dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
279s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4916	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4916	schtasks.exe	84

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0006000000023211-12.dat	dcrat
behavioral3/files/0x0006000000023211-14.dat	dcrat
behavioral3/files/0x0006000000023211-15.dat	dcrat
behavioral3/files/0x0006000000023214-28.dat	dcrat
behavioral3/files/0x0006000000023214-30.dat	dcrat
behavioral3/memory/4544-31-0x0000000000A20000-0x0000000000BA0000-memory.dmp	dcrat
behavioral3/files/0x000600000002321a-37.dat	dcrat
behavioral3/files/0x0006000000023214-43.dat	dcrat
behavioral3/files/0x0006000000023241-475.dat	dcrat
behavioral3/files/0x0006000000023241-474.dat	dcrat
behavioral3/files/0x000600000002321a-540.dat	dcrat
behavioral3/files/0x000600000002321a-541.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4640	Loader.exe
4544	MsServerfont.exe
2656	MsServerfont.exe
2236	MoUsoCoreWorker.exe
5896	sihost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ipinfo.io
37	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1216	YammiBeta.exe
1216	YammiBeta.exe
1216	YammiBeta.exe
1216	YammiBeta.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\dllhost.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\upfc.exe	MsServerfont.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\upfc.exe	MsServerfont.exe
File created	C:\Program Files\7-Zip\Lang\sysmon.exe	MsServerfont.exe
File created	C:\Program Files\7-Zip\Lang\121e5b5079f7c0	MsServerfont.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	MsServerfont.exe
File created	C:\Program Files\Windows Defender\ja-JP\e978f868350d50	MsServerfont.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\ea1d8f6d871115	MsServerfont.exe
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	MsServerfont.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\56085415360792	MsServerfont.exe
File created	C:\Program Files\Windows Defender\ja-JP\powershell.exe	MsServerfont.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\WmiPrvSE.exe	MsServerfont.exe
File created	C:\Windows\ShellExperiences\24dbde2999530e	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3384	schtasks.exe
3368	schtasks.exe
3136	schtasks.exe
5068	schtasks.exe
4684	schtasks.exe
3136	schtasks.exe
1172	schtasks.exe
2040	schtasks.exe
3060	schtasks.exe
2536	schtasks.exe
3936	schtasks.exe
4876	schtasks.exe
4384	schtasks.exe
4712	schtasks.exe
3704	schtasks.exe
1900	schtasks.exe
4640	schtasks.exe
2140	schtasks.exe
4468	schtasks.exe
988	schtasks.exe
3812	schtasks.exe
1624	schtasks.exe
1052	schtasks.exe
4384	schtasks.exe
1448	schtasks.exe
4376	schtasks.exe
988	schtasks.exe
2772	schtasks.exe
4948	schtasks.exe
1900	schtasks.exe
1464	schtasks.exe
3676	schtasks.exe
4704	schtasks.exe
4640	schtasks.exe
3368	schtasks.exe
4712	schtasks.exe
2140	schtasks.exe
4464	schtasks.exe
1348	schtasks.exe
2432	schtasks.exe
1552	schtasks.exe
2536	schtasks.exe
4948	schtasks.exe
2120	schtasks.exe
3864	schtasks.exe
1896	schtasks.exe
3876	schtasks.exe
2860	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	MsServerfont.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	MsServerfont.exe
4544	MsServerfont.exe
4544	MsServerfont.exe
4544	MsServerfont.exe
4544	MsServerfont.exe
2036	powershell.exe
2036	powershell.exe
1232	powershell.exe
1232	powershell.exe
4980	powershell.exe
4980	powershell.exe
528	powershell.exe
528	powershell.exe
2920	powershell.exe
2920	powershell.exe
4920	powershell.exe
4920	powershell.exe
4860	powershell.exe
4860	powershell.exe
3888	powershell.exe
3888	powershell.exe
2740	powershell.exe
2740	powershell.exe
4672	powershell.exe
4672	powershell.exe
1760	powershell.exe
1760	powershell.exe
716	powershell.exe
716	powershell.exe
2656	MsServerfont.exe
2656	MsServerfont.exe
2036	powershell.exe
4980	powershell.exe
1232	powershell.exe
528	powershell.exe
2920	powershell.exe
4920	powershell.exe
3888	powershell.exe
4860	powershell.exe
4672	powershell.exe
2740	powershell.exe
1760	powershell.exe
716	powershell.exe
2656	MsServerfont.exe
2656	MsServerfont.exe
1544	powershell.exe
1544	powershell.exe
1360	powershell.exe
1360	powershell.exe
2536	schtasks.exe
2536	schtasks.exe
4164	powershell.exe
4164	powershell.exe
5080	powershell.exe
5080	powershell.exe
4436	powershell.exe
4436	powershell.exe
4684	powershell.exe
