Analysis

  • max time kernel
    146s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 21:06

General

  • Target

    JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe

  • Size

    1.3MB

  • MD5

    596fa7efb6978c8cb9463f1b9f362284

  • SHA1

    2fdac4fb18abdb83cd16c1a6d4cf7d48050e5003

  • SHA256

    afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2

  • SHA512

    68dffb7d32b027cd142dcdd88bd973fbb3b4fb5759e6faf2a72f6072da1a710da4874a0e0e6ca6facab3cdbbffa30aa10e2da4291cfe4ae1097021f0f651c567

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\fr-FR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
            "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2336
                • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                  "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2144
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
                    8⤵
                      PID:1244
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:1644
                        • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                          "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:444
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
                            10⤵
                              PID:2424
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1252
                                • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                  "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1964
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
                                    12⤵
                                      PID:2328
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2964
                                        • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                          "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2160
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
                                            14⤵
                                              PID:2280
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1368
                                                • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                                  "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:996
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
                                                    16⤵
                                                      PID:2660
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:608
                                                        • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                                          "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2620
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
                                                            18⤵
                                                              PID:1800
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1432
                                                                • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                                                  "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2640
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
                                                                    20⤵
                                                                      PID:1864
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2780
                                                                        • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                                                          "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1860
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
                                                                            22⤵
                                                                              PID:1588
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2108
                                                                                • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                                                                  "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3036
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
                                                                                    24⤵
                                                                                      PID:984
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1304
                                                                                        • C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
                                                                                          "C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3004
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1224
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2944
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2748
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1424
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2604
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2656
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2304
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2152
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:576
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1084
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2952
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2956
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1184
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1136
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:580
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2896
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1920
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2024
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1144
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\fr-FR\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2156
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2180
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1044
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2292
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2204
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2188
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:404
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1120
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:540
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:276
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2504
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1352
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:664

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                        • C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\CabDC2E.tmp

                                          Filesize

                                          70KB

                                        • C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\TarDC40.tmp

                                          Filesize

                                          181KB

                                        • C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

                                          Filesize

                                          222B

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB
