Analysis

  • max time kernel
    23s
  • max time network
    77s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    31/10/2022, 22:04

General

  • Target

    e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe

  • Size

    1.3MB

  • MD5

    6208038b6a641fa1fdd98f07e5bffcb4

  • SHA1

    19cc212851bf39ca14a4abf86a8236898d5a0814

  • SHA256

    e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1

  • SHA512

    953d9e987897e9d0a7f6f5e979e81876b4a053f3fbbd902784566ce48d1d9b819b74aca2a8c96e55aa6243731b4318aed2afc05f89952982b4cc44a3cf1223bc

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe
    "C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\HoloShell\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'
            5⤵
              PID:2124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1732
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\spoolsv.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3500
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\sihost.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4820
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4060
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3584
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4920
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUnKFcqIu.bat"
              5⤵
                PID:4280
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:3868
                  • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
                    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
                    6⤵
                      PID:3360
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
                        7⤵
                          PID:3972
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            8⤵
                              PID:4284
                            • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
                              "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
                              8⤵
                                PID:2736
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
                                  9⤵
                                    PID:4288
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      10⤵
                                        PID:4456
                                      • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
                                        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
                                        10⤵
                                          PID:3860
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
                                            11⤵
                                              PID:3736
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                12⤵
                                                  PID:4376
                                                • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
                                                  "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
                                                  12⤵
                                                    PID:688
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3964
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4488
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3804
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4684
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4648
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4628
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4572
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4612
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4424
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\HoloShell\spoolsv.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4728
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\HoloShell\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4704
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\HoloShell\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4596
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\odt\ShellExperienceHost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3184
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:428
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4376
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4372
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4396
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4712
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:444
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3996
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3792
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4772
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4668
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4088
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4740
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1928
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1136
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1096
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1640
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1484
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\spoolsv.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:388
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:432
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:840
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4604
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:676
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:188
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:196
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:216
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:324
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:164
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2256
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4020

                            Network

                                  MITRE ATT&CK Enterprise v6

                                  Downloads

                                  • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

                                    Filesize

                                    1.0MB

                                    MD5

                                    bd31e94b4143c4ce49c17d3af46bcad0

                                    SHA1

                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                    SHA256

                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                    SHA512

                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

                                    Filesize

                                    1KB

                                    MD5

                                    d63ff49d7c92016feb39812e4db10419

                                    SHA1

                                    2307d5e35ca9864ffefc93acf8573ea995ba189b

                                    SHA256

                                    375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                    SHA512

                                    00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                    Filesize

                                    3KB

                                    MD5

                                    ad5cd538ca58cb28ede39c108acb5785

                                    SHA1

                                    1ae910026f3dbe90ed025e9e96ead2b5399be877

                                    SHA256

                                    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                    SHA512

                                    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    bce22f3249adef446b596ec2da8cd6c6

                                    SHA1

                                    7af5f2c1c554c2659426dec0e1fafc8b8d5fb321

                                    SHA256

                                    ff7369b744ee394bb4a0b448512cb542600e70ec3e35be684d9566f9caec55f5

                                    SHA512

                                    0dcef7cb51d9afbdd6d6ca51d1493f928484246c059bbeb7de091f5363f5d08ce9d69173ecce4c6d3315d9b2f9da0a3241a4971ba2d4bb4d52c20a1a137d40fd

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    4c5055728d0bb83f641130546c3c0413

                                    SHA1

                                    5ed164bfdb2db61d0f554412939e9bdba035e032

                                    SHA256

                                    c583a9ac27748092a995aa00dec36c1645875c2d36efd1e3a917f25e09d6a8bf

                                    SHA512

                                    d61544f9b68da9d89ccfa17bdf90d1d66adc441e0ff0a987c39b35dbdc3eeca4a065a635ff22afbe18790cd27ac0edd6e9071a8195fb46c0d3e919ae0ddd3f2b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    733b77ac2e4becb9124f515bfbf2a435

