dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1800s
max time network
1803s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	268	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	268	schtasks.exe	35

DCRat payload 26 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001400000000558e-12.dat	dcrat
behavioral1/files/0x001400000000558e-15.dat	dcrat
behavioral1/files/0x001400000000558e-16.dat	dcrat
behavioral1/files/0x000a000000016d30-27.dat	dcrat
behavioral1/files/0x000a000000016d30-30.dat	dcrat
behavioral1/files/0x000a000000016d30-29.dat	dcrat
behavioral1/files/0x000a000000016d30-28.dat	dcrat
behavioral1/memory/2748-35-0x00000000010E0000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2748-36-0x000000001B250000-0x000000001B2D0000-memory.dmp	dcrat
behavioral1/files/0x0002000000017ef2-51.dat	dcrat
behavioral1/files/0x0005000000018b90-65.dat	dcrat
behavioral1/memory/3040-67-0x0000000000180000-0x0000000000300000-memory.dmp	dcrat
behavioral1/files/0x0005000000018b90-66.dat	dcrat
behavioral1/files/0x0005000000018b7c-243.dat	dcrat
behavioral1/files/0x0008000000016d84-244.dat	dcrat
behavioral1/files/0x0005000000018b7c-245.dat	dcrat
behavioral1/files/0x0008000000016d84-246.dat	dcrat
behavioral1/files/0x0005000000018b90-255.dat	dcrat
behavioral1/files/0x0007000000016d78-256.dat	dcrat
behavioral1/files/0x0007000000016d78-257.dat	dcrat
behavioral1/files/0x0008000000016d84-267.dat	dcrat
behavioral1/files/0x0005000000018b7c-268.dat	dcrat
behavioral1/files/0x0005000000018b90-278.dat	dcrat
behavioral1/files/0x0007000000016d78-279.dat	dcrat
behavioral1/files/0x0008000000016d84-287.dat	dcrat
behavioral1/files/0x0005000000018b7c-288.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2660	Loader.exe
2748	MsServerfont.exe
3040	lsass.exe
3044	sppsvc.exe
2656	Idle.exe
1144	lsass.exe
2796	WmiPrvSE.exe
1092	Idle.exe
584	sppsvc.exe
2176	lsass.exe
2052	WmiPrvSE.exe
2704	Idle.exe
592	sppsvc.exe

