a84aaf4fbc78ced66a6eae6dfbf4cd23f8259d045bdd3a6b0b063ad20288bee804caabecd8a5dcf7fd4b51b9a0aa0477c9f5ca797789dea8d59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
215B

MD5
eb933b34905c75ee6c9e9df84d908b92

SHA1
fe7a7cfc260d0bde237d9b738d6eaea045184c8a

SHA256
54e91328890edf43fefda33a762f83b7318476e9c1c79925ce79f0d05c704053

SHA512
3c63daf4c290bfee0ba9b1b7c0487889580eb2ea142f94b7452c158df24eb1233544ef7655a9c6e54f258f4ce18cb5ae12dd48b7517e1fb473201798e5dcc00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
215B

MD5
f1d431621a2054b92c11dbfd5e3c7977

SHA1
fc31bac43509592a562408654afbbff8b0c82dbb

SHA256
62a48376ce13970a1054855f35da73cbf10dd5a708e3545beab7f5f7d9b5df80

SHA512
a01b23a22bab8a56ffdf41be66eeb2d6dd0eec6482cae196314453e535bdcef3ab81286cc5311cfbf6b6e1432a359b87ebd2274ea5238eb75b15a06aee111118

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
215B

MD5
de33843b93cf9021338d7f9d0ed48493

SHA1
55f52efb3a6e26b41709faec4d3fc21ea4ac8913

SHA256
a247e9f9f01bfa2c4b591d1422ec03c18d1f399b32a71e5290bf2ce6623cc695

SHA512
ca07b8f3e673c03d604de453f27d292609211b485373c6a98e17b47ab90f4e21030ddbb7fcf78a5bbc81e808ad64d368f7e467f7830c3351f5a3a97b4229e7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
215B

MD5
e4dad49e00838c6ca22e5ee7f18dbf07

SHA1
72fd227ad530150d74a0d19aaf54a70c88fa226a

SHA256
c33e6ad484ee1069d834c0dee204668820078746482fe77bf0b68118b98a7435

SHA512
f907d77dd5b79aea8041036ea64f66af98f2945157ed9ca3b2594d2527624bd8467f89870cff8e777e60f626d11098897b4c5f8144bf3ddb9dff329e57d3be37

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat

Filesize
215B

MD5
c9574da0a337ca2efcc64aeacce4a72c

SHA1
2b96afd0b128f82bad3733e8125b4390cbc10850

SHA256
31f76a29dd723e5cfd924a8e771b27fcd190584b98435ab3b5540f338a7f1488

SHA512
897e805ed8dee05a4b4e9b79deccb4f0ee9598b23b63571fd542c459c0965a3d4c88f7b21c5377cf3dad11f21bb7aa676bde2d96b440a08b5365140332f3f542

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/432-582-0x0000000000000000-mapping.dmp

Download
memory/740-581-0x0000000000000000-mapping.dmp

Download
memory/976-324-0x0000000000000000-mapping.dmp

Download
memory/1012-294-0x0000000000000000-mapping.dmp

Download
memory/1104-293-0x0000000000000000-mapping.dmp

Download
memory/1152-296-0x0000000000000000-mapping.dmp

Download
memory/1244-547-0x0000000000000000-mapping.dmp

Download
memory/1440-592-0x0000000000000000-mapping.dmp

Download
memory/1544-297-0x0000000000000000-mapping.dmp

Download
memory/1560-565-0x0000000000000000-mapping.dmp

Download
memory/1576-576-0x0000000000000000-mapping.dmp

Download
memory/1576-578-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/1940-587-0x0000000000000000-mapping.dmp

Download
memory/1940-589-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/1984-597-0x0000000000000000-mapping.dmp

Download
memory/2184-570-0x0000000000000000-mapping.dmp

Download
memory/2184-572-0x0000000000F60000-0x0000000000F72000-memory.dmp

Filesize
72KB

Download
memory/2304-545-0x0000000000000000-mapping.dmp

Download
memory/2308-600-0x0000000000000000-mapping.dmp

Download
memory/2700-598-0x0000000000000000-mapping.dmp

Download
memory/2732-584-0x0000000000000000-mapping.dmp

Download
memory/2744-586-0x0000000000000000-mapping.dmp

Download
memory/3040-560-0x0000000000000000-mapping.dmp

Download
memory/3140-573-0x0000000000000000-mapping.dmp

Download
memory/3192-295-0x0000000000000000-mapping.dmp

Download
memory/3348-541-0x0000000000000000-mapping.dmp

Download
memory/3348-544-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/3368-593-0x0000000000000000-mapping.dmp

Download
memory/3516-283-0x0000000000000000-mapping.dmp

Download
memory/3516-286-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/3516-287-0x0000000001860000-0x0000000001872000-memory.dmp

Filesize
72KB

Download
memory/3516-288-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/3516-289-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/3516-290-0x0000000002F90000-0x0000000002F9C000-memory.dmp

Filesize
48KB

Download
memory/3648-595-0x0000000000000000-mapping.dmp

Download
memory/3736-613-0x0000000000000000-mapping.dmp

Download
memory/3764-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-122-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-182-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-120-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-163-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-162-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-157-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-152-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/3784-579-0x0000000000000000-mapping.dmp

Download
memory/3820-555-0x0000000000000000-mapping.dmp

Download
memory/3976-552-0x0000000000000000-mapping.dmp

Download
memory/4072-611-0x0000000000000000-mapping.dmp

Download
memory/4076-554-0x0000000000000000-mapping.dmp

Download
memory/4228-557-0x0000000000000000-mapping.dmp

Download
memory/4268-607-0x0000000000000000-mapping.dmp

Download
memory/4344-260-0x0000000000000000-mapping.dmp

Download
memory/4352-575-0x0000000000000000-mapping.dmp

Download
memory/4444-602-0x0000000000000000-mapping.dmp

Download
memory/4472-292-0x0000000000000000-mapping.dmp

Download
memory/4500-564-0x0000000000000000-mapping.dmp

Download
memory/4528-603-0x0000000000000000-mapping.dmp

Download
memory/4564-327-0x0000025E6DD00000-0x0000025E6DD22000-memory.dmp

Filesize
136KB

Download
memory/4564-291-0x0000000000000000-mapping.dmp

Download
memory/4564-334-0x0000025E6E220000-0x0000025E6E296000-memory.dmp

Filesize
472KB

Download
memory/4676-567-0x0000000000000000-mapping.dmp

Download
memory/4688-614-0x0000000000000000-mapping.dmp

Download
memory/4712-562-0x0000000000000000-mapping.dmp

Download
memory/4860-590-0x0000000000000000-mapping.dmp

Download
memory/4868-610-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/4868-608-0x0000000000000000-mapping.dmp

Download
memory/4916-548-0x0000000000000000-mapping.dmp

Download
memory/4916-551-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/4968-605-0x0000000000000000-mapping.dmp

Download
memory/4976-559-0x0000000000000000-mapping.dmp

Download
memory/5068-184-0x0000000000000000-mapping.dmp

Download
memory/5068-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5068-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-362-0x0000000000000000-mapping.dmp

Download
memory/5112-569-0x0000000000000000-mapping.dmp

Download