Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 17:41

General

  • Target

    JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe

  • Size

    1.3MB

  • MD5

    8dcdf997cb48e2b4106d667557d8f819

  • SHA1

    a046ecc1acd78be06c690d4e39cde3342c17dd45

  • SHA256

    5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694

  • SHA512

    c89a0e0a872cbbf4cf3f9722f91d4b001df6953b610c31a2d324d2e26809afc4e82915ca0bb05fa5e0a98b2d940b9bfa64effc9ecec4f484bcc562bca68c7646

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
            "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1260
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1620
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2296
                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2884
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
                    8⤵
                      PID:1728
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2476
                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2356
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
                            10⤵
                              PID:2636
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2548
                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2324
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
                                    12⤵
                                      PID:1968
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2872
                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1276
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
                                            14⤵
                                              PID:2748
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2544
                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:320
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
                                                    16⤵
                                                      PID:1140
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2356
                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2732
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
                                                            18⤵
                                                              PID:1600
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2144
                                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1596
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
                                                                    20⤵
                                                                      PID:2140
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2168
                                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2400
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"
                                                                            22⤵
                                                                              PID:612
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:380
                                                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2876
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
                                                                                    24⤵
                                                                                      PID:2688
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2472
                                                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                                                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2760
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2348
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1744
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1968
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2620
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2788
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2884
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1488
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:664
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2000
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2004
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:352
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:308
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1528
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:568
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:580
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2648
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2792
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2072
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2772
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2172
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2196
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1628
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2252
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1704
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1244
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1960
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2208
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2104

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                              • C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\Cab37B5.tmp

                                                Filesize

                                                70KB

                                              • C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\Tar37C8.tmp

                                                Filesize

                                                181KB

                                              • C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

                                                Filesize

                                                238B

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                Filesize

                                                7KB

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                              • \providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB


                                                1.1MB

                                              • memory/2732-472-0x0000000000010000-0x0000000000120000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2760-711-0x0000000001390000-0x00000000014A0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2884-173-0x0000000000E70000-0x0000000000F80000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2968-60-0x0000000001F40000-0x0000000001F48000-memory.dmp

                                                Filesize

                                                32KB