Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2023, 01:01

General

  • Target

    0924b9eca922c9227c4f426be5174bae.exe

  • Size

    4.8MB

  • MD5

    0924b9eca922c9227c4f426be5174bae

  • SHA1

    8d2abdecd0fc744ee836d75ad5c3b52585d8041f

  • SHA256

    e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8

  • SHA512

    47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2

  • SSDEEP

    49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/

Malware Config

Signatures

  • DcRat 53 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 26 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 13 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe
    "C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\driversessioncrt\winRefMonitor.exe
          "C:\driversessioncrt\winRefMonitor.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4064
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4dawC7zntr.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4580
              • C:\Windows\CbsTemp\sppsvc.exe
                "C:\Windows\CbsTemp\sppsvc.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3944
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c03230-0cda-40b9-a22a-7eb2ef881c70.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1376
                  • C:\Windows\CbsTemp\sppsvc.exe
                    C:\Windows\CbsTemp\sppsvc.exe
                    8⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:1884
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6255feca-8eea-48fe-9e78-c46733273804.vbs"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:812
                      • C:\Windows\CbsTemp\sppsvc.exe
                        C:\Windows\CbsTemp\sppsvc.exe
                        10⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:3176
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d82c474-4950-4bb2-b272-cc4be1f5bfd0.vbs"
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3592
                          • C:\Windows\CbsTemp\sppsvc.exe
                            C:\Windows\CbsTemp\sppsvc.exe
                            12⤵
                            • UAC bypass
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:4432
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1d2063-8252-4ead-8920-eaad7f8e1802.vbs"
                              13⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4160
                              • C:\Windows\CbsTemp\sppsvc.exe
                                C:\Windows\CbsTemp\sppsvc.exe
                                14⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                • System policy modification
                                PID:1716
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fda44d9-cde8-45a2-bd63-2adb96f3b438.vbs"
                                  15⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2852
                                  • C:\Windows\CbsTemp\sppsvc.exe
                                    C:\Windows\CbsTemp\sppsvc.exe
                                    16⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    • System policy modification
                                    PID:4676
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\647596ca-851c-4574-a46d-4443b39e168e.vbs"
                                      17⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1384
                                      • C:\Windows\CbsTemp\sppsvc.exe
                                        C:\Windows\CbsTemp\sppsvc.exe
                                        18⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        • System policy modification
                                        PID:532
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fac16e73-ff57-44f5-9727-f60b606e5f90.vbs"
                                          19⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4852
                                          • C:\Windows\CbsTemp\sppsvc.exe
                                            C:\Windows\CbsTemp\sppsvc.exe
                                            20⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            • System policy modification
                                            PID:740
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b703ae-ae96-4a51-9cd5-ad50b596d704.vbs"
                                              21⤵
                                                PID:3012
                                                • C:\Windows\CbsTemp\sppsvc.exe
                                                  C:\Windows\CbsTemp\sppsvc.exe
                                                  22⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:3520
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16dac168-a431-4c4f-b6a2-8ee789555481.vbs"
                                                    23⤵
                                                      PID:4256
                                                      • C:\Windows\CbsTemp\sppsvc.exe
                                                        C:\Windows\CbsTemp\sppsvc.exe
                                                        24⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:1548
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a272f8a2-f8fa-4713-8e62-1a5a30d51efc.vbs"
                                                          25⤵
                                                            PID:4644
                                                            • C:\Windows\CbsTemp\sppsvc.exe
                                                              C:\Windows\CbsTemp\sppsvc.exe
                                                              26⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1760
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5c137ff-c275-4a22-89aa-44938c686f1a.vbs"
                                                                27⤵
                                                                  PID:2760
                                                                  • C:\Windows\CbsTemp\sppsvc.exe
                                                                    C:\Windows\CbsTemp\sppsvc.exe
                                                                    28⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:964
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0174bee6-d263-4e4f-93af-522f35c4b8fc.vbs"
                                                                  27⤵
                                                                    PID:2000
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\620f32a2-4845-4af9-b69a-1e3027b0a8c0.vbs"
                                                                25⤵
                                                                  PID:3900
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64905966-98d5-4adb-8756-374607d03e5f.vbs"
                                                              23⤵
                                                                PID:2244
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a55438d-bcc8-4712-9c67-735eac7b212d.vbs"
                                                            21⤵
                                                              PID:4240
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d82b782-fe67-48fc-8ec6-01bb1840bd9b.vbs"
                                                          19⤵
                                                            PID:4052
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3a2a3b-4646-4bf7-a541-1f79980fddc3.vbs"
                                                        17⤵
                                                          PID:3704
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b888ed-d9a6-459d-ac45-6d9713b76875.vbs"
                                                      15⤵
                                                        PID:4492
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\073f376f-ded4-40b9-b7fe-d46f112e1884.vbs"
                                                    13⤵
                                                      PID:3396
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0adcba0-2998-4cc3-a212-0e965ded242c.vbs"
                                                  11⤵
                                                    PID:4976
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs"
                                                9⤵
                                                  PID:5064
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34bd29d7-a25c-4cd3-9463-8b98a96b2958.vbs"
                                              7⤵
                                                PID:4564
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                          4⤵
                                          • Modifies registry key
                                          PID:4540
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"
                                      2⤵
                                        PID:1820
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4716
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4804
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1740
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1636
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3560
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2384
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4580
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:976
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3492
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3952
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2044
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4312
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\winlogon.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3864
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4612
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2532
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3892
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3816
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2660
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4676
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1700
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3012
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4976
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2984
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1316
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4588
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4912
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4544
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1172
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4224
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:964
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3852
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4468
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3240
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1820
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4452
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3160
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:5108
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4864
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2092
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2760
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3444
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4876
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\cmd.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1360
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1436
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3356
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4216
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:740
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1932
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1736
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4076
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:4472

