Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/03/2024, 14:46

General

  • Target

    1994f3ef2118aeecbb74e6c8976fd47b.exe

  • Size

    3.2MB

  • MD5

    1994f3ef2118aeecbb74e6c8976fd47b

  • SHA1

    8f157fc5c2af51db24b66085f29d3c1240be36b2

  • SHA256

    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

  • SHA512

    48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

  • SSDEEP

    49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe
    "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2676
    • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
      "C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2568
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\114f6a21-7494-4334-8074-77afa40c308e.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
          C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1992
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aabf0ab-2ca8-4e25-9e90-fd6359e0ce4e.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:592
            • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
              C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1860
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3276c21-a30b-480f-b54f-4854570b9b51.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2536
                • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                  C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2936
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78dd1a97-3ac8-4cc1-8f52-8615fffd81a1.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2036
                    • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                      C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                      10⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:1476
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\650f3208-2d92-41fa-96f3-520d311947f0.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2308
                        • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                          C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                          12⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2652
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a49d39-dce3-4f3a-bdbc-b647d87d8d6d.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2848
                            • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                              C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                              14⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2560
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d3ea02f-765c-4bcb-a91b-73c8b711f941.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2208
                                • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                  C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                  16⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:2732
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\109399d3-78ce-4cb5-bca2-09e3541df3ae.vbs"
                                    17⤵
                                      PID:2996
                                      • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                        C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                        18⤵
                                        • UAC bypass
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:1748
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa59f44-724d-4e15-87e1-493a539137b7.vbs"
                                          19⤵
                                            PID:3056
                                            • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                              C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                              20⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:2676
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01196dfb-b8d2-435f-a7bf-fdc36e7d7b1f.vbs"
                                                21⤵
                                                  PID:1608
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bed549e-638a-4ba2-9792-bccf9ae0fb92.vbs"
                                                  21⤵
                                                    PID:2868
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7601085-0ccb-4b87-b1f9-0c1ddc9f49a2.vbs"
                                                19⤵
                                                  PID:2400
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45f7fb4b-c75e-405d-a081-ffd2ead2119e.vbs"
                                              17⤵
                                                PID:2552
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a51dcd-c12d-4d29-8c60-595d3441931e.vbs"
                                            15⤵
                                              PID:2716
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c4dbd5-da1b-4890-9e41-152744547ea3.vbs"
                                          13⤵
                                            PID:1232
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f5e63ea-683c-4d09-9c47-0e828b4c152b.vbs"
                                        11⤵
                                          PID:1940
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0df75ae-27fe-4fed-8cef-ce67e8e60432.vbs"
                                      9⤵
                                        PID:2680
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55968cf4-b7c3-4757-8ccd-92ab406f18fc.vbs"
                                    7⤵
                                      PID:2656
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c646af0-a85d-4c51-80d3-efd1ec323331.vbs"
                                  5⤵
                                    PID:1096
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8062ef-78ba-4bf9-86a7-d3d807d11357.vbs"
                                3⤵
                                  PID:1752
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\wininit.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2576
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\schemas\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2604
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2408
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2908
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3048
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2172
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2652
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2724
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2740
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2856
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2896
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:996
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1208
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2000
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1060
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:760
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:384
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:488
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1092
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1900
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1856
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\spoolsv.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2952
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:660
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1560
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2372
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2180
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2104
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2292
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2592
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2816
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:292
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1904
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:412
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2128
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2140
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1604
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1656
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1540
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1352
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1620
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1232
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:916
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2996
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1368
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2268
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b1" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:3068
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2184
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b1" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:884
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\services.exe'" /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2340
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2348
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:1696
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2196
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2600
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:2056

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads
