Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 07:15

General

  • Target

    NEAS.837e95e2cf296e26712186c895f4c200.exe

  • Size

    1.4MB

  • MD5

    837e95e2cf296e26712186c895f4c200

  • SHA1

    8c5995383c0c59169577cddd1e201c117532a688

  • SHA256

    29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786

  • SHA512

    70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c6GvLXFq3X.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:5828
        • C:\Users\Default User\services.exe
          "C:\Users\Default User\services.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5348
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca8331e-03b2-421c-98af-87fef2c10169.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5644
            • C:\Users\Default User\services.exe
              "C:\Users\Default User\services.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3196
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee91de6-6e79-4802-86c4-3e84b3cb0b0e.vbs"
                6⤵
                PID:5288
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4a8fa7e-3c1f-4c1e-a06a-fec99a88df2f.vbs"
                  6⤵
                  PID:880
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e554e97-58e9-47cd-a639-c9bacdb5166a.vbs"
              4⤵
              PID:5732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2816
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:912
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3268
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4856
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\pt-BR\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4428
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:368
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\pt-BR\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4164
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1560
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:60
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1816
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3872
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2292
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\taskhostw.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2004
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\odt\upfc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3720
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:468

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

                  Filesize

                  1KB

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                • C:\Users\Admin\AppData\Local\Temp\0ee91de6-6e79-4802-86c4-3e84b3cb0b0e.vbs

                  Filesize

                  710B

                  MD5

                  b666dac4337959f0c14b559c224f895d

                  SHA1

                  44e39e9ec7c9f917ffdcafb2cc0a9a104c1e5bb9

                  SHA256

                  8d7884e2f734bb97cffaa32c687f4260e4421b60308f60601e3cc8efda8be38f

                  SHA512

                  53fb33217401e1677b765e435eb668c1c193bf4954d50979ae8b1bd27eeaacd5f62a2f6271457286ccd0d74800f0fd50ed3f4cc8fb39beba5aa37b90d9b22998

                • C:\Users\Admin\AppData\Local\Temp\1e554e97-58e9-47cd-a639-c9bacdb5166a.vbs

                  Filesize

                  486B

                  MD5

                  df544400d963d4be10608294946489f5

                  SHA1

                  f18384e181d1a252e3d6a61e35797f0b19bd6283

                  SHA256

                  6645711af536fb9a7a9ad3a4608dacb7be1e8cf951d0908f908e56add4b38b2a

                  SHA512

                  98830c8b03c59c0b8be176aa4b7efb921c178c325d4545af7475be3d7a06ed3ad4af82a96011b54bd34115b17fddec5d32242deb8276f12a9cb35024fe8454aa

                • C:\Users\Admin\AppData\Local\Temp\1fbc89d4907331aa0cd5a67264a034a9053406b2.exe

                  Filesize

                  1.4MB

                  MD5

                  837e95e2cf296e26712186c895f4c200

                  SHA1

                  8c5995383c0c59169577cddd1e201c117532a688

                  SHA256

                  29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786

                  SHA512

                  70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f

                • C:\Users\Admin\AppData\Local\Temp\5ca8331e-03b2-421c-98af-87fef2c10169.vbs

                  Filesize

                  710B

                  MD5

                  01311552732a62c2cf15210f60c837ca

                  SHA1

                  986f540ed14abaaa809f163a58aadd0ef2f9da38

                  SHA256

                  614a223655e42be8a98c20c76f869c3d71452a2fa1e611b77410a19cc9c2d689

                  SHA512

                  9c92e50bc10b0d09c4c498892297ff00e0f4bf0074fe09da8c8e44adf7c714f8ba87c1458f78124898500aa73370de566c33ac275a03e59f244621352c0e40ac

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5jjbaxy.ypj.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\AppData\Local\Temp\a4a8fa7e-3c1f-4c1e-a06a-fec99a88df2f.vbs

                  Filesize

                  486B

                  MD5

                  df544400d963d4be10608294946489f5

                  SHA1

                  f18384e181d1a252e3d6a61e35797f0b19bd6283

                  SHA256

                  6645711af536fb9a7a9ad3a4608dacb7be1e8cf951d0908f908e56add4b38b2a

                  SHA512

                  98830c8b03c59c0b8be176aa4b7efb921c178c325d4545af7475be3d7a06ed3ad4af82a96011b54bd34115b17fddec5d32242deb8276f12a9cb35024fe8454aa

                • C:\Users\Admin\AppData\Local\Temp\c6GvLXFq3X.bat

                  Filesize

                  199B

                  MD5

                  efd4342e3e8307318179cff164543da4

                  SHA1

                  fb986fbd11d034468363fea48bb83187cf6cf455

                  SHA256

                  441dba715555a009f5cb92a163454e60ecf28043dfe97a92e9353837f3f23bb6

                  SHA512

                  51f54152f15a4348e160a75553fc70103e963105308b14eb769d0de5d4b95f28438afe4b45df8eb655d7a0e99be9936efda234576678064d9f69e6beec04972b

                • C:\Users\Default User\services.exe

                  Filesize

                  1.4MB

                  MD5

                  837e95e2cf296e26712186c895f4c200

                  SHA1

                  8c5995383c0c59169577cddd1e201c117532a688

                  SHA256

                  29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786

                  SHA512

                  70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f

                • C:\Users\Default\services.exe

                  Filesize

                  1.4MB

                  MD5

                  837e95e2cf296e26712186c895f4c200

                  SHA1

                  8c5995383c0c59169577cddd1e201c117532a688

                  SHA256

                  29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786

                  SHA512

                  70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f

                • C:\Windows\System32\pt-BR\System.exe

                  Filesize

                  1.4MB

                  MD5

                  837e95e2cf296e26712186c895f4c200

                  SHA1

                  8c5995383c0c59169577cddd1e201c117532a688

                  SHA256

                  29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786

                  SHA512

                  70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f