Loads dropped DLL 3 IoCs

pid	Process
2908	YammiBeta.exe
2480	cmd.exe
2480	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
10	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2908	YammiBeta.exe
2908	YammiBeta.exe
2908	YammiBeta.exe
2908	YammiBeta.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\Idle.exe	MsServerfont.exe
File created	C:\Program Files\VideoLAN\VLC\locale\6ccacd8608530f	MsServerfont.exe
File created	C:\Program Files\Windows Media Player\de-DE\sppsvc.exe	MsServerfont.exe
File created	C:\Program Files\Windows Media Player\de-DE\0a1fd5f707cd16	MsServerfont.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe	MsServerfont.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\0a1fd5f707cd16	MsServerfont.exe
File created	C:\Program Files\Mozilla Firefox\fonts\lsass.exe	MsServerfont.exe
File created	C:\Program Files\Mozilla Firefox\fonts\6203df4a6bafc7	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1092	schtasks.exe
1952	schtasks.exe
1120	schtasks.exe
1580	schtasks.exe
2484	schtasks.exe
240	schtasks.exe
1480	schtasks.exe
1796	schtasks.exe
2388	schtasks.exe
2044	schtasks.exe
2404	schtasks.exe
472	schtasks.exe
1992	schtasks.exe
2276	schtasks.exe
1692	schtasks.exe
2068	schtasks.exe
2200	schtasks.exe
1784	schtasks.exe
2020	schtasks.exe
2504	schtasks.exe
1400	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2748	MsServerfont.exe
636	powershell.exe
1340	powershell.exe
772	powershell.exe
1680	powershell.exe
2268	powershell.exe
2100	powershell.exe
912	powershell.exe
1308	powershell.exe
2036	powershell.exe
2060	powershell.exe
1764	powershell.exe
2228	powershell.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe
3040	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	lsass.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	YammiBeta.exe
Token: SeDebugPrivilege	2748	MsServerfont.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3040	lsass.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	3044	sppsvc.exe
Token: SeDebugPrivilege	2656	Idle.exe
Token: SeDebugPrivilege	1144	lsass.exe
Token: SeDebugPrivilege	2796	WmiPrvSE.exe
Token: SeDebugPrivilege	1092	Idle.exe
Token: SeDebugPrivilege	584	sppsvc.exe
Token: SeDebugPrivilege	2176	lsass.exe
Token: SeDebugPrivilege	2052	WmiPrvSE.exe
Token: SeDebugPrivilege	592	sppsvc.exe
Token: SeDebugPrivilege	2704	Idle.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	YammiBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2660	2908	YammiBeta.exe	30
PID 2908 wrote to memory of 2660	2908	YammiBeta.exe	30
PID 2908 wrote to memory of 2660	2908	YammiBeta.exe	30
PID 2908 wrote to memory of 2660	2908	YammiBeta.exe	30
PID 2660 wrote to memory of 2576	2660	Loader.exe	31
PID 2660 wrote to memory of 2576	2660	Loader.exe	31
PID 2660 wrote to memory of 2576	2660	Loader.exe	31
PID 2660 wrote to memory of 2576	2660	Loader.exe	31
PID 2576 wrote to memory of 2480	2576	WScript.exe	32
PID 2576 wrote to memory of 2480	2576	WScript.exe	32
PID 2576 wrote to memory of 2480	2576	WScript.exe	32
PID 2576 wrote to memory of 2480	2576	WScript.exe	32
PID 2480 wrote to memory of 2748	2480	cmd.exe	34
PID 2480 wrote to memory of 2748	2480	cmd.exe	34
PID 2480 wrote to memory of 2748	2480	cmd.exe	34
PID 2480 wrote to memory of 2748	2480	cmd.exe	34
PID 2748 wrote to memory of 912	2748	MsServerfont.exe	57
PID 2748 wrote to memory of 912	2748	MsServerfont.exe	57
PID 2748 wrote to memory of 912	2748	MsServerfont.exe	57
PID 2748 wrote to memory of 1340	2748	MsServerfont.exe	79
PID 2748 wrote to memory of 1340	2748	MsServerfont.exe	79
PID 2748 wrote to memory of 1340	2748	MsServerfont.exe	79
PID 2748 wrote to memory of 636	2748	MsServerfont.exe	78
PID 2748 wrote to memory of 636	2748	MsServerfont.exe	78
PID 2748 wrote to memory of 636	2748	MsServerfont.exe	78
PID 2748 wrote to memory of 772	2748	MsServerfont.exe	77
PID 2748 wrote to memory of 772	2748	MsServerfont.exe	77
PID 2748 wrote to memory of 772	2748	MsServerfont.exe	77
PID 2748 wrote to memory of 2228	2748	MsServerfont.exe	76
PID 2748 wrote to memory of 2228	2748	MsServerfont.exe	76
PID 2748 wrote to memory of 2228	2748	MsServerfont.exe	76
PID 2748 wrote to memory of 2268	2748	MsServerfont.exe	75
PID 2748 wrote to memory of 2268	2748	MsServerfont.exe	75
PID 2748 wrote to memory of 2268	2748	MsServerfont.exe	75
PID 2748 wrote to memory of 2060	2748	MsServerfont.exe	58
PID 2748 wrote to memory of 2060	2748	MsServerfont.exe	58
PID 2748 wrote to memory of 2060	2748	MsServerfont.exe	58
PID 2748 wrote to memory of 1680	2748	MsServerfont.exe	74
PID 2748 wrote to memory of 1680	2748	MsServerfont.exe	74
PID 2748 wrote to memory of 1680	2748	MsServerfont.exe	74
PID 2748 wrote to memory of 2100	2748	MsServerfont.exe	72
PID 2748 wrote to memory of 2100	2748	MsServerfont.exe	72
PID 2748 wrote to memory of 2100	2748	MsServerfont.exe	72
PID 2748 wrote to memory of 1764	2748	MsServerfont.exe	71
PID 2748 wrote to memory of 1764	2748	MsServerfont.exe	71
PID 2748 wrote to memory of 1764	2748	MsServerfont.exe	71
PID 2748 wrote to memory of 2036	2748	MsServerfont.exe	69
PID 2748 wrote to memory of 2036	2748	MsServerfont.exe	69
PID 2748 wrote to memory of 2036	2748	MsServerfont.exe	69
PID 2748 wrote to memory of 1308	2748	MsServerfont.exe	68
PID 2748 wrote to memory of 1308	2748	MsServerfont.exe	68
PID 2748 wrote to memory of 1308	2748	MsServerfont.exe	68
PID 2748 wrote to memory of 3040	2748	MsServerfont.exe	81
PID 2748 wrote to memory of 3040	2748	MsServerfont.exe	81
PID 2748 wrote to memory of 3040	2748	MsServerfont.exe	81
PID 868 wrote to memory of 1092	868	taskeng.exe	88
PID 868 wrote to memory of 1092	868	taskeng.exe	88
PID 868 wrote to memory of 1092	868	taskeng.exe	88
PID 868 wrote to memory of 584	868	taskeng.exe	89
PID 868 wrote to memory of 584	868	taskeng.exe	89
PID 868 wrote to memory of 584	868	taskeng.exe	89
PID 868 wrote to memory of 584	868	taskeng.exe	89
PID 868 wrote to memory of 584	868	taskeng.exe	89
PID 868 wrote to memory of 2176	868	taskeng.exe	90

