Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win10-20220901-en locale:en-us os:windows10-1703-x64 system
  • submitted
    01/11/2022, 10:41

General

  • Target

    d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe

  • Size

    1.3MB

  • MD5

    e771c53580a9f12333d603b3ace37be6

  • SHA1

    5f335fdc79b16d13c88644f25f35c935c1f54b02

  • SHA256

    d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a

  • SHA512

    300d871db0388faeef7e0cf69c81e1b71a34c161e8d76acc8d456e5e6d1a40eece56d918f37cb896c060c6543e726d583c151a12ae281304e641339e123ab426

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 15 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 12 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe
    "C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4204
          • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5440
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:5668
                • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                  "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                  7⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:6132
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5148
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:5204
                      • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                        "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                        9⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:5220
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:5344
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:5448
                            • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                              "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                              11⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:5460
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
                                12⤵
                                  PID:5284
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:5596
                                    • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                      "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      PID:5608
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
                                        14⤵
                                          PID:5820
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:5424
                                            • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                              "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              PID:5916
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
                                                16⤵
                                                  PID:3068
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:4764
                                                    • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                                      "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:220
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
                                                        18⤵
                                                          PID:3816
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:4440
                                                            • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                                              "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              PID:5680
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
                                                                20⤵
                                                                  PID:5100
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:3540
                                                                    • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                                                      "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      PID:4556
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
                                                                        22⤵
                                                                          PID:4736
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:4236
                                                                            • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                                                              "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:4776
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
                                                                                24⤵
                                                                                  PID:4004
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:5736
                                                                                    • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
                                                                                      "C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:4704
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
                                                                                        26⤵
                                                                                          PID:4888
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:2804
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4832
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:416
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:376
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:620
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:780
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:928
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4852
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1668
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1804
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1248
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1108
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1712
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1896
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:5032
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2504
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2452
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1340
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3556
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1428
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:244
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:36
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3328
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:224
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1496
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4516
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2168
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3132
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:732
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2268
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1660
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4120
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:5076
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:5084
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2140
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2588

                                        Network

                                              MITRE ATT&CK Enterprise v6

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                Filesize

                                                3KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

                                                Filesize

                                                216B

                                              • C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

                                                Filesize

                                                216B

                                              • C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

                                                Filesize

                                                216B

                                              • C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

                                                Filesize

                                                216B

                                              • C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

                                                Filesize

                                                216B

                                                MD5

                                                4de341373f31eacae325ac46ace20fb0

                                                SHA1

                                                64336ad918fa2e00500d14f8074eef4bc3e1d6a9

                                                SHA256

                                                69036e54d61b80510a59aa84823efcb15faa94a25b9840a3336e549cd44167ef

                                                SHA512

                                                027a27e1f567f28df045b643aacd8f444e93423527294fcc633e1e9b75c4b298145188ea166b4379afb1c6aa27c212f1492a931c88b64adfaaae57f564554eaa

                                              • C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

                                                Filesize

                                                216B

                                                MD5

                                                989fd95c6c29ee3d58d6004ce1d8bdc4

                                                SHA1

                                                560990b58082ca5506d6b86cb12e091d81b819a9

                                                SHA256

                                                1215d04cdce43b980f3da80d70689ea148b9e31fa2cddabb0b07222d3f3a47b6

                                                SHA512

                                                1b59a09992b3e8c8588afe273100725b60c8bbbf99d7046fea4bb958e6b3a520cf90f5415c7f98f5cdd6369e9c8b9211290e40d5921b353ffeec6164e2f50533

                                              • C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

                                                Filesize

                                                216B

                                                MD5

                                                76ab68a8972cbbe844302bf8806de464

                                                SHA1

                                                d1913e1d71b1965c68b04cffe8818af7e3f8b07d

                                                SHA256

                                                43b175c63e7a89c77323de0cb7d99a4496514bbe768b79db963e3a426c01e9bd

                                                SHA512

                                                673b108b24e8912832385a86eece9b2fe8044ada1c41b693ad456309c79ef96b98d71be114e1977f1fe943a8e2dee31b05e897a23a6205d138081f6b6f954212

                                              • C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

                                                Filesize

                                                216B

                                                MD5

                                                539940dcbc1dfb2a93f8dcb00a6c9abe

                                                SHA1

                                                8afafddc7ca0fccc1960ad2fc399c6cb0da34d07

                                                SHA256

                                                8248d904521bfa884e595fc0dcdf2d5fd90e3f48457e54adad700ccd82ca0577

                                                SHA512

                                                e6f69d2af2485489c9192c2ba843c745bb37c1fc4e95ba6a6aec2eca699aa37ca64da955ce3497769aa69a08242977db50a35edefe232ee922ebc2e6da468de0

                                              • C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

                                                Filesize

                                                216B

                                                MD5

                                                72b6f50c384447697b7eb99e69f48cb6

                                                SHA1

                                                723a06f2b29e630b5498a2eeb9833e1fc09e9b01

                                                SHA256

                                                31ca9bf092f06a1a3e5b9322076f21cbf896977a8080864363e11d268c6e773a

                                                SHA512

                                                66da06c93caac94fe7319f70a1fd783f1c43bb1d978cd329c616a638ecfd8035586cc1d3f1ec2150d8ec20277dacb4b940298a68b304a84bbeec7acdc314df68

                                              • C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

                                                Filesize

                                                216B

                                                MD5

                                                b1bfd3abafebdf2307c19462ecd2f37d

                                                SHA1

                                                40f92e29aabce2a465d18f3e967f60102816e3cb

                                                SHA256

                                                6d0176370e886f7b2a61f00884dffcace089b098eb8309e9f4c0104e24611f90

                                                SHA512

                                                bdc5f0a0d3320ff1bbe98e66949f85fb36bd4e80ba64785924b9ebfc209df6146b1249a80f2a0881573262807bfce0e5006e0769d2e27145d8b174d5819854bc

                                              • C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

                                                Filesize

                                                216B

                                                MD5

                                                d409a80e87c162cbc3611d24b84685d4

                                                SHA1

                                                abac0c1c107a089131a47a63b14a6727f274becb

                                                SHA256

                                                ce2c9b8c85bd2c75d2f3fce97ffc519584299988bcd55dfb648732ae53913c30

                                                SHA512

                                                9db49e75a291b9732164c2fadfe1d5500aca95a02eafb297c1e4c6056c80fffffba892f174cc6f244a1a98f0aeedac7cce545b0ea087cff985e7386b8670c717

                                              • C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • memory/220-925-0x0000000002380000-0x0000000002392000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/376-385-0x00000000015A0000-0x00000000015B2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1460-144-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-146-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-145-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-168-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-143-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-142-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-141-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/1460-140-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/2248-373-0x0000028DB7EB0000-0x0000028DB7ED2000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/3104-290-0x0000000002B60000-0x0000000002B6C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3104-289-0x0000000002B50000-0x0000000002B5C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3104-288-0x0000000002B40000-0x0000000002B4C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/3104-287-0x0000000002B30000-0x0000000002B42000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/3104-286-0x00000000008D0000-0x00000000009E0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/4512-186-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4512-185-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4556-937-0x0000000000F10000-0x0000000000F22000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/4704-949-0x0000000002840000-0x0000000002852000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/4776-943-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/4796-382-0x000001D81D4B0000-0x000001D81D526000-memory.dmp

                                                Filesize

                                                472KB

                                              • memory/5460-909-0x00000000008D0000-0x00000000008E2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/5680-931-0x00000000011A0000-0x00000000011B2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/6132-898-0x00000000013E0000-0x00000000013F2000-memory.dmp

                                                Filesize

                                                72KB