Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18/11/2023, 02:31

General

  • Target

    NEAS.12512b9fc15ed49fb1066046fb8fed90.exe

  • Size

    1.4MB

  • MD5

    12512b9fc15ed49fb1066046fb8fed90

  • SHA1

    480b04304f83fa8b96d28e060068fbc11c9b3a05

  • SHA256

    cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

  • SHA512

    d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:404
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5Gj8VmPD3.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:5952
        • C:\odt\backgroundTaskHost.exe
          "C:\odt\backgroundTaskHost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5436
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b1d779-692b-4770-8bbb-2d46d5b7df9a.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5832
            • C:\odt\backgroundTaskHost.exe
              C:\odt\backgroundTaskHost.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5132
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4db556d6-1db3-4f25-9272-2e713f3a6062.vbs"
                6⤵
                  PID:4448
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600259e1-1932-4b2a-ae21-d3b49c2bbc36.vbs"
                  6⤵
                    PID:5032
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc67fda2-50a5-4cc2-bb40-cd4b18ed469f.vbs"
                4⤵
                  PID:5908
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4164
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\odt\unsecapp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2284
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2180
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\odt\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1692
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4276
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2764
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4312
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2660
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90N" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90N" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5072
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3188
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1312
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2796
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2200

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe

                  Filesize

                  1.4MB

                  MD5

                  a6aed1429a806016f08a6f39a17cd1e8

                  SHA1

                  fa09aa2f6eeeac777e0d86afcc943309a425d056

                  SHA256

                  00b7a0580d1c12c142be5f12cab1ba1672b6bfb0a2543d372e095569093197f2

                  SHA512

                  7340be3706b5304350ae7a3f18a4cec8fc7226f0d2a6a43428ba3b59a34dd0a547258c4919463a59a75323a97536daad98deee9becb36ff852308ab2598b1b10

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

                  Filesize

                  1KB

                  MD5

                  9b0256da3bf9a5303141361b3da59823

                  SHA1

                  d73f34951777136c444eb2c98394f62912ebcdac

                  SHA256

                  96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

                  SHA512

                  9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  a8e8360d573a4ff072dcc6f09d992c88

                  SHA1

                  3446774433ceaf0b400073914facab11b98b6807

                  SHA256

                  bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                  SHA512

                  4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                • C:\Users\Admin\AppData\Local\Temp\4db556d6-1db3-4f25-9272-2e713f3a6062.vbs

                  Filesize

                  705B

                  MD5

                  9a31c951f04889231e8d26a196fb5514

                  SHA1

                  66a121716fb6c653cf96f2da52ace7a3beea20d4

                  SHA256

                  10c27c103d11dd7475be13690f65a0bb688a58875023ae8e3a126c4fceb25166

                  SHA512

                  afa83c8a1e4e2fb62d5ec4697edecbdbf3b5d6ae2ed3bb4f6eb84bee2d54458dd9e0338e0ce14a466023e37b9538897f3c662285090ff69e88677cfcc2f4b985

                • C:\Users\Admin\AppData\Local\Temp\600259e1-1932-4b2a-ae21-d3b49c2bbc36.vbs

                  Filesize

                  481B

                  MD5

                  8f2dc3bdc9004ce03a6f79d348a1da4d

                  SHA1

                  a63427416e6bfaf0698b0f25db0e6aa089ba73f6

                  SHA256

                  d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538

                  SHA512

                  d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024

                • C:\Users\Admin\AppData\Local\Temp\P5Gj8VmPD3.bat

                  Filesize

                  194B

                  MD5

                  93cc5e6659b0d5f81a607be4b7f66862

                  SHA1

                  9cface1233684dbda38366bb6876e9a833b18b62

                  SHA256

                  bd8f7a3fa6d6e46befb0f43ba3ed9ff6dd16ceca5de17f7faeae9e45d4c3f884

                  SHA512

                  caecd5e1ff367aff4faa9b7f173cbd78142ef5a004962ba21fbb9ea6ec79730b855b67253479ca7b3d01b8de1c5bf4ffde8956d3551c1fc273bdbf31d7c4ca4c