4684	powershell.exe
4468	powershell.exe
4468	powershell.exe
3808	powershell.exe
3808	powershell.exe
5124	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	MoUsoCoreWorker.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	YammiBeta.exe
Token: SeDebugPrivilege	4544	MsServerfont.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2656	MsServerfont.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2536	schtasks.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	3136	schtasks.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	2236	MoUsoCoreWorker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	YammiBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4640	1216	YammiBeta.exe	88
PID 1216 wrote to memory of 4640	1216	YammiBeta.exe	88
PID 1216 wrote to memory of 4640	1216	YammiBeta.exe	88
PID 4640 wrote to memory of 1848	4640	Loader.exe	89
PID 4640 wrote to memory of 1848	4640	Loader.exe	89
PID 4640 wrote to memory of 1848	4640	Loader.exe	89
PID 1848 wrote to memory of 2156	1848	WScript.exe	90
PID 1848 wrote to memory of 2156	1848	WScript.exe	90
PID 1848 wrote to memory of 2156	1848	WScript.exe	90
PID 2156 wrote to memory of 4544	2156	cmd.exe	92
PID 2156 wrote to memory of 4544	2156	cmd.exe	92
PID 4544 wrote to memory of 716	4544	MsServerfont.exe	106
PID 4544 wrote to memory of 716	4544	MsServerfont.exe	106
PID 4544 wrote to memory of 2036	4544	MsServerfont.exe	107
PID 4544 wrote to memory of 2036	4544	MsServerfont.exe	107
PID 4544 wrote to memory of 1232	4544	MsServerfont.exe	112
PID 4544 wrote to memory of 1232	4544	MsServerfont.exe	112
PID 4544 wrote to memory of 4920	4544	MsServerfont.exe	111
PID 4544 wrote to memory of 4920	4544	MsServerfont.exe	111
PID 4544 wrote to memory of 4672	4544	MsServerfont.exe	110
PID 4544 wrote to memory of 4672	4544	MsServerfont.exe	110
PID 4544 wrote to memory of 3888	4544	MsServerfont.exe	108
PID 4544 wrote to memory of 3888	4544	MsServerfont.exe	108
PID 4544 wrote to memory of 4860	4544	MsServerfont.exe	109
PID 4544 wrote to memory of 4860	4544	MsServerfont.exe	109
PID 4544 wrote to memory of 1760	4544	MsServerfont.exe	128
PID 4544 wrote to memory of 1760	4544	MsServerfont.exe	128
PID 4544 wrote to memory of 2740	4544	MsServerfont.exe	126
PID 4544 wrote to memory of 2740	4544	MsServerfont.exe	126
PID 4544 wrote to memory of 2920	4544	MsServerfont.exe	125
PID 4544 wrote to memory of 2920	4544	MsServerfont.exe	125
PID 4544 wrote to memory of 4980	4544	MsServerfont.exe	116
PID 4544 wrote to memory of 4980	4544	MsServerfont.exe	116
PID 4544 wrote to memory of 528	4544	MsServerfont.exe	115
PID 4544 wrote to memory of 528	4544	MsServerfont.exe	115
PID 4544 wrote to memory of 2656	4544	MsServerfont.exe	129
PID 4544 wrote to memory of 2656	4544	MsServerfont.exe	129
PID 2656 wrote to memory of 1544	2656	MsServerfont.exe	186
PID 2656 wrote to memory of 1544	2656	MsServerfont.exe	186
PID 2656 wrote to memory of 2536	2656	MsServerfont.exe	191
PID 2656 wrote to memory of 2536	2656	MsServerfont.exe	191
PID 2656 wrote to memory of 1360	2656	MsServerfont.exe	183
PID 2656 wrote to memory of 1360	2656	MsServerfont.exe	183
PID 2656 wrote to memory of 4164	2656	MsServerfont.exe	181
PID 2656 wrote to memory of 4164	2656	MsServerfont.exe	181
PID 2656 wrote to memory of 5080	2656	MsServerfont.exe	179
PID 2656 wrote to memory of 5080	2656	MsServerfont.exe	179
PID 2656 wrote to memory of 4436	2656	MsServerfont.exe	161
PID 2656 wrote to memory of 4436	2656	MsServerfont.exe	161
PID 2656 wrote to memory of 4468	2656	MsServerfont.exe	176
PID 2656 wrote to memory of 4468	2656	MsServerfont.exe	176
PID 2656 wrote to memory of 4684	2656	MsServerfont.exe	163
PID 2656 wrote to memory of 4684	2656	MsServerfont.exe	163
PID 2656 wrote to memory of 3808	2656	MsServerfont.exe	174
PID 2656 wrote to memory of 3808	2656	MsServerfont.exe	174
PID 2656 wrote to memory of 3136	2656	MsServerfont.exe	193
PID 2656 wrote to memory of 3136	2656	MsServerfont.exe	193
PID 2656 wrote to memory of 5124	2656	MsServerfont.exe	170
PID 2656 wrote to memory of 5124	2656	MsServerfont.exe	170
PID 2656 wrote to memory of 5132	2656	MsServerfont.exe	165
PID 2656 wrote to memory of 5132	2656	MsServerfont.exe	165
PID 2656 wrote to memory of 5476	2656	MsServerfont.exe	172
PID 2656 wrote to memory of 5476	2656	MsServerfont.exe	172
PID 5476 wrote to memory of 5816	5476	cmd.exe	185

