Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    19-12-2024 06:20

General

  • Target

    8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe

  • Size

    4.9MB

  • MD5

    bfb301610f83af1d4383ee8816d436c0

  • SHA1

    843d1c6fcb394dd8c1d66352fb4d188440604d9d

  • SHA256

    8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2

  • SHA512

    dd736c99af88d44e86d09fc43a42feadce506c37633ff531fe19bc2a402f3eaa4a1f5cdb22bc9858a73b7f711382df174cc6c42a16924d0baa251bcdb427b6e6

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H1xDWFpPgM.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2768
        • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
          "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1436
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33a3f094-8cfc-4d80-84ec-bc4e955b9f26.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
              "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1068
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca940d7-d2c8-48d6-ab5e-2332bde7eaa8.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1064
                • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                  "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2724
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9e4da4d-c3ed-48d7-9123-475e1148d2cd.vbs"
                    8⤵
                      PID:832
                      • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                        "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2500
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae690de-b2c9-4ded-9219-e43552c0c551.vbs"
                          10⤵
                            PID:2848
                            • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                              "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2044
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\631786d4-7a45-46ed-9a06-b3b354d5dfd7.vbs"
                                12⤵
                                  PID:1288
                                  • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                                    "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2324
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c9ea6f4-1175-493f-bae7-c4cb53535351.vbs"
                                      14⤵
                                        PID:2760
                                        • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                                          "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2872
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06db582b-2ffd-4de5-8460-3b9d11746644.vbs"
                                            16⤵
                                              PID:1204
                                              • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                                                "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1724
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c714bfb3-8b7e-475c-9b92-6ab611bec6e9.vbs"
                                                  18⤵
                                                    PID:2296
                                                    • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                                                      "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2464
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\777d416a-296e-4f19-92b4-6d7f329d886e.vbs"
                                                        20⤵
                                                          PID:920
                                                          • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                                                            "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:1104
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30d0444a-5751-41c8-9534-4d0d9d21e13d.vbs"
                                                              22⤵
                                                                PID:2420
                                                                • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe
                                                                  "C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe"
                                                                  23⤵
                                                                  • Executes dropped EXE
                                                                  PID:1432
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28481d43-24ac-461c-b451-5513e2c0c399.vbs"
                                                                22⤵
                                                                  PID:3040
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b84c42-fdad-433e-9757-9846a0619617.vbs"
                                                              20⤵
                                                                PID:1232
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8e71716-f8d3-40e1-a835-bac904e7999c.vbs"
                                                            18⤵
                                                              PID:2020
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051583a4-5d67-4619-8273-cae5594bb4f5.vbs"
                                                          16⤵
                                                            PID:2040
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47eda0a3-062f-4d5f-a070-2a3137c65789.vbs"
                                                        14⤵
                                                          PID:444
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f711c9-0a0f-44b8-b949-71f6f7404d88.vbs"
                                                      12⤵
                                                        PID:1000
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35f5e290-795a-4187-8ec8-11c5c287c68a.vbs"
                                                    10⤵
                                                      PID:1636
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c22bf86-ac73-4b4a-8ea7-5bda142e9d89.vbs"
                                                  8⤵
                                                    PID:2880
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f633b09c-40f2-4c44-aea9-67f31127f094.vbs"
                                                6⤵
                                                  PID:2784
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c108fb07-23c4-44d2-acde-33a2248931f9.vbs"
                                              4⤵
                                                PID:2248
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N" /sc ONLOGON /tr "'C:\Users\All Users\Templates\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2828
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2664
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2648
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2884
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2840
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2528
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2580
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1100
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3000
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3008
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:328
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2760
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\temp\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1152
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\assembly\temp\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1876
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\temp\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1132
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2632
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N8" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1120
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3016
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1956
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2384
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2140
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2156
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:832
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2100
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2208
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2708
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2768
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1600
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1980
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:896
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2088
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1400
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1524

                                        Downloads

                                        • C:\Program Files\Windows Journal\es-ES\8d83e5b4ac12f481def08e0364e37dbd9050e30cfc4c8845193c305e63f0f7e2N.exe

                                          Filesize

                                          4.9MB

                                        • C:\Program Files\Windows Portable Devices\sppsvc.exe

                                          Filesize

                                          4.9MB

                                        • C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\RCX519.tmp

                                          Filesize

                                          4.9MB

                                        • C:\Users\Admin\AppData\Local\Temp\06db582b-2ffd-4de5-8460-3b9d11746644.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\2c9ea6f4-1175-493f-bae7-c4cb53535351.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\30d0444a-5751-41c8-9534-4d0d9d21e13d.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\33a3f094-8cfc-4d80-84ec-bc4e955b9f26.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\631786d4-7a45-46ed-9a06-b3b354d5dfd7.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\777d416a-296e-4f19-92b4-6d7f329d886e.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\9ca940d7-d2c8-48d6-ab5e-2332bde7eaa8.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\H1xDWFpPgM.bat

                                          Filesize

                                          273B

                                        • C:\Users\Admin\AppData\Local\Temp\b9e4da4d-c3ed-48d7-9123-475e1148d2cd.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\c108fb07-23c4-44d2-acde-33a2248931f9.vbs

                                          Filesize

                                          560B

                                        • C:\Users\Admin\AppData\Local\Temp\c714bfb3-8b7e-475c-9b92-6ab611bec6e9.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\eae690de-b2c9-4ded-9219-e43552c0c551.vbs

                                          Filesize

                                          784B

                                        • C:\Users\Admin\AppData\Local\Temp\tmp3F32.tmp.exe

                                          Filesize

                                          75KB

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB