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
      - C:\Program Files\Mozilla Firefox\fonts\lsass.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\lsass.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\taskeng.exe
taskeng.exe {826C31F1-07C4-4012-A7A8-7044FB3ADF55} S-1-5-21-1528014236-771305907-3973026625-1000:DMCOTBQQ\Admin:Interactive:[1]
1⤵
PID:2920
- C:\Program Files\VideoLAN\VLC\locale\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Users\Default\Downloads\sppsvc.exe
  C:\Users\Default\Downloads\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Program Files\Mozilla Firefox\fonts\lsass.exe
  "C:\Program Files\Mozilla Firefox\fonts\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe
  "C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {76C8F663-7AE2-4681-9F31-7A8326567293} S-1-5-21-1528014236-771305907-3973026625-1000:DMCOTBQQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files\VideoLAN\VLC\locale\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Users\Default\Downloads\sppsvc.exe
  C:\Users\Default\Downloads\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Program Files\Mozilla Firefox\fonts\lsass.exe
  "C:\Program Files\Mozilla Firefox\fonts\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe
  "C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Program Files\VideoLAN\VLC\locale\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Users\Default\Downloads\sppsvc.exe
  C:\Users\Default\Downloads\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\fonts\lsass.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Mozilla Firefox\fonts\lsass.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Mozilla Firefox\fonts\lsass.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Mozilla Firefox\fonts\lsass.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\VideoLAN\VLC\locale\Idle.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\VideoLAN\VLC\locale\Idle.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\VideoLAN\VLC\locale\Idle.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\VideoLAN\VLC\locale\Idle.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows Media Player\de-DE\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1dc48528bcba38a6f948885eda89543

SHA1
a871bb22a6f438531f267ff66383571b376bbbe3

SHA256
055809158db3522f649ae4e4a275351d4210e21c4fec36a843e90744338bf168

SHA512
dee3146cb6fac3b2497942531d464bf19a1f4b2d04d40ebed0d7e2029df1d6e9aff4bb1bee5592b01b29faef7f6bcf36109cdf5a9ef00f8047a517cef55bd59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab22EE.tmp

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar24F7.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c9d040cb645dabc2c01bd849e0a4c29

SHA1
ac9da321a03d03cf63b78338eb87ab3d4cd53c40

SHA256
bf4ee8b0c99be358e3ce92abfdb8f807c3c4b9e361292d779a510bcddb263bec

SHA512
405e83c28444338ae3ccb47ec0b7479a5aab8a78f25625177b705a0ef65c7f0d67049ac3b2efc1fb221f42375d1d24bbe07f75763ee9608e6447a1b807f2922c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c9d040cb645dabc2c01bd849e0a4c29

SHA1
ac9da321a03d03cf63b78338eb87ab3d4cd53c40

SHA256
bf4ee8b0c99be358e3ce92abfdb8f807c3c4b9e361292d779a510bcddb263bec

SHA512
405e83c28444338ae3ccb47ec0b7479a5aab8a78f25625177b705a0ef65c7f0d67049ac3b2efc1fb221f42375d1d24bbe07f75763ee9608e6447a1b807f2922c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c9d040cb645dabc2c01bd849e0a4c29

