Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231130-en locale:en-us os:windows7-x64 system
  • submitted
    07/12/2023, 01:02

General

  • Target

    0924b9eca922c9227c4f426be5174bae.exe

  • Size

    4.8MB

  • MD5

    0924b9eca922c9227c4f426be5174bae

  • SHA1

    8d2abdecd0fc744ee836d75ad5c3b52585d8041f

  • SHA256

    e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8

  • SHA512

    47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2

  • SSDEEP

    49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/

Malware Config

Signatures

  • DcRat 44 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 14 IoCs
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
  • DCRat payload 23 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 28 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe
    "C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\driversessioncrt\winRefMonitor.exe
          "C:\driversessioncrt\winRefMonitor.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2600
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1628
              • C:\driversessioncrt\winRefMonitor.exe
                "C:\driversessioncrt\winRefMonitor.exe"
                6⤵
                • Modifies WinLogon for persistence
                • UAC bypass
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1704
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2708
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2808
                    • C:\driversessioncrt\WmiPrvSE.exe
                      "C:\driversessioncrt\WmiPrvSE.exe"
                      8⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2608
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs"
                        9⤵
                          PID:2532
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs"
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2480
                          • C:\driversessioncrt\WmiPrvSE.exe
                            C:\driversessioncrt\WmiPrvSE.exe
                            10⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:1228
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs"
                              11⤵
                                PID:1720
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs"
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:584
                                • C:\driversessioncrt\WmiPrvSE.exe
                                  C:\driversessioncrt\WmiPrvSE.exe
                                  12⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:1156
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2132
                                    • C:\driversessioncrt\WmiPrvSE.exe
                                      C:\driversessioncrt\WmiPrvSE.exe
                                      14⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:2560
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs"
                                        15⤵
                                          PID:2136
                                          • C:\driversessioncrt\WmiPrvSE.exe
                                            C:\driversessioncrt\WmiPrvSE.exe
                                            16⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:2508
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs"
                                              17⤵
                                                PID:1436
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs"
                                                17⤵
                                                  PID:2456
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs"
                                              15⤵
                                                PID:1920
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs"
                                            13⤵
                                              PID:1056
                          • C:\Windows\SysWOW64\reg.exe
                            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                            4⤵
                            • Modifies registry key
                            PID:2960
                      • C:\Windows\SysWOW64\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"
                        2⤵
                          PID:2064
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:764
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1488
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2424
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1948
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1956
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2544
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1092
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:664
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1936
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:808
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1256
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1648
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\audiodg.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:832
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2320
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2948
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1156
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:356
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2852
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\taskhost.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1512
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1496
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1808
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1868
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:984
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1996
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\System.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2232
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1056
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2164
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2416
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2092
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:572
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:880
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:3028
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1160
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\System.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1600
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1240
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2628
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:3060
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2724
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2144
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1440
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:1980
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Creates scheduled task(s)
                        PID:2656

                      Network

                            MITRE ATT&CK Enterprise v15


                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs

                              Filesize

                              484B

                            • C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs

                              Filesize

                              708B

                            • C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs

                              Filesize

                              708B

                            • C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat

                              Filesize

                              202B

                            • C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs

                              Filesize

                              708B

                              MD5

                              2b95c1c6867ffbe2930f9d719d56d416

                              SHA1

                              9e93ce929fa91d21836341c2dcbfb4553bd8cecd

                              SHA256

                              dfab9690789d887b9391c971424f5a823ffe72d8694d37713eb1e73f3aede646

                              SHA512

                              41ff5b2ee04e4e07cee4dbc7c2702e5bed9bfb2385dd06f02ed1833c87b33f67b1066ccba65e4c826292273f7e9a4ece19d0c998fcddbb209f432daaa29d0e86

                            • C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe

                              Filesize

                              3.4MB

                              MD5

                              20ec8d347f674ebadc53399ef6aa49cb

                              SHA1

                              f418d228eb276f216b4986b55b2c762d11991a31

                              SHA256

                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                              SHA512

                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                            • C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs

                              Filesize

                              708B

                              MD5

                              88137f82f4e244a665d2ccc03aacb609

                              SHA1

                              70b4c2dbcf3fd3eae9bfd9cbfdf9c13d4872116e

                              SHA256

                              83eb170234daf01456c7875f9c8e9f9f1349aea5c10ac872aab080b95bf3f699

                              SHA512

                              81424ae9c795fb2106384e16746d1c4701a4b6b2b8f79e522a458b6d9750232f6532e39887d949f23a1b816e9c37b7077a2052d5dffb374188194f7fce303208