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        
        PID:3136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OLSx9fioU7.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5816
        
        C:\odt\MoUsoCoreWorker.exe
        
        "C:\odt\MoUsoCoreWorker.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\odt\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SIHClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Music\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\odt\sihost.exe
C:\odt\sihost.exe
1⤵
- Executes dropped EXE
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MsServerfont.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8202723a82f7477bbb09846c2edcf583

SHA1
72bd9892d54f6d93c7798e86dbfa72b86e075c41

SHA256
8070ccb83f012da20d8b4bb6e085e163dbd4e93ab56787933acfd82aef5dcc99

SHA512
f2be04e53918961d879a7a7a6a80da7489954bb531ecf2d219ece4973ca8cf28076758e5d3940b59c2f5233059c830dcd8086a4a41a1266d44a7e9687a31bbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9cc5831dd60c33bbcec03ca874abcfda

SHA1
d4ee88f7622b6a05627dc25ea9e58313e0cde849

SHA256
eabe610508e720128e61c762c6f72974ad9e8be445b854a5cc45aaa3f565d514

SHA512
9343ddf032d76ee7e258d068a1084d807ab11e0c1cdbcec580839c6c4132da1957864bb607c5d6259db8f7c9f432e6ec967b9c445f2b6b1c1c2ac141218edee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4345955c1b5cc2f2c8a6923e677f6a61

SHA1
572a46a5fa74524df83da70b00f40ddb81b5b432

SHA256
14178c711c1c432e590041f1c4e426b664b07b1c3aad6c84b352677330ce3fef

SHA512
6bc29254e9aa6e12b353979f4e3b7689fe586bdcc6a6605f540b9202ab70c7b6c1cf28b25d7d69e8569917b183f62f0f40c8689e9e5d0134b2b6f1c306cbd2b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c513fe7261cbb0fd7ec5d03873693d6

SHA1
360d69bf9f5ba328d5f039f4802b2546ac346c4b

SHA256
4dc40c8efd2b217c5552937c9fd2b7ac00bc30ac50a81526ab6655278c5a4dc9

SHA512
8c0fbffdfc5003e06c7ae0b53052b3478fbd7e2e1b9028db12248383535d04dcfeb80069295e48c5e0ec60504f45610b7bd944b8852cada005a590660caa04d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c513fe7261cbb0fd7ec5d03873693d6

SHA1
360d69bf9f5ba328d5f039f4802b2546ac346c4b

SHA256
4dc40c8efd2b217c5552937c9fd2b7ac00bc30ac50a81526ab6655278c5a4dc9

SHA512
8c0fbffdfc5003e06c7ae0b53052b3478fbd7e2e1b9028db12248383535d04dcfeb80069295e48c5e0ec60504f45610b7bd944b8852cada005a590660caa04d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0a62c5527e5c53da2089257599b96737

