dcrat | 78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe
Size

1.3MB
MD5

4ef031db663c197163f81187ce6a86a7
SHA1

f0d7dc4856a99dbc25521e2473a1b0240e5b01e0
SHA256

78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199
SHA512

ffdf04340164f29dbf4a244dae0fd6f22780ad3538d09a3d55f3ec2593ce60899e58185030391d08779dd0b013b93e909a006858585273a0eb7d2df313a32524
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	3096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3096	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/428-139-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exeWScript.exeDllCommonsvc.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

pid	process
428	DllCommonsvc.exe
4584	WmiPrvSE.exe
2512	WmiPrvSE.exe
3300	WmiPrvSE.exe
2280	WmiPrvSE.exe
1008	WmiPrvSE.exe
4940	WmiPrvSE.exe
3516	WmiPrvSE.exe
3824	WmiPrvSE.exe
1340	WmiPrvSE.exe
2556	WmiPrvSE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\debug\services.exe DllCommonsvc.exe
File created C:\Windows\debug\c5b4cb5e9653cc DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\debug\services.exe	DllCommonsvc.exe
File created	C:\Windows\debug\c5b4cb5e9653cc	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4888	schtasks.exe
680	schtasks.exe
2884	schtasks.exe
4516	schtasks.exe
2708	schtasks.exe
1828	schtasks.exe
2908	schtasks.exe
220	schtasks.exe
2184	schtasks.exe
1356	schtasks.exe
2144	schtasks.exe
4788	schtasks.exe
2544	schtasks.exe
4936	schtasks.exe
2752	schtasks.exe
2692	schtasks.exe
4708	schtasks.exe
1308	schtasks.exe
2808	schtasks.exe
4204	schtasks.exe
1172	schtasks.exe
112	schtasks.exe
3984	schtasks.exe
4540	schtasks.exe
3744	schtasks.exe
4188	schtasks.exe
4208	schtasks.exe

Modifies registry class 11 IoCs

Processes:

78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeDllCommonsvc.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	WmiPrvSE.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

pid	process
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
428	DllCommonsvc.exe
4052	powershell.exe
4052	powershell.exe
4656	powershell.exe
4656	powershell.exe
2240	powershell.exe
2240	powershell.exe
1960	powershell.exe
1960	powershell.exe
4508	powershell.exe
4508	powershell.exe
4136	powershell.exe
4136	powershell.exe
4492	powershell.exe
4492	powershell.exe
2240	powershell.exe
756	powershell.exe
756	powershell.exe
4368	powershell.exe
4368	powershell.exe
3524	powershell.exe
3524	powershell.exe
4052	powershell.exe
4656	powershell.exe
1960	powershell.exe
4508	powershell.exe
4492	powershell.exe
4136	powershell.exe
4368	powershell.exe
756	powershell.exe
3524	powershell.exe
4584	WmiPrvSE.exe
2512	WmiPrvSE.exe
3300	WmiPrvSE.exe
2280	WmiPrvSE.exe
1008	WmiPrvSE.exe
4940	WmiPrvSE.exe
3516	WmiPrvSE.exe
3824	WmiPrvSE.exe
1340	WmiPrvSE.exe
2556	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	428	DllCommonsvc.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	4584	WmiPrvSE.exe
Token: SeDebugPrivilege	2512	WmiPrvSE.exe
Token: SeDebugPrivilege	3300	WmiPrvSE.exe
Token: SeDebugPrivilege	2280	WmiPrvSE.exe
Token: SeDebugPrivilege	1008	WmiPrvSE.exe
Token: SeDebugPrivilege	4940	WmiPrvSE.exe
Token: SeDebugPrivilege	3516	WmiPrvSE.exe
Token: SeDebugPrivilege	3824	WmiPrvSE.exe
Token: SeDebugPrivilege	1340	WmiPrvSE.exe
Token: SeDebugPrivilege	2556	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exeWScript.execmd.exeDllCommonsvc.execmd.exeWmiPrvSE.execmd.exeWmiPrvSE.execmd.exeWmiPrvSE.execmd.exeWmiPrvSE.execmd.exeWmiPrvSE.execmd.exe