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia4oigyj.yea.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\AppData\Local\Temp\ab41a0df16d92f4034711e456d4c313a7ac7a831.exe

                  Filesize

                  1.4MB

                  MD5

                  662290f458afb73df9df2e3245b4c0b6

                  SHA1

                  6278b4a95a718b42b91b9714a32dded4fd6ffc0e

                  SHA256

                  aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640

                  SHA512

                  58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

                • C:\Users\Admin\AppData\Local\Temp\cc67fda2-50a5-4cc2-bb40-cd4b18ed469f.vbs

                  Filesize

                  481B

                  MD5

                  8f2dc3bdc9004ce03a6f79d348a1da4d

                  SHA1

                  a63427416e6bfaf0698b0f25db0e6aa089ba73f6

                  SHA256

                  d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538

                  SHA512

                  d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024

                • C:\Users\Admin\AppData\Local\Temp\e4b1d779-692b-4770-8bbb-2d46d5b7df9a.vbs

                  Filesize

                  705B

                  MD5

                  2a95f82ae5efa9d75b75df78cdf6ea47

                  SHA1

                  1a57cfa6e27aa91a6c5ef80aba247548ad96360b

                  SHA256

                  9065b36e9226c6cc91372503b304760d5b5f7c14cec559c0293181269d2642b9

                  SHA512

                  5fceff9b454577e1634d5a09bcca0e30224a68c1d47ef6441afa99845bc30a7ad430f9f7e4d2c77c3e6ddfcfbb38be3ed8fb1929eb5f88f9d9bb0dc34ca36555

                • C:\Users\Admin\AppData\Roaming\csrss.exe

                  Filesize

                  1.4MB

                  MD5

                  e36003ccaeed48476f1bb1aa4ec6bfe2

                  SHA1

                  8154f23ec6b4a8df17c0edb982dc0e200b28251c

                  SHA256

                  0f90b25254754f6c988153efbbc26b9a3f121f15c638249b06962ce52c066b58

                  SHA512

                  0b9f951acd8df55d62c6c2d1bb1a35a461e3d60a734391d07bf75ce53a55e25be493a8e8324f5bb10bd156d6f7acae4436a5ecfd38cb0f5953ee25253c898258

                • C:\odt\RuntimeBroker.exe

                  Filesize

                  1.4MB

                  MD5

                  12512b9fc15ed49fb1066046fb8fed90

                  SHA1

                  480b04304f83fa8b96d28e060068fbc11c9b3a05

                  SHA256

                  cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

                  SHA512

                  d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

                • C:\odt\TextInputHost.exe

                  Filesize

                  1.4MB

                  MD5

                  c460c9d52f216a2d7a43e9bcef493df2

                  SHA1

                  5cecd227f317c2131734e9ea69a6c59e7f17cd8b

                  SHA256

                  bf8af2bd976f2fcc0648edc2d7537b8f7739e7c12593f6af8a981c13f0658f7c

                  SHA512

                  ce212460d735bd8fb08b0dee9cde7d69fc3d1f00fa7f8f9da4781c71a52959a5349a8bea985ad607cc92bfe2e41c6c049ff8d76d879a260a61f87222b2c270d1

                • C:\odt\backgroundTaskHost.exe

                  Filesize

                  1.4MB

                  MD5

                  662290f458afb73df9df2e3245b4c0b6

                  SHA1

                  6278b4a95a718b42b91b9714a32dded4fd6ffc0e

                  SHA256

                  aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640

                  SHA512

                  58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

                • C:\odt\unsecapp.exe

                  Filesize

                  1.4MB

                  MD5

                  bda00b2e1ce2afc699185e3babb0c967

                  SHA1

                  7c15c36a61e8ec824d59e3cead34b10d7bb23fa3

                  SHA256

                  1c1bd72699bfa0b02e2f1523d0f93f65339309655f4d61b80aa8cc6de7c604ee

                  SHA512

                  681748916cb9d6d967ef192837e8e7d8cfc0c8f37a2555d6f16c787a50aeca9b2369d113f856adfa0a191a1f5f876f3882048d2b186de4c6ccf841af671c169c