SHA1
19f98976bddd8582fef1a03efbc8dbee98b4d3b1

SHA256
5c6b7bcd8169c883cccfe55b5aa65a1514b26b387bda470c651b9d352ba1ed66

SHA512
60ec49abc186d92fe7403f1dc87d281c6db508ce5c271c45784dd1a3a9780d7fa66dcb93a10801c446809fec44c86e50f29f85eda0fe983df2a07217d5dbc0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f6b5bbcd2386512d0b9af775e45d3770

SHA1
a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

SHA256
50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

SHA512
3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f6b5bbcd2386512d0b9af775e45d3770

SHA1
a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

SHA256
50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

SHA512
3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3698a76af5bc9f51abb0dd648c4e5330

SHA1
75f195af327a21f1110a963e3420a66d5caf666e

SHA256
525b4b6cbf8a3953ba304dce17b454c0f07b44fcf54566f002b02203e1aa4b25

SHA512
692b87c6e6b14aeed268a951baa3c0a5232500d95a72b3ce333b720b0d6600579b9d012f7dc9dbce99748dfb640e7870f98ff7282cf6ea2df8b4e429b6b0d4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8925cc4f81eb78ed54752cb09f7b0934

SHA1
f62fd8dfb10d42f8d6dee003bdcbc470df1b89bc

SHA256
c9bce703083e444b00adbe14bebffa77421d4eeb0b596ebd01a9d8185875104d

SHA512
f3aad77bab1dd364527e940f2322b9137ae4cf877a4f5a1d6466b3fbab0cd4a2cc5a59f40cf1720abfe573b000c252112692f5e5bb0dbf860fcfadfbbf688374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
174ee3eb2a195cb2fb7a08930e5e3d64

SHA1
83505b16e9deb08919ad4600502272c36f8270e8

SHA256
f3cf2d850fcd88530cc2d76f327749074f4da3f20230cedf62cd5f2dea77e814

SHA512
f9f0c64b36e92975ed0da80d3314773798e876e0adb5323155800ef7a1101a5f1ddca2a761c4488f15216010c03d81958c0bf2ec02213c7d0cb0f0b341c2fd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OLSx9fioU7.bat

Filesize
191B

MD5
6e19b88f6450b432e39110378c59b042

SHA1
ea079b8b0850ee807ca7a1e014554c716a5ca856

SHA256
601a095a404337b86d69f5fa77654e75a877536e8e3185d75397126f1bfa549a

SHA512
7e0aaa970453f26f224900dc555be5e25ffcce55e3c2f4768d12344cdfc8874597d8f854db4dec0da7392d96a5b3ccc51fb873ea27ed150f8854cdcaac2f03d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aw5nvgew.ggj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\odt\MoUsoCoreWorker.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\odt\MoUsoCoreWorker.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\odt\sihost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\odt\sihost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\odt\sihost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
memory/528-143-0x00000241DABD0000-0x00000241DABE0000-memory.dmp

Filesize
64KB

Download
memory/528-124-0x00000241DABD0000-0x00000241DABE0000-memory.dmp

Filesize
64KB

Download
memory/528-86-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/528-201-0x00000241DABD0000-0x00000241DABE0000-memory.dmp

Filesize
64KB

Download
memory/716-197-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/716-190-0x000002D830410000-0x000002D830420000-memory.dmp

Filesize
64KB

Download
memory/1216-25-0x0000000006B90000-0x0000000007134000-memory.dmp

Filesize
5.6MB

Download
memory/1216-26-0x00000000066D0000-0x0000000006762000-memory.dmp

Filesize
584KB

Download
memory/1216-0-0x0000000000080000-0x00000000003FE000-memory.dmp

Filesize
3.5MB

Download
memory/1216-85-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1216-7-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/1216-6-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1216-4-0x0000000000080000-0x00000000003FE000-memory.dmp

Filesize
3.5MB

Download
memory/1216-3-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/1216-1-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1216-2-0x0000000000080000-0x00000000003FE000-memory.dmp

Filesize
3.5MB

Download
memory/1216-67-0x0000000000080000-0x00000000003FE000-memory.dmp

Filesize
3.5MB

Download
memory/1232-52-0x0000024A73080000-0x0000024A73090000-memory.dmp

Filesize
64KB

Download
memory/1232-51-0x0000024A73080000-0x0000024A73090000-memory.dmp

Filesize
64KB

Download
memory/1232-50-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/1360-233-0x0000028843710000-0x0000028843720000-memory.dmp