description	pid	process	target process
PID 2312 wrote to memory of 3460	2312	78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe	WScript.exe
PID 2312 wrote to memory of 3460	2312	78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe	WScript.exe
PID 2312 wrote to memory of 3460	2312	78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe	WScript.exe
PID 3460 wrote to memory of 2316	3460	WScript.exe	cmd.exe
PID 3460 wrote to memory of 2316	3460	WScript.exe	cmd.exe
PID 3460 wrote to memory of 2316	3460	WScript.exe	cmd.exe
PID 2316 wrote to memory of 428	2316	cmd.exe	DllCommonsvc.exe
PID 2316 wrote to memory of 428	2316	cmd.exe	DllCommonsvc.exe
PID 428 wrote to memory of 4052	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4052	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4656	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4656	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 1960	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 1960	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4508	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4508	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 2240	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 2240	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 756	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 756	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4136	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4136	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4492	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4492	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4368	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 4368	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 3524	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 3524	428	DllCommonsvc.exe	powershell.exe
PID 428 wrote to memory of 5020	428	DllCommonsvc.exe	cmd.exe
PID 428 wrote to memory of 5020	428	DllCommonsvc.exe	cmd.exe
PID 5020 wrote to memory of 2752	5020	cmd.exe	w32tm.exe
PID 5020 wrote to memory of 2752	5020	cmd.exe	w32tm.exe
PID 5020 wrote to memory of 4584	5020	cmd.exe	WmiPrvSE.exe
PID 5020 wrote to memory of 4584	5020	cmd.exe	WmiPrvSE.exe
PID 4584 wrote to memory of 4080	4584	WmiPrvSE.exe	cmd.exe
PID 4584 wrote to memory of 4080	4584	WmiPrvSE.exe	cmd.exe
PID 4080 wrote to memory of 4056	4080	cmd.exe	w32tm.exe
PID 4080 wrote to memory of 4056	4080	cmd.exe	w32tm.exe
PID 4080 wrote to memory of 2512	4080	cmd.exe	WmiPrvSE.exe
PID 4080 wrote to memory of 2512	4080	cmd.exe	WmiPrvSE.exe
PID 2512 wrote to memory of 1376	2512	WmiPrvSE.exe	cmd.exe
PID 2512 wrote to memory of 1376	2512	WmiPrvSE.exe	cmd.exe
PID 1376 wrote to memory of 1136	1376	cmd.exe	w32tm.exe
PID 1376 wrote to memory of 1136	1376	cmd.exe	w32tm.exe
PID 1376 wrote to memory of 3300	1376	cmd.exe	WmiPrvSE.exe
PID 1376 wrote to memory of 3300	1376	cmd.exe	WmiPrvSE.exe
PID 3300 wrote to memory of 1460	3300	WmiPrvSE.exe	cmd.exe
PID 3300 wrote to memory of 1460	3300	WmiPrvSE.exe	cmd.exe
PID 1460 wrote to memory of 808	1460	cmd.exe	w32tm.exe
PID 1460 wrote to memory of 808	1460	cmd.exe	w32tm.exe
PID 1460 wrote to memory of 2280	1460	cmd.exe	WmiPrvSE.exe
PID 1460 wrote to memory of 2280	1460	cmd.exe	WmiPrvSE.exe
PID 2280 wrote to memory of 308	2280	WmiPrvSE.exe	cmd.exe
PID 2280 wrote to memory of 308	2280	WmiPrvSE.exe	cmd.exe
PID 308 wrote to memory of 4500	308	cmd.exe	w32tm.exe
PID 308 wrote to memory of 4500	308	cmd.exe	w32tm.exe
PID 308 wrote to memory of 1008	308	cmd.exe	WmiPrvSE.exe
PID 308 wrote to memory of 1008	308	cmd.exe	WmiPrvSE.exe
PID 1008 wrote to memory of 860	1008	WmiPrvSE.exe	cmd.exe
PID 1008 wrote to memory of 860	1008	WmiPrvSE.exe	cmd.exe
PID 860 wrote to memory of 1380	860	cmd.exe	w32tm.exe
PID 860 wrote to memory of 1380	860	cmd.exe	w32tm.exe
PID 860 wrote to memory of 4940	860	cmd.exe	WmiPrvSE.exe
PID 860 wrote to memory of 4940	860	cmd.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe
"C:\Users\Admin\AppData\Local\Temp\78049f20439d2c5b44b4af28051221cdf6b0447e7abfb0734bda27cdf7c76199.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8dF5EAHBDA.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2752
      - C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4056
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1136
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:808
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4500
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1380
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
        17⤵
        
        PID:1412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2200
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
        19⤵
        
        PID:3500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:644
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        21⤵
        
        PID:4816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2596
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        23⤵
        