                            • C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs

                              Filesize

                              484B

                              MD5

                              5c3b61c4fb8c5d44a5d1c4fcb3d7ae53

                              SHA1

                              eb903b8b7d92a1ce784d9f615be419726326a5f3

                              SHA256

                              e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

                              SHA512

                              aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

                            • C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs

                              Filesize

                              484B

                              MD5

                              5c3b61c4fb8c5d44a5d1c4fcb3d7ae53

                              SHA1

                              eb903b8b7d92a1ce784d9f615be419726326a5f3

                              SHA256

                              e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

                              SHA512

                              aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

                            • C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs

                              Filesize

                              708B

                              MD5

                              3ac74fe9a39410eddf94b58512e53818

                              SHA1

                              6b50a212f305ee9a36cf0cbd49c3409c6842d1e2

                              SHA256

                              81a10f3c0549fdd5f9e8a87fff6a3b6730089afc189679c0ec7594da2c39dee9

                              SHA512

                              bfae59ea84604a9f061137e52df1cb99971d6ff9404f8b4663c5147a8812c2c647ec6b8c0d77b5bcb48deb99c506aa2867aa27897abfebd287a4471966cbd0e5

                            • C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs

                              Filesize

                              484B

                              MD5

                              5c3b61c4fb8c5d44a5d1c4fcb3d7ae53

                              SHA1

                              eb903b8b7d92a1ce784d9f615be419726326a5f3

                              SHA256

                              e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

                              SHA512

                              aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

                            • C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs

                              Filesize

                              484B

                              MD5

                              5c3b61c4fb8c5d44a5d1c4fcb3d7ae53

                              SHA1

                              eb903b8b7d92a1ce784d9f615be419726326a5f3

                              SHA256

                              e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

                              SHA512

                              aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

                            • C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat

                              Filesize

                              197B

                              MD5

                              58f7105be112bc3a14fdcb21145cd649

                              SHA1

                              608e43e9aa73e65e31003e492b874f8735fc9365

                              SHA256

                              6bf9d10f6e7f0dbd1318881e20bf34b98088a29e3c68a45350576e4be26a790c

                              SHA512

                              31cb23a1ad61955ce562148f71a3a9ef8d61a116722c7d32849a285a4cb6cab41351e43afdd03b87ad5241134440ebd62494e8cf55bb3316455eca26fdfd5950

                            • C:\Windows\Resources\Themes\lsm.exe

                              Filesize

                              3.4MB

                              MD5

                              20ec8d347f674ebadc53399ef6aa49cb

                              SHA1

                              f418d228eb276f216b4986b55b2c762d11991a31

                              SHA256

                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                              SHA512

                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                            • C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat

                              Filesize

                              151B

                              MD5

                              40a5023d150998b4ba256dd94ea31230

                              SHA1

                              36702bfd3e71b3495e61ea589003bb856b959aca

                              SHA256

                              e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc

                              SHA512

                              6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15

                            • C:\driversessioncrt\WmiPrvSE.exe

                              Filesize

                              3.4MB

                              MD5

                              20ec8d347f674ebadc53399ef6aa49cb

                              SHA1

                              f418d228eb276f216b4986b55b2c762d11991a31

                              SHA256

                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                              SHA512

                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                            • C:\driversessioncrt\file.vbs

                              Filesize

                              34B

                              MD5

                              677cc4360477c72cb0ce00406a949c61

                              SHA1

                              b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

                              SHA256

                              f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

                              SHA512

                              7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

                            • C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe

                              Filesize

                              223B

                              MD5

                              d7664d494b1b6e05334ada9accc57d06

                              SHA1

                              2cc50d284a600e30287fdef5efe56a586199eb28

                              SHA256

                              531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6

                              SHA512

                              7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6

                            • C:\driversessioncrt\winRefMonitor.exe

                              Filesize

                              3.4MB

                              MD5

                              20ec8d347f674ebadc53399ef6aa49cb

                              SHA1

                              f418d228eb276f216b4986b55b2c762d11991a31

                              SHA256

                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                              SHA512

                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

                            • \driversessioncrt\winRefMonitor.exe

                              Filesize

                              3.4MB

                              MD5

                              20ec8d347f674ebadc53399ef6aa49cb

                              SHA1

                              f418d228eb276f216b4986b55b2c762d11991a31

                              SHA256

                              9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

                              SHA512

                              e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