                                    SHA1

                                    8789627012ffaee7c48d6c27bad245033953f45c

                                    SHA256

                                    a46eac7b10fa8ce7874194f5e72bed5d03184564aa4229c91273a034ea34765b

                                    SHA512

                                    ce32d93e9cccd9b5f0dfd22e208b30ac33ebd369ea6bb37e4b5e98379ba92c539af8141d61de2c4c007cb5881b233c879af1300a9f35039c57e528b0d1e7bd14

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    92fe93503a034e0d14274b069869276a

                                    SHA1

                                    d46e8e47538119562f5aaa6e9a1ccfb9084c8de8

                                    SHA256

                                    bb54c6654a2b74d86cd6d6cae4a2a83d27ec036b402066aa5c675de3bcfaab77

                                    SHA512

                                    3e9280ddc19c26b479f52bd07c7e446f7e583db529b639b4bd3942670c850d4d447bb02a0512edaebd346a75a4d55778b072ac6f52c147c239df8ea1870cede8

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    bab495d4b1142179fd5d7a33405830ed

                                    SHA1

                                    0ca8d4f1a86cdd0f8ef51554a6561e473f45edb9

                                    SHA256

                                    f6bc15c18e5d7d2222a524897b78d8cd8caad868ca4c2356b6d08643b908dddf

                                    SHA512

                                    eebd4fd6ac99a30feb0828967e335734ee8494ed2617194cb4428765cc74eeab2a451294e648e830bdbac66c213139bfa393cdc9f52ca98eb98b04e140c9654a

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    317eec61e1127ca6a0abc7200c3cd6f0

                                    SHA1

                                    006c049d8b808b0546c144594b629ca26108e48f

                                    SHA256

                                    911bca8e26f59f96909d141d103b2e9b9b196850bfac8fc336d05b77de529f2b

                                    SHA512

                                    5eb2ffeca8ca63540f1cac7c3c7d375f07e0c62450c05fb521d54d6ac51f85a880fe5dc0f80635d84c889aea48e945cc3e07f8914fad09e1903ca7244885184c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    280cf58000723aab5bd8583ffff35cff

                                    SHA1

                                    07e63bcd7a6ee2c11aa714400b8f89c17761c30f

                                    SHA256

                                    f8cad4f71280f710b2b7a739b1e3aa82d2a579beaf33d0a6a4e3b3ebf3f2c822

                                    SHA512

                                    334a4b0b7570470a0f161f77fca96944368e85fafd889f55bd7dd0b37e44f1fe29d0d5e635e0b7a13065c042af6da9231e4cfc3c9af490209e1d7e78b8fae409

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    9803395c7f202e10ce817db9c474c195

                                    SHA1

                                    49df81d595d2d0ecb06b38d7c31ed5b685e82d9c

                                    SHA256

                                    ec61c989d4b7d2845ec96604fa83a2258f8614149c91198da96aa29ac0580d16

                                    SHA512

                                    f958c4ec79ce82e998e61f73a9a6e586bd9d8a7ca317b252f012cb45b6a7e77bd5695c6c52ed1bd9f2debdee9257f16420677f6e78173213b8980234876a6b30

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    4c984ef72186b63ec54114af80436af3

                                    SHA1

                                    bf1d555b8c280c0198c98288e3e7df840feccfca

                                    SHA256

                                    b2ff10b065b25ea2c74d1659196b34e565f3fc79be340ca8a3c66843283110d8

                                    SHA512

                                    bdc1532a67b81da75d7cd504b0cc63ee217f509bfe811a4dd5835273464752c8d8347bbea7e50ca5f6a4479e0887a3ac79ac2b0da2e9a2e030af40e2fdff12f3

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    b8305bcdae8e0238226106ca9de7d989

                                    SHA1

                                    d7deb81ee9d3044073c30f87ea78eb0c7132ad4a

                                    SHA256

                                    22c16f82a3b6904cc5594888f454f6868e9f16887c7f0ec1d84558fd42d89a71

                                    SHA512

                                    83b3d39c61899167b6106f0f80d143773112737be388e22e7ae1497d002217bc13cd8a348abc76db9910cb86e1ed6d7e700b377cf57af4acba6ce2333afb20e5