                                    Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Recovery\WindowsRE\System.exe

                                            Filesize

                                            3.4MB

                                            MD5

                                            20ec8d347f674ebadc53399ef6aa49cb

                                            SHA1

                                            f418d228eb276f216b4986b55b2c762d11991a31

                                            SHA256

                                            9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                            SHA512

                                            e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            49b64127208271d8f797256057d0b006

                                            SHA1

                                            b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                                            SHA256

                                            2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                                            SHA512

                                            f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                                          • C:\Users\Admin\AppData\Local\Temp\0174bee6-d263-4e4f-93af-522f35c4b8fc.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\073f376f-ded4-40b9-b7fe-d46f112e1884.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\0d1d2063-8252-4ead-8920-eaad7f8e1802.vbs

                                            Filesize

                                            705B

                                            MD5

                                            efaa724b56bc41736f4d8a924ecbf4ae

                                            SHA1

                                            f26f602ace9fba99400a83248a0dacc54ca48405

                                            SHA256

                                            3373f944abf5b7d677c519d43fe8a5c569d9108625ed4d59caecd01c1e175024

                                            SHA512

                                            b37e705c5ebd9a268404fab6d8ab68681da438db6f7eca90a87029d54e06b5e840e10096c43ba6ca091971b47ee2e9df6521d3e4fd75f16b3a3f911356051ff3

                                          • C:\Users\Admin\AppData\Local\Temp\16dac168-a431-4c4f-b6a2-8ee789555481.vbs

                                            Filesize

                                            705B

                                            MD5

                                            f0c39e58d1c922d42f5e6d6995a549e9

                                            SHA1

                                            b5b2ddc8250238891fbca778114efa273d77d79d

                                            SHA256

                                            c2ae7bbce1b936285eb02ae052c78c504c204dcddecebb0a48478e89155290e1

                                            SHA512

                                            db860f937adcdfae724e61a47b5705772f63b30dec2e6175c6e48ebd74a3d71f1bf2b1a8e99e2f65e608ff6ec1b41aa3da49581f688110ea750d3317aefe2d9d

                                          • C:\Users\Admin\AppData\Local\Temp\1d82c474-4950-4bb2-b272-cc4be1f5bfd0.vbs

                                            Filesize

                                            705B

                                            MD5

                                            226086e0b064c005fde1eeff83f159c6

                                            SHA1

                                            30c9c8b259fbcf65d12cbeaea5b452dad258b429

                                            SHA256

                                            f04132abf5325cd38a7ebb1f1d20cc0dae15ba680646dc27ea227955aab34295

                                            SHA512

                                            fd279aefc20bf6d3ff4ea0bccf3c178e324288ea15c8d183fb1703aecf6d5e04f7ff856f950c9c01972089cafa009d5ba5c550d774802818afd82c909149d8a0

                                          • C:\Users\Admin\AppData\Local\Temp\2d82b782-fe67-48fc-8ec6-01bb1840bd9b.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\34bd29d7-a25c-4cd3-9463-8b98a96b2958.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\49c03230-0cda-40b9-a22a-7eb2ef881c70.vbs

                                            Filesize

                                            705B

                                            MD5

                                            fd181e405acd701fa96881d4ce0bcc9e

                                            SHA1

                                            e072a5f5c607e68792e1c8654273604697cb8a2b

                                            SHA256

                                            7245e0da5f770c70306b0f59c71a317c4a592538a9568b208fac638c341646b0

                                            SHA512

                                            d9effdba34777efbeeab43d1eff646f1e6709a9e975f6ec59cabad2997555123032fc172a7c2f668f4ec69372971ee2006084292237b6188925973b05cf40da7

                                          • C:\Users\Admin\AppData\Local\Temp\4dawC7zntr.bat

                                            Filesize

                                            194B

                                            MD5

                                            bf703388a4b39ef8a948394b8775f6e3

                                            SHA1

                                            d240f2900c87b932d6db7889164248df288902c3

                                            SHA256

                                            a494b811cd994efdb6471818578373fa96246bcc2e0dcde0abbe6df7a64dcdd2

                                            SHA512

                                            0716772857217ff92dd35c5bfd648f70a7d1483ef95a6aeb1f1bb66e5102fe0b68eb1cac65ba8d5bf690bdb5177d45d3d68d0614c6ba160adc2bff6b7eb9f8d8

                                          • C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

                                            Filesize

                                            3.4MB

                                            MD5

                                            20ec8d347f674ebadc53399ef6aa49cb

                                            SHA1

                                            f418d228eb276f216b4986b55b2c762d11991a31

                                            SHA256

                                            9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                            SHA512

                                            e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                          • C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

                                            Filesize

                                            3.4MB

                                            MD5

                                            20ec8d347f674ebadc53399ef6aa49cb

                                            SHA1

                                            f418d228eb276f216b4986b55b2c762d11991a31

                                            SHA256

                                            9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                            SHA512

                                            e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                          • C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

                                            Filesize

                                            3.4MB

                                            MD5

                                            20ec8d347f674ebadc53399ef6aa49cb

                                            SHA1

                                            f418d228eb276f216b4986b55b2c762d11991a31

                                            SHA256

                                            9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                            SHA512

                                            e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                          • C:\Users\Admin\AppData\Local\Temp\55b888ed-d9a6-459d-ac45-6d9713b76875.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\59b703ae-ae96-4a51-9cd5-ad50b596d704.vbs

                                            Filesize

                                            704B

                                            MD5

                                            7e02b28556e955178620a4920de922eb

                                            SHA1

                                            431bfedf4ee084592410826a1c1353e9b505a8a6

                                            SHA256

                                            d43954359edb407d78127fef7fdfe2ec87fd0f48c6444176d9475e3ae377eaf6

                                            SHA512

                                            dc8dc444df3ca6f1428714f5213501392fbd4c2fbd6e7a55dd640009e5083ac627dd9c442c5668ada06c5cc90bc36858818e20c80188b74142b133525e826ce5

                                          • C:\Users\Admin\AppData\Local\Temp\620f32a2-4845-4af9-b69a-1e3027b0a8c0.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\6255feca-8eea-48fe-9e78-c46733273804.vbs

                                            Filesize

                                            705B

                                            MD5

                                            836eb0eb0627d4ace3c50c48098e08b5

                                            SHA1

                                            b5db99c9b166b354f84f5919b130c088f3e595b5

                                            SHA256

                                            6eba10f0c75e6c7854f60d3bbaa7f5645cccdb15aff0d47432fccb7760ee6259

                                            SHA512

                                            fb72a7f53bf18738f84c13e852f656a60fc2853a565640786d0402438c2b69fd975f3a3d772265eb3a14fc16f3b5d1a3e3f28bd8d8ee782349d26b79eacd293a

                                          • C:\Users\Admin\AppData\Local\Temp\647596ca-851c-4574-a46d-4443b39e168e.vbs

                                            Filesize

                                            705B

                                            MD5

                                            7bdb6ec84b384161ad22b02b62815228

                                            SHA1

                                            2c191a2bf0238a9ff3a651997952895118da6c61

                                            SHA256

                                            085b24de0e5ba69c59489b8e4af9db6c01d1ad3e3238b74df141f403d8551593

                                            SHA512

                                            9b9bdec3627b206e968292555a6fbbfe5431861cefc4efc85c93afc0dc6286beb61210b31e4909f5af9162599972c35175bff5f5686ca8a53be8d70c3acbdbcc

                                          • C:\Users\Admin\AppData\Local\Temp\64905966-98d5-4adb-8756-374607d03e5f.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\7a55438d-bcc8-4712-9c67-735eac7b212d.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\7fda44d9-cde8-45a2-bd63-2adb96f3b438.vbs

