Overview

overview

10

Static

static

10

97a5e51d92...dN.exe

windows7-x64

10

97a5e51d92...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    17-01-2025 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe

  • Size

    1.7MB

  • MD5

    ef0eaa6480733054309ffbbd02f057d0

  • SHA1

    43d3b54ecc3ad577e887b3ce30a94e7ed65d7281

  • SHA256

    97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366d

  • SHA512

    7e8c601bfcd6f37989e7ff196c83d1657c6f63d5a4cdc788035955c7f2d0d4e21ce93305245d9ba9d852dd9b436cbe16b39c79ce7a2546914f961a12f54fdd9f

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe
    "C:\Users\Admin\AppData\Local\Temp\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eiSKMyn5o9.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1788
        • C:\Users\Admin\AppData\Local\Temp\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe
          "C:\Users\Admin\AppData\Local\Temp\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Users\Public\Documents\My Pictures\WMIADAP.exe
            "C:\Users\Public\Documents\My Pictures\WMIADAP.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eca8d9ed-9827-4ec0-aa34-fa98a9a0d642.vbs"
              5⤵
                PID:984
                • C:\Users\Public\Documents\My Pictures\WMIADAP.exe
                  "C:\Users\Public\Documents\My Pictures\WMIADAP.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1744
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7a6e95d-76a0-4f2b-afb8-70fc5015a55e.vbs"
                5⤵
                  PID:664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\ro-RO\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\ro-RO\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\ro-RO\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN9" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:1268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN9" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN9" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN9" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1176
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:1560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1952
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\fr-FR\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:676
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2072
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:2644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN9" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:1748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:3012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN9" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\en-US\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:2372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
          1⤵
            PID:2756
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
            1⤵
              PID:1240
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\lsass.exe'" /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2264
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2076
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:856
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2992
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1528
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /f
              1⤵
                PID:1476
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2736
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2376
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2320
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /rl HIGHEST /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2720
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /rl HIGHEST /f
                1⤵
                  PID:2576
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'" /f
                  1⤵
                    PID:2192
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'" /rl HIGHEST /f
                    1⤵
                      PID:836
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'" /rl HIGHEST /f
                      1⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1124

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe
                      Filesize

                      1.7MB

                      MD5

                      ed6333f1a875dc80d209c783d1094ea3

                      SHA1

                      defce08d6dbbfbf664137ac63e42d4bd1af5903d

                      SHA256

                      b1dd580e18a7eba2c514a09272c94eecfa46b399d9eeba4d93c96db0366cb8a5

                      SHA512

                      7714361487b93e6e1c99cce6075df8087746d8bd01aa7bad2c1abe0fbdd1fb39843885b89f128746b6d676d3def9b117814df9beb6dc0a26d24990a51230f9a6

                      Download Submit

                    • C:\Program Files\Uninstall Information\smss.exe
                      Filesize

                      1.7MB

                      MD5

                      bb4614478560291e1b60155b7d85c5da

                      SHA1

                      628fff5dfb9ccd23eeda1e979a4915d5bccf2548

                      SHA256

                      cb451ac1f8f433296f43192ec1ea620c2f3a1fecfb63642cf2702ddf56a5956b

                      SHA512

                      e9f34b3dcfe7c0126e302509926cf931cfa92f3eae4b375da9805a7e49441d451fc22416edf2aa2f7fdb58e53f6f8c5691b66fa9666cdb1690123bbe9f239c42

                      Download Submit

                    • C:\Program Files\Windows Mail\de-DE\wininit.exe
                      Filesize

                      1.7MB

                      MD5

                      7349ec2676d692e1e20fa31dfe5af69c

                      SHA1

                      80e9a554966e7f0e1f89dc0435af76a00d2384ab

                      SHA256

                      022ca155f25c1e3ef7ced181d2dd3dedaf3115b5bd68ed66f63e8664741b2bbd

                      SHA512

                      bd694ab2d08956ccced6179632e740db7d69e359d02b2a3cf346cc25e4df54228e05e052c3ba998aecc795252ee1bf74093a0d285e4d5ceea450e7e61bf82a83

                      Download Submit

                    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366dN.exe
                      Filesize

                      1.7MB

                      MD5

                      ef0eaa6480733054309ffbbd02f057d0

                      SHA1

                      43d3b54ecc3ad577e887b3ce30a94e7ed65d7281

                      SHA256

                      97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366d

                      SHA512

                      7e8c601bfcd6f37989e7ff196c83d1657c6f63d5a4cdc788035955c7f2d0d4e21ce93305245d9ba9d852dd9b436cbe16b39c79ce7a2546914f961a12f54fdd9f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\e7a6e95d-76a0-4f2b-afb8-70fc5015a55e.vbs
                      Filesize

