Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/11/2023, 02:31

General

  • Target

    NEAS.12512b9fc15ed49fb1066046fb8fed90.exe

  • Size

    1.4MB

  • MD5

    12512b9fc15ed49fb1066046fb8fed90

  • SHA1

    480b04304f83fa8b96d28e060068fbc11c9b3a05

  • SHA256

    cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

  • SHA512

    d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 16 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1316
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3385657-9550-4bad-b6a6-5a47c31ff50f.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:240
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e519c43d-a289-4f38-92f0-4e38ae0cac89.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1188
            • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe
              "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1524
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de58d141-469c-4030-9999-879023294bbb.vbs"
                7⤵
                  PID:2052
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d76157d-d710-451b-b78e-2d8731a4cf10.vbs"
                  7⤵
                    PID:1884
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a378960-6ad0-4294-a6a5-b7ec17b1447e.vbs"
                5⤵
                  PID:1296
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f90b85-bd02-4549-a77e-18150b3f4b48.vbs"
              3⤵
                PID:2704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2536
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1420
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2776
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2800
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1124
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2156
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1652
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2032
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2328
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2664
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3036
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2392
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2340
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:444
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1960
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1168
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2816
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1716
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2180
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2856
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2072
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2432
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2696
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2988

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\Program Files (x86)\Google\Update\System.exe

                  Filesize

                  1.4MB

                  MD5

                  79ca8c449813f1494a0e97cbd8b67175

                  SHA1

                  a6a8a3d763c71c32b096c3b1b0d183f777696255

                  SHA256

                  bc5e8bc054b851b8fee46fdf682271834030aeac49c395425463b93daec93081

                  SHA512

                  e6cdd3584bafe212edf29c6818d1d7c74f2346fb186a676236d1a8283fbdaa3ebd36e2a15e2f329deeb1df9b60c0f658b4663494123fe1ccb50946d2b70b0080

                • C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

                  Filesize

                  1.4MB

                  MD5

                  89a0aeda40f0bb3a00b749692ed362b3

                  SHA1

                  33f48c6d2742ef2ff02a1c4b62bdfa1d6cf7b69f

                  SHA256

                  ab1a1eb7b109a0ddd23a4f0bdf270a50a9f9a55f16c42dc8439195367a891401

                  SHA512

                  83309404242009c9bac93e114c436300325bc5cac98ad64f7711dd85fe25df006a7a9e336e56e8126b0d3093a79e1866861bf30cb94e0ab8928ff70fe890bd2c

                • C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe

                  Filesize

                  1.4MB

                  MD5

                  26d63ae006f72613796303cd258e8cd5

                  SHA1

                  d4c4143a4ea4781494e22044359ac8a748902575

                  SHA256

                  9c4dc1c01093be5b1bd0b2599a13e22a1d114d3e625ce999d5735efbdd929a36

                  SHA512

                  83dca9c75ce6eb4e992dc6b741597760a32045cf178e596c0ed38a977b25487bbfd3a53415bb8a6bbad8a9dd0698e241880bd8690364f4c7b03a609e97bfadfb

                • C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe

                  Filesize

                  1.4MB

                  MD5

                  3fdd85eefd01c0a2df96654a86ed664a

                  SHA1

                  2a5257557c3651562db1a1fe491273dc0fb401ac

                  SHA256

                  c45d1ed3469f2e5f2a99f8abe2ac29b2e7c4a22b3f0ce7668c748d19b0646926

                  SHA512

                  c128fb27d97fb5c28116715285910c8188ce87176742cd4da88d810ea89e4df394e896a0ed7214b9c7ff775dd5b00ede8f0afc4d8bc86bde1dd675eb712cce8f

                • C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\Users\Admin\AppData\Local\Temp\0d76157d-d710-451b-b78e-2d8731a4cf10.vbs

                  Filesize

                  523B

                  MD5

                  a69945be1ff60bc611bf8f3924b9bf39

                  SHA1

                  5325ede08307ddb15ad07473701ec2d4e8395802

                  SHA256

                  b1d984c7d8003824776045625893ee35f9c3b42241898203622722b4f23e5ffb

                  SHA512

                  b8fdb81cc813e7b5f5c3f85a2d25890143483de4c351a9a470c96afec86f4305405dc6edd2578df6ba8506a945de929b410148c4cd687db9ebe1ed53d4f45986

                • C:\Users\Admin\AppData\Local\Temp\2a378960-6ad0-4294-a6a5-b7ec17b1447e.vbs

                  Filesize

                  523B

                  MD5

                  a69945be1ff60bc611bf8f3924b9bf39

                  SHA1

                  5325ede08307ddb15ad07473701ec2d4e8395802

                  SHA256

                  b1d984c7d8003824776045625893ee35f9c3b42241898203622722b4f23e5ffb

                  SHA512

                  b8fdb81cc813e7b5f5c3f85a2d25890143483de4c351a9a470c96afec86f4305405dc6edd2578df6ba8506a945de929b410148c4cd687db9ebe1ed53d4f45986