Filesize
64KB

Download
memory/1360-232-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/1544-228-0x000002CA765D0000-0x000002CA765E0000-memory.dmp

Filesize
64KB

Download
memory/1544-227-0x000002CA765D0000-0x000002CA765E0000-memory.dmp

Filesize
64KB

Download
memory/1760-175-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/1760-204-0x0000020A3EF50000-0x0000020A3EF60000-memory.dmp

Filesize
64KB

Download
memory/1760-176-0x0000020A3EF50000-0x0000020A3EF60000-memory.dmp

Filesize
64KB

Download
memory/1760-208-0x0000020A3EF50000-0x0000020A3EF60000-memory.dmp

Filesize
64KB

Download
memory/2036-47-0x00000276C1B50000-0x00000276C1B60000-memory.dmp

Filesize
64KB

Download
memory/2036-62-0x00000276DA040000-0x00000276DA062000-memory.dmp

Filesize
136KB

Download
memory/2036-44-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/2036-46-0x00000276C1B50000-0x00000276C1B60000-memory.dmp

Filesize
64KB

Download
memory/2036-205-0x00000276C1B50000-0x00000276C1B60000-memory.dmp

Filesize
64KB

Download
memory/2236-519-0x000000001D170000-0x000000001D319000-memory.dmp

Filesize
1.7MB

Download
memory/2656-154-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/2656-196-0x000000001B170000-0x000000001B180000-memory.dmp

Filesize
64KB

Download
memory/2740-203-0x0000022FB5CA0000-0x0000022FB5CB0000-memory.dmp

Filesize
64KB

Download
memory/2740-207-0x0000022FB5CA0000-0x0000022FB5CB0000-memory.dmp

Filesize
64KB

Download
memory/2740-178-0x0000022FB5CA0000-0x0000022FB5CB0000-memory.dmp

Filesize
64KB

Download
memory/2740-177-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/2920-186-0x000002756D3A0000-0x000002756D3B0000-memory.dmp

Filesize
64KB

Download
memory/2920-185-0x000002756D3A0000-0x000002756D3B0000-memory.dmp

Filesize
64KB

Download
memory/2920-183-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/3888-174-0x00000240EB150000-0x00000240EB160000-memory.dmp

Filesize
64KB

Download
memory/3888-164-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/3888-206-0x00000240EB150000-0x00000240EB160000-memory.dmp

Filesize
64KB

Download
memory/4544-34-0x000000001BD70000-0x000000001BDC0000-memory.dmp

Filesize
320KB

Download
memory/4544-33-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4544-32-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/4544-48-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/4544-31-0x0000000000A20000-0x0000000000BA0000-memory.dmp

Filesize
1.5MB

Download
memory/4672-189-0x000002A1C5EA0000-0x000002A1C5EB0000-memory.dmp

Filesize
64KB

Download
memory/4672-195-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/4672-202-0x000002A1C5EA0000-0x000002A1C5EB0000-memory.dmp

Filesize
64KB

Download
memory/4860-181-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/4860-182-0x0000025BF9B10000-0x0000025BF9B20000-memory.dmp

Filesize
64KB

Download
memory/4860-184-0x0000025BF9B10000-0x0000025BF9B20000-memory.dmp

Filesize
64KB

Download
memory/4920-153-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/4920-212-0x000001DA00130000-0x000001DA00140000-memory.dmp

Filesize
64KB

Download
memory/4920-191-0x000001DA00130000-0x000001DA00140000-memory.dmp

Filesize
64KB

Download
memory/4980-64-0x0000017DD4610000-0x0000017DD4620000-memory.dmp

Filesize
64KB

Download
memory/4980-66-0x0000017DD4610000-0x0000017DD4620000-memory.dmp

Filesize
64KB

Download
memory/4980-192-0x00007FFD81850000-0x00007FFD82311000-memory.dmp

Filesize
10.8MB

Download
memory/4980-211-0x0000017DD4610000-0x0000017DD4620000-memory.dmp

Filesize
64KB

Download
memory/4980-200-0x0000017DD4610000-0x0000017DD4620000-memory.dmp

Filesize
64KB

Download