        PID:3912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4812
        
        C:\Recovery\WindowsRE\WmiPrvSE.exe
        
        "C:\Recovery\WindowsRE\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dF5EAHBDA.bat

Filesize
199B

MD5
9cfb947f41af5056d180662bdb74b009

SHA1
8e882dfa135dc3a817dea9eedd30f34ff7a22103

SHA256
0d8c7ca1c5df62160027d2554b894ed5932ac2b6add1758b47590e2584cb4802

SHA512
0f7adf1f64b7c9dacabbb3439689d52b1767ae2ac40f6897e19f59e2390deb5de6da3bafc166903d3916c7d2aad28b8ed8167a36b06586a6c5e5f8d9174122a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
199B

MD5
0860d469e9017c6f9c4ef1ab1516833c

SHA1
cf3aab0e046e1d2b32862170784ef2b431989583

SHA256
70080eb76164f5f21260c418c4219a8fe5ada675dff7eeb92485c3a4e2f421e6

SHA512
9ead58d65a2a700d879cb8c21802da56e20ad2ca2bf6aac52fca2548c649438b6b6f244e9297fd48f32de9d05db3b430562d22ee22527eff174ed3a494bfac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
199B

MD5
dc2367a38ac00ce650fd50221b10f897

SHA1
8c0eeeb2854afbe4c26b368528170831f12a1f2c

SHA256
24e27ad808adaeeba5cc593a87603eb414ff70e7cf77811b8a45810b71385a51

SHA512
4f59bf25d46bc4d2070fdd9132a1354ee9ae562cc01d0e0f8740f71fa832575e6274ad7c7dd7f828c87a4aecef47fb2f9bd4962e21eb9b37c0cccab6497bf936

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

Filesize
199B

MD5
7e2b1700aa7dbcab5d51cbb10b47b8af

SHA1
dc518cfac698361819f88dbaaf53cda8e13ab96a

SHA256
f0be41c2bbc9872dc7f4de253b1f2e53f94dda66fe530a8556c2baff48767324

SHA512
6d2435c50583eb3266f42b04cfef9c63f66f2c404a7c3a7662a3d4362536dcea9c8bdf716bed5986bd809076683d16df5373486b6ffd67a95a72a561f64e7762

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
199B

MD5
f04eabbf21ad3a74f163f4897aed05bc

SHA1
7f7b6a737594110b43359f62a62e16fb76095c51

SHA256
460449d719c2a9a7ce391862b93686170b588227fa621b8f470dec87ca732c2f

SHA512
7d1565efe1238299def3543f977a06cc1fbc9522578a2e78bfd4b40a941be4d197bb6948299c5eb9ba48aa4e249dcf397431a4589fb87aa6218e0c88ed8edb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
199B

MD5
bf5db609949a754662c8f5aa695722f5

SHA1
e374fe074010ec852f96ba4dc4595d22b343acee

SHA256
07de570b234a74db06ee46df6e94807c2a3d24d4a8838ffb96e5f81788755bfb

SHA512
624f1c6168fbee570830e6b5c8110a712df002158a6fcab1e15ad8e0e4d9578520ab5a7a899c95982f23208686efd9db25f1b6f4238b89fa46f45ac65e0dffce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
199B

MD5
3701fb6cf2a4348413be14a0c7be4eb8

SHA1
afc64f2a8d1447622b165f60d9cbb4022e5cbd5e

SHA256
2b9077fcf681b3af354fded18dee7931faec16c9249f5c9d4457dcddb9bd58f6

SHA512
16ba7abe884ac2d14a02c1075fbf498c3c74a4ee0b9ee708960b82ff58b1eb9a25c842e6b553d1d3f18e6f3dd9acf466877720d7c74380cd50677f3117de733a

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
199B

MD5
f6d73ae452fa051d3793bdb3f0368b7d

SHA1
f0103f32f8b2a3890d371ba7feeb17574afc4404

SHA256
f68f9716c24bd7d32d54830959dd621a2a8c037b60f1d37f2b55a2c5b5941e22

SHA512
35c28f901b2268f9a67273c3163cc3c6462ffe437b9e881fe65fb6d685dc89c04927ffaee4c6cc016a8402b59ddc0186a155232f26868a1a50d96f72edf35a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
199B

MD5
f6d73ae452fa051d3793bdb3f0368b7d

SHA1
f0103f32f8b2a3890d371ba7feeb17574afc4404

SHA256
f68f9716c24bd7d32d54830959dd621a2a8c037b60f1d37f2b55a2c5b5941e22

SHA512
35c28f901b2268f9a67273c3163cc3c6462ffe437b9e881fe65fb6d685dc89c04927ffaee4c6cc016a8402b59ddc0186a155232f26868a1a50d96f72edf35a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
199B

MD5
f6d73ae452fa051d3793bdb3f0368b7d

SHA1
f0103f32f8b2a3890d371ba7feeb17574afc4404

SHA256
f68f9716c24bd7d32d54830959dd621a2a8c037b60f1d37f2b55a2c5b5941e22

SHA512
35c28f901b2268f9a67273c3163cc3c6462ffe437b9e881fe65fb6d685dc89c04927ffaee4c6cc016a8402b59ddc0186a155232f26868a1a50d96f72edf35a8c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/308-213-0x0000000000000000-mapping.dmp

Download
memory/428-154-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/428-140-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/428-139-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/428-136-0x0000000000000000-mapping.dmp

Download
memory/644-236-0x0000000000000000-mapping.dmp

Download
memory/756-146-0x0000000000000000-mapping.dmp

Download
memory/756-160-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/756-177-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/808-208-0x0000000000000000-mapping.dmp

Download
memory/860-220-0x0000000000000000-mapping.dmp

Download
memory/1008-223-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1008-217-0x0000000000000000-mapping.dmp

Download
memory/1008-219-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-201-0x0000000000000000-mapping.dmp

Download
memory/1340-247-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-245-0x0000000000000000-mapping.dmp

Download
memory/1340-251-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1376-199-0x0000000000000000-mapping.dmp

Download
memory/1380-222-0x0000000000000000-mapping.dmp

Download
memory/1412-227-0x0000000000000000-mapping.dmp

Download
memory/1460-206-0x0000000000000000-mapping.dmp

Download
memory/1960-143-0x0000000000000000-mapping.dmp

Download
memory/1960-156-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-175-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2200-229-0x0000000000000000-mapping.dmp

Download
memory/2240-166-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2240-145-0x0000000000000000-mapping.dmp

Download
memory/2240-158-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-212-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-216-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-210-0x0000000000000000-mapping.dmp

Download
memory/2316-135-0x0000000000000000-mapping.dmp

Download
memory/2512-198-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2512-202-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2512-195-0x0000000000000000-mapping.dmp

Download
memory/2556-254-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/2556-252-0x0000000000000000-mapping.dmp

Download
memory/2596-243-0x0000000000000000-mapping.dmp

Download
memory/2752-163-0x0000000000000000-mapping.dmp

Download
memory/3300-205-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3300-209-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3300-203-0x0000000000000000-mapping.dmp

Download
memory/3460-132-0x0000000000000000-mapping.dmp

Download
memory/3500-234-0x0000000000000000-mapping.dmp

Download
memory/3516-233-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-231-0x0000000000000000-mapping.dmp

Download
memory/3516-237-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-150-0x0000000000000000-mapping.dmp

Download
memory/3524-165-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-182-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-240-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-244-0x00007FFF681E0000-0x00007FFF68CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-238-0x0000000000000000-mapping.dmp

Download
memory/3912-248-0x0000000000000000-mapping.dmp

Download
memory/4052-153-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-151-0x000001DE28940000-0x000001DE28962000-memory.dmp

Filesize
136KB

Download
memory/4052-141-0x0000000000000000-mapping.dmp

Download
memory/4052-169-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-192-0x0000000000000000-mapping.dmp

Download
memory/4080-190-0x0000000000000000-mapping.dmp

Download
memory/4136-185-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-147-0x0000000000000000-mapping.dmp

Download
memory/4136-161-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4368-164-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4368-149-0x0000000000000000-mapping.dmp

Download
memory/4368-179-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-148-0x0000000000000000-mapping.dmp

Download
memory/4492-183-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-162-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-215-0x0000000000000000-mapping.dmp

Download
memory/4508-144-0x0000000000000000-mapping.dmp

Download
memory/4508-157-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-174-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-186-0x0000000000000000-mapping.dmp

Download
memory/4584-194-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-189-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-193-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-142-0x0000000000000000-mapping.dmp

Download
memory/4656-155-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-173-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-250-0x0000000000000000-mapping.dmp

Download
memory/4816-241-0x0000000000000000-mapping.dmp

Download
memory/4940-226-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-230-0x00007FFF67FF0000-0x00007FFF68AB1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-224-0x0000000000000000-mapping.dmp

Download
memory/5020-152-0x0000000000000000-mapping.dmp

Download