                                            Filesize

                                            705B

                                            MD5

                                            1bdc160398e3e6b1a1d4ebe9d8967fc8

                                            SHA1

                                            aaff089f4474d168ee17cfe6416920237706f8ef

                                            SHA256

                                            d32c8b9cb646f52095b5a15cf6852e682aee2a4aa48a490b1d9144e1f1e480d0

                                            SHA512

                                            e461847bcc048f9c1a35785c12bd916652760444b1fad76c8d3e63fac734100af803e461743fb6f0f7ad271f2f22350e8ae469960594d499aaafabf842f59160

                                          • C:\Users\Admin\AppData\Local\Temp\9f3a2a3b-4646-4bf7-a541-1f79980fddc3.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\a0adcba0-2998-4cc3-a212-0e965ded242c.vbs

                                            Filesize

                                            481B

                                            MD5

                                            75fe9a54cb7e3a10162044b51a648ea4

                                            SHA1

                                            1ee335a8b62888134098c978796e9b04f154c98f

                                            SHA256

                                            54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44

                                            SHA512

                                            581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

                                          • C:\Users\Admin\AppData\Local\Temp\a272f8a2-f8fa-4713-8e62-1a5a30d51efc.vbs

                                            Filesize

                                            705B

                                            MD5

                                            553136ac84406057d285bf24e7c3716b

                                            SHA1

                                            d4348d5677b4991b010e83440e3035f558656bbf

                                            SHA256

                                            aac2345cbd6bd428ffddfeb07550b1f897c38f8874a2f4616b442c49adceac3b

                                            SHA512

                                            4f366a4cb692a765bb1bc0c3809f5016353db9f72fd1375034ada166f4329dd0da17b38ea5efbd20e9eb66e5231ea8ecb981a3bf427ca4912129870f1ab4b790

                                          • C:\Users\Admin\AppData\Local\Temp\f5c137ff-c275-4a22-89aa-44938c686f1a.vbs

                                            Filesize

                                            705B

                                            MD5

                                            7514c53493f24b8bd438620d805807d1

                                            SHA1

                                            45b267248f0da0e873fd8aa30f487dc31e22b757

                                            SHA256

                                            b57ce882ca1069f7e0b95960f197b2483fda794b5d13aceeeb6d0fb75846b893

                                            SHA512

                                            6131a050b704b1cf1b1d11ce57b7aa033513d87e20a7fa7d2950a6e371dc2284bed1c745f39585d59af7a06c3c3010b43df385b63d35cd847d767ef029dea881

                                          • C:\Users\Admin\AppData\Local\Temp\fac16e73-ff57-44f5-9727-f60b606e5f90.vbs

                                            Filesize

                                            704B

                                            MD5

                                            85e9d47282a9082a6efa7b600fce6995

                                            SHA1

                                            88995d07d4ade929030c712aa95ff58f11e5b051

                                            SHA256

                                            c2be94438c2270a44c0f75bb5ae3647532fbc3743982b635303b39a277058a27

                                            SHA512

                                            ee70a0f6664bade0fb498ab72d2edb89c20dd00a373ac824ac2d19a8285d754d9da008b9f6ea6b16fb1ec1c93d28c47630e49da2dfc1f8fa4b48b963e28cf808

                                          • C:\Windows\CbsTemp\sppsvc.exe

                                            Filesize

                                            3.4MB

                                            MD5

                                            20ec8d347f674ebadc53399ef6aa49cb

                                            SHA1

                                            f418d228eb276f216b4986b55b2c762d11991a31

                                            SHA256

                                            9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                            SHA512

                                            e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                                          • C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat

                                            Filesize

                                            151B

                                            MD5

                                            40a5023d150998b4ba256dd94ea31230

                                            SHA1

                                            36702bfd3e71b3495e61ea589003bb856b959aca

                                            SHA256

                                            e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc

                                            SHA512

                                            6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15

                                          • C:\driversessioncrt\file.vbs

                                            Filesize

                                            34B

                                            MD5

                                            677cc4360477c72cb0ce00406a949c61

                                            SHA1

                                            b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

                                            SHA256

                                            f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

                                            SHA512

                                            7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

                                          • C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe

                                            Filesize

                                            223B

                                            MD5

                                            d7664d494b1b6e05334ada9accc57d06

                                            SHA1

                                            2cc50d284a600e30287fdef5efe56a586199eb28

                                            SHA256

                                            531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6

                                            SHA512

                                            7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6

                                          • C:\driversessioncrt\winRefMonitor.exe

                                            Filesize

                                            3.4MB

                                            MD5

                                            20ec8d347f674ebadc53399ef6aa49cb

                                            SHA1

                                            f418d228eb276f216b4986b55b2c762d11991a31

                                            SHA256

                                            9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                                            SHA512

                                            e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