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    1KB

                                    MD5

                                    e9a856a3f434b4a6a99b6bcaf8155056

                                    SHA1

                                    8ec28b88e8dbbdf4d3fa6809a5fe8dfd06f503bf

                                    SHA256

                                    48cf16ce0943c2ef7ad1e162fb1a98ecc28c96e66885f32f76a8c7d4bc89c60b

                                    SHA512

                                    3aa1c3779d7e2f17168e939a1a878a93b2922c6393bd15db5028199e3c1fa0221feaa6cb3290e01695f034128c8713e8e848edef87bc51e3216f34aa50213152

                                  • C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

                                    Filesize

                                    228B

                                    MD5

                                    ea63afd097f3d323a211f4f767784aee

                                    SHA1

                                    0c648ea55f7f63afc2993be2705a88a7fddcda5c

                                    SHA256

                                    3da578bd9db104cbbaa5f49467610a5241c48b9ba034a5ae4eaac45ad60bf44d

                                    SHA512

                                    071630062230105d66181a92c83d02c3f1a39e4629d10136a6d1909e561b7dd6f0f7bb3dd67fbca1ba3966de8cfb8ab1a65120c4f3af3b581640c36d02d5fff6

                                  • C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

                                    Filesize

                                    228B

                                    MD5

                                    102a0dd1a4409324142f5b546bbdc448

                                    SHA1

                                    1a864a6618a46e44c4f4f08e81d30d15dc856982

                                    SHA256

                                    df3b68db40b9a4e9dfbb15651ae564e4aba5c1cf3378fe767b42b5e5ea0c19b5

                                    SHA512

                                    a40d93a6760cbfe79a2f13426ae7db0eec5d4071871d91b80dcd953fc41fdab6260884a2bb3cb55f5dc947a92f90d8d8c8948f848d9d8234e58788a8cafb5e5e

                                  • C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

                                    Filesize

                                    228B

                                    MD5

                                    c00391b4a026850c280986d51d9ebcb5

                                    SHA1

                                    348b55df945f6361cec9ed421a2e9fd3536a5bcd

                                    SHA256

                                    bacd0e062d2bc8ea92d6c96aa784dc19c647aac099c673100427454c1dc26c1d

                                    SHA512

                                    ea7376aad3c433e10951da98b23deaaa2af6a648383ac1d01540d65b5da5ac18dd917f056ff25290a1ccecbef63a1fb7172f5c8915a21529228cfbec858db8b8

                                  • C:\Users\Admin\AppData\Local\Temp\gjUnKFcqIu.bat

                                    Filesize

                                    228B

                                    MD5

                                    37cf06a88257b85e1a5d602fb517f2c0

                                    SHA1

                                    e9500f19048cb2102a3da5d527c8b38aca4f8d74

                                    SHA256

                                    ac71e3acd580c3160a204aaee739c318bdb6364094d189f0c11b535ec72c9397

                                    SHA512

                                    a040fc4e5272768b0d7e526b5915e412f21f710dc83fd14873b682c604c6d86b41a15322e5fcfeb8b0197eaa8dfc6ad46466fbea6ddc72f5bb2063a7ae33c60b

                                  • C:\providercommon\1zu9dW.bat

                                    Filesize

                                    36B

                                    MD5

                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                    SHA1

                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                    SHA256

                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                    SHA512

                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                  • C:\providercommon\DllCommonsvc.exe

                                    Filesize

                                    1.0MB

                                    MD5

                                    bd31e94b4143c4ce49c17d3af46bcad0

                                    SHA1

                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                    SHA256

                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                    SHA512

                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                    Filesize

                                    197B

                                    MD5

                                    8088241160261560a02c84025d107592

                                    SHA1

                                    083121f7027557570994c9fc211df61730455bb5

                                    SHA256

                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                    SHA512

                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
