Analysis

  • max time kernel
    130s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15-05-2024 05:14

General

  • Target

    86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe

  • Size

    2.7MB

  • MD5

    86ef16b6eb613bff73f73a75b7236310

  • SHA1

    3de6bea5685131148fb7ef9b07c6dcce2d643929

  • SHA256

    ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9

  • SHA512

    9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94

  • SSDEEP

    49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 16 IoCs
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 32 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3568
        • C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe
          "C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:4848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3916

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe

      Filesize

      2.7MB

      MD5

      ebe817f87b24a99851c6f46a7894be98

      SHA1

      59dc201ee89301aeb73b7c79371797eb72dd7b73

      SHA256

      b2357320db336178a732f49634f6a18737ea80457556c2bad4342878babaa988

      SHA512

      3b3d44c157d78bb545ff6365c4ce8ea7c32ff131aeffa7fb15089a8244cad4b343844f982ed2ba72ec51edf67309d5193f6c9768f9b39379edfb64521ac332ca

    • C:\Program Files\Uninstall Information\lsass.exe

      Filesize

      2.7MB

      MD5

      86ef16b6eb613bff73f73a75b7236310

      SHA1

      3de6bea5685131148fb7ef9b07c6dcce2d643929

      SHA256

      ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9

      SHA512

      9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94

    • C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe

      Filesize

      2.7MB

      MD5

      2b73a6c5cf947899032706265c447e0d

      SHA1

      c0782f51c7951c4512dab56173b5a83de88bf688

      SHA256

      b3bf4f0ab0b416c9981d4598efb5e935380d7ac0a5e925447510011e201d6bb6

      SHA512

      00cf94d6035f30e6b7d683bfb037ad81eac73db50204358b75609d00f3025dd6fd77608452f6ce469570f9a7de30b7bec8d87ff1c5ddc16c8c25c04fab2428ff

    • C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp

      Filesize

      2.7MB

      MD5

      395cdc96dbd8bec939c886d1052a2b4d

      SHA1

      ce9bbc64046293cdce0a51bdeac4144caba1c6cf

      SHA256

      726e46088cb7390f9893f907bb1acfd430edd61dbe95e7aaad8b4a0bf791388b

      SHA512

      0bd939b43830c9022347390bb753b8211211b8b285554cc54c3b233c268561883d16c2682739156e9a962ef30e51fc884206d5304229a73435acabb1f5083f7e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vttkiig.fly.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat

      Filesize

      229B

      MD5

      bd7af1b95ec039343adeda82c320079b

      SHA1

      1c4a092a0e5eb8f780671db9cece3411678ce4fe

      SHA256

      11efaaebc5d7eca2d0062c6eca96458b142a1e00bc82198b8a564d90f7f22aeb

      SHA512

      911b6e615edb60569b95237d8ec16064118789a431d23e2b7a58cd0e63952f1479478efbcd3f359c510e0d4b227bdbbe0362062370f0838ffc8cea091dcf9b7e

    • C:\Windows\debug\RuntimeBroker.exe

      Filesize

      2.7MB

      MD5

      2df515d11745c82c609702cc146c38b0

      SHA1

      b30976043bb09cdf7fa7f097358704babd68afae

      SHA256

      5528a5b6f8b86239dcf8a5e66f7e5ef2c8aa0eeb8321f670a603f1c0ad606b15

      SHA512

      b7c46c57f327cf3c05387843c5c4f48d06b3de1ab188dae2624935a81730bbd049a5be3b14917dd7a3919726c5a06fdbd102c716227549b7290f92567bde24cd