SHA1
ac9da321a03d03cf63b78338eb87ab3d4cd53c40

SHA256
bf4ee8b0c99be358e3ce92abfdb8f807c3c4b9e361292d779a510bcddb263bec

SHA512
405e83c28444338ae3ccb47ec0b7479a5aab8a78f25625177b705a0ef65c7f0d67049ac3b2efc1fb221f42375d1d24bbe07f75763ee9608e6447a1b807f2922c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c9d040cb645dabc2c01bd849e0a4c29

SHA1
ac9da321a03d03cf63b78338eb87ab3d4cd53c40

SHA256
bf4ee8b0c99be358e3ce92abfdb8f807c3c4b9e361292d779a510bcddb263bec

SHA512
405e83c28444338ae3ccb47ec0b7479a5aab8a78f25625177b705a0ef65c7f0d67049ac3b2efc1fb221f42375d1d24bbe07f75763ee9608e6447a1b807f2922c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B69SU7E9KT4INC4J17H1.temp

Filesize
7KB

MD5
5c9d040cb645dabc2c01bd849e0a4c29

SHA1
ac9da321a03d03cf63b78338eb87ab3d4cd53c40

SHA256
bf4ee8b0c99be358e3ce92abfdb8f807c3c4b9e361292d779a510bcddb263bec

SHA512
405e83c28444338ae3ccb47ec0b7479a5aab8a78f25625177b705a0ef65c7f0d67049ac3b2efc1fb221f42375d1d24bbe07f75763ee9608e6447a1b807f2922c

Download Submit
C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\WmiPrvSE.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Downloads\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Downloads\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Downloads\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Downloads\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
memory/636-119-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/636-129-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/636-134-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/636-94-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/636-144-0x0000000002A0B000-0x0000000002A72000-memory.dmp

Filesize
412KB

Download
memory/772-127-0x000000000256B000-0x00000000025D2000-memory.dmp

Filesize
412KB

Download
memory/772-114-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/772-122-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/912-115-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/912-130-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/912-140-0x00000000027AB000-0x0000000002812000-memory.dmp

Filesize
412KB

Download
memory/1308-145-0x000000000299B000-0x0000000002A02000-memory.dmp

Filesize
412KB

Download
memory/1308-120-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-137-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/1340-110-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1340-116-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1340-128-0x000000000232B000-0x0000000002392000-memory.dmp

Filesize
412KB

Download
memory/1680-142-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/1680-123-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1680-139-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/1764-118-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1764-143-0x0000000002B2B000-0x0000000002B92000-memory.dmp

Filesize
412KB

Download
memory/1764-132-0x0000000002B24000-0x0000000002B27000-memory.dmp

Filesize
12KB

Download
memory/2036-112-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-135-0x00000000029EB000-0x0000000002A52000-memory.dmp

Filesize
412KB

Download
memory/2036-125-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/2060-131-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/2060-117-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-141-0x000000000253B000-0x00000000025A2000-memory.dmp

Filesize
412KB

Download
memory/2100-133-0x000000000274B000-0x00000000027B2000-memory.dmp

Filesize
412KB

Download
memory/2100-124-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2100-93-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2100-111-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-138-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/2228-121-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-126-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2268-136-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2268-113-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-37-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-34-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-45-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2748-44-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2748-46-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2748-43-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/2748-42-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2748-36-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2748-92-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-41-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2748-40-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2748-39-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2748-38-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2748-35-0x00000000010E0000-0x0000000001260000-memory.dmp

Filesize
1.5MB

Download
memory/2908-8-0x00000000052C0000-0x0000000005300000-memory.dmp

Filesize
256KB

Download
memory/2908-0-0x0000000000260000-0x00000000005DE000-memory.dmp

Filesize
3.5MB

Download
memory/2908-33-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-32-0x0000000000260000-0x00000000005DE000-memory.dmp

Filesize
3.5MB

Download
memory/2908-7-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-5-0x0000000000260000-0x00000000005DE000-memory.dmp

Filesize
3.5MB

Download
memory/2908-4-0x00000000052C0000-0x0000000005300000-memory.dmp

Filesize
256KB

Download
memory/2908-3-0x0000000000260000-0x00000000005DE000-memory.dmp

Filesize
3.5MB

Download
memory/2908-2-0x0000000000260000-0x00000000005DE000-memory.dmp

Filesize
3.5MB

Download
memory/2908-1-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-68-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-67-0x0000000000180000-0x0000000000300000-memory.dmp

Filesize
1.5MB

Download