                      501B

                      MD5

                      d74af75fbc3c0a61dd053e7ee1df903d

                      SHA1

                      acf36cbe8605b495f93034a40e791e91a025ef20

                      SHA256

                      71a3451f2c113a4a68c85e43b43a2462465ed861ec445f3cae4691339b4e5f73

                      SHA512

                      3962e37d8800320657bdb9e72382004d8530271758641c7dffd65ae4e32aaaae02a756109ea5388c0d926b9de707de97dcb938fea1d1bcedd59e4f01f110bb4c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\eca8d9ed-9827-4ec0-aa34-fa98a9a0d642.vbs
                      Filesize

                      725B

                      MD5

                      58b439efec110fede98b460ff2e49cf4

                      SHA1

                      88ec61934c279127467e6c0e28e40d1da7140e25

                      SHA256

                      8fd8be92cf3c4035f7dd990b32ef730241ddb830a3f4a3179e13578ac0b2452c

                      SHA512

                      42b2df2c6a9e002243ace9774863a5b614ffd87286a6f0f76858ef47bc70776e4c4e22fdbfb4c7f3713eef79f95bdde66802685d9f70cec25ea7db45b4258e0f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\eiSKMyn5o9.bat
                      Filesize

                      268B

                      MD5

                      08d5d561fdb7ec9ca8bf386dfe2f2261

                      SHA1

                      d94aa1fb3f50401f3273da344cacaaa967aea8d4

                      SHA256

                      44c85b0c76057a4e1b6e050685c7a9d061239a56cf5d3977d646a9d81e079824

                      SHA512

                      8e9eaad4a9afc30d4301b45241a681d78455f75fd8ec852f3de0bb98bb107d6cc0f4c27930a435adf240094166c826645099b9f7df4b726ce2fc4353c6b6d198

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      2767375d6b048fa488b98c0f1dbe045d

                      SHA1

                      ae9d6aa02fd08ee5e554160632606b2826769fea

                      SHA256

                      ea8f2fce3a0e499264adb0233e8f05fe16917c5c0643f3d5e5961720aea21ffd

                      SHA512

                      639e041d9a93ad844ac10f34a470980ffb256fa519bec8f3ee511b8a49883fcb0eae18369337f74be22dd13d5f202e6c449bf937c54c062e772792c26b60b405

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      1022890a25ee3b1986585a9b31a6316f

                      SHA1

                      f32fb20ba4f08f0879e4d2e7fa3f288c41fceb67

                      SHA256

                      139d1bb43e4a0937dea5ac0608eacd839e540410acc6b1a620f2613927302301

                      SHA512

                      4df684e2d526029e99316e0936ab6a0870ecb557dc5db06285800e6d4527b608de6ee1951afcdd51ba14280060c633f3715de166e4ec1fd71fc2ef4ee660ad91

                      Download Submit

                    • memory/860-280-0x000000001B530000-0x000000001B812000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/860-282-0x00000000027D0000-0x00000000027D8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1744-349-0x00000000003D0000-0x0000000000586000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/1744-350-0x0000000000390000-0x00000000003A2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/1824-166-0x000000001B700000-0x000000001B9E2000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/1824-167-0x0000000001E50000-0x0000000001E58000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2188-191-0x0000000000A00000-0x0000000000BB6000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/2312-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2312-3-0x0000000000420000-0x000000000043C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/2312-14-0x00000000006B0000-0x00000000006BA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2312-15-0x0000000000740000-0x0000000000748000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2312-16-0x0000000000760000-0x000000000076C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2312-13-0x0000000000750000-0x000000000075C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2312-12-0x00000000006A0000-0x00000000006AC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2312-18-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2312-1-0x00000000001F0000-0x00000000003A6000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/2312-17-0x0000000000770000-0x000000000077C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2312-168-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2312-8-0x0000000000680000-0x0000000000690000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2312-7-0x0000000000660000-0x0000000000672000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2312-6-0x0000000000640000-0x0000000000656000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2312-5-0x00000000001E0000-0x00000000001F0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2312-10-0x0000000000690000-0x0000000000698000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2312-4-0x0000000000150000-0x0000000000158000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2312-9-0x0000000000670000-0x000000000067C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2312-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2336-308-0x0000000000840000-0x00000000009F6000-memory.dmp

                      Filesize

                      1.7MB

                      Download