                • C:\Users\Admin\AppData\Local\Temp\c3385657-9550-4bad-b6a6-5a47c31ff50f.vbs

                  Filesize

                  747B

                  MD5

                  0153b21ede76dabd04dd8640ff9539e7

                  SHA1

                  54785e6a2f5a1c0b1e55243641019ed250671872

                  SHA256

                  22d4ab715093b083ae854374ab4aacfc83a40a7cee31a218ea46d914dd7db360

                  SHA512

                  c960049b4f64a318dd94e083631c67e1ef3bbb9a145aeda2b3ec645a9c1795cef8732f6e10cf4c79f0ddffbb92a2a89f8b6f33312c5c99ee89c4477077712198

                • C:\Users\Admin\AppData\Local\Temp\de58d141-469c-4030-9999-879023294bbb.vbs

                  Filesize

                  747B

                  MD5

                  9b0d9f7b52c05551a8e47eec07256e67

                  SHA1

                  90f4d8f9933a61128aeeb006a6d63898c14ee95e

                  SHA256

                  ce815ad99757940e5ba002e04784d03dc4c281a9eeb0181acd882e59f2b2f9e1

                  SHA512

                  b61ee5ef0b65e97b955083b9149cc67ff6b1c285192952a3bd2bc6d798abb52129636f3474f00a5d6f568ca593e8e87983152d91ade9c6313cb5cb5aa54bd50e

                • C:\Users\Admin\AppData\Local\Temp\e519c43d-a289-4f38-92f0-4e38ae0cac89.vbs

                  Filesize

                  746B

                  MD5

                  8d8a66375abb6f008938bcf36466adfe

                  SHA1

                  f4d12328ca814d6464e9a3591f97ae112c06fc13

                  SHA256

                  b979b6b608af706e13443222c89c6a91c51f320110757fedb231c78869e1b85e

                  SHA512

                  5b3ed140f031a2591ade7ba172bec1f013fdad7485e966ee521321629a618e8b1f8151fb91196d96b19870619cf7c880871b9fbb24fddbc15f4a1335c106d132

                • C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\Users\Admin\AppData\Local\Temp\f7f90b85-bd02-4549-a77e-18150b3f4b48.vbs

                  Filesize

                  523B

                  MD5

                  a69945be1ff60bc611bf8f3924b9bf39

                  SHA1

                  5325ede08307ddb15ad07473701ec2d4e8395802

                  SHA256

                  b1d984c7d8003824776045625893ee35f9c3b42241898203622722b4f23e5ffb

                  SHA512

                  b8fdb81cc813e7b5f5c3f85a2d25890143483de4c351a9a470c96afec86f4305405dc6edd2578df6ba8506a945de929b410148c4cd687db9ebe1ed53d4f45986

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                  Filesize

                  7KB

                  MD5

                  775d4dc37b7cd0cb6dadfbdcbea8f6e3

                  SHA1

                  ac20bc2f2c6a372fb42d06e1886a06d66f44a741

                  SHA256

                  397f5f7181b711ead935d815b62b3cfc116ada17e909ec201808b7ff38c8bf18

                  SHA512

                  f744188199c248bc796ce6511800adc10f03a52676664cf98b90f73204152ffa92edc0f06e9dc1e69d2a53340e4c5a1c64e6a9a4d06e3caf2378ac87f1fb387a

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H6O8VBSU4G56F2P0D9I6.temp

                  Filesize

                  7KB

                  MD5

                  775d4dc37b7cd0cb6dadfbdcbea8f6e3

                  SHA1

                  ac20bc2f2c6a372fb42d06e1886a06d66f44a741

                  SHA256

                  397f5f7181b711ead935d815b62b3cfc116ada17e909ec201808b7ff38c8bf18

                  SHA512

                  f744188199c248bc796ce6511800adc10f03a52676664cf98b90f73204152ffa92edc0f06e9dc1e69d2a53340e4c5a1c64e6a9a4d06e3caf2378ac87f1fb387a

                • C:\Users\Default\services.exe

                  Filesize

                  1.4MB

                  MD5

                  5549fd69497d9d677c5562a508329408

                  SHA1

                  a0a2e72a0b5cbf4b44ba0bfc0521f8cad9806270

                  SHA256

                  59d34aae6ef5deeb074aae1debbeec3ebf5176db141077abd52fde602ab65d6e

                  SHA512

                  608bd00604c98d674769dbed27bca3843d7a54700e5338cc9a328ed5d4ed93685fccb62f4659e1933697d58abe81e83e3affcf29d9bd4d3d3d969100db077077

                • C:\Windows\ModemLogs\audiodg.exe

                  Filesize

                  1.4MB

                  MD5

                  2996965987e3264e25dff4072ec4a6d8

                  SHA1

                  fcb6d017b45e31055d7877d6bcd06f2bb9fb003e

                  SHA256

                  d3b54a5cebc40e26e5acfcd345db439763771a41c7ad65de0c7382caa88aa256

                  SHA512

                  962eb8da6c546876ac254e502e76bdbd3db292cc3321838f9f0c1bf7d4dbc21593d3ec4210c4d0cefa071c31f92afe1f2277c8f6fc16ba77eb91c9725aeedb7a
