Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 02:11

General

  • Target

    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe

  • Size

    3.2MB

  • MD5

    1994f3ef2118aeecbb74e6c8976fd47b

  • SHA1

    8f157fc5c2af51db24b66085f29d3c1240be36b2

  • SHA256

    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

  • SHA512

    48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

  • SSDEEP

    49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
    "C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4840
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RntjMyf9uZ.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:768
        • C:\Recovery\WindowsRE\explorer.exe
          "C:\Recovery\WindowsRE\explorer.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4384
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da10925-1a32-4095-9c8f-715259bffb39.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3548
            • C:\Recovery\WindowsRE\explorer.exe
              C:\Recovery\WindowsRE\explorer.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2200
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7749a4f1-df73-40f7-9b89-cccdb664941c.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3664
                • C:\Recovery\WindowsRE\explorer.exe
                  C:\Recovery\WindowsRE\explorer.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3624
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75cd2b4b-47ee-49e7-b1ab-3b74c6c79d0e.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:908
                    • C:\Recovery\WindowsRE\explorer.exe
                      C:\Recovery\WindowsRE\explorer.exe
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:1008
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0645b1ab-1e89-46ef-bb22-22286c12f5f8.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4984
                        • C:\Recovery\WindowsRE\explorer.exe
                          C:\Recovery\WindowsRE\explorer.exe
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3188
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0dda8b6-2be4-489b-9cc6-59c47cd28b8d.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2748
                            • C:\Recovery\WindowsRE\explorer.exe
                              C:\Recovery\WindowsRE\explorer.exe
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:4012
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648769ee-16ba-4f95-a8c6-43d3e6afbcc2.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:392
                                • C:\Recovery\WindowsRE\explorer.exe
                                  C:\Recovery\WindowsRE\explorer.exe
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:3652
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37bbd2bc-ba1e-49b6-a70a-9ace85d126b7.vbs"
                                    16⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3804
                                    • C:\Recovery\WindowsRE\explorer.exe
                                      C:\Recovery\WindowsRE\explorer.exe
                                      17⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:2492
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57000d27-45c4-42cd-a82d-ee922975253e.vbs"
                                        18⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3524
                                        • C:\Recovery\WindowsRE\explorer.exe
                                          C:\Recovery\WindowsRE\explorer.exe
                                          19⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:3152
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229df18c-f654-4c79-ba84-08376a8ce56b.vbs"
                                            20⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2224
                                            • C:\Recovery\WindowsRE\explorer.exe
                                              C:\Recovery\WindowsRE\explorer.exe
                                              21⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              • System policy modification
                                              PID:3940
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2487cd07-39a2-4f35-9b3a-15141891ce55.vbs"
                                                22⤵
                                                  PID:3168
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3954ee1a-cee5-4161-bff2-45a4cc9e533a.vbs"
                                                  22⤵
                                                    PID:2116
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5314319f-845c-4a3d-8cd8-4e6c9f28dd68.vbs"
                                                20⤵
                                                  PID:3976
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb7b653-8b7c-4e1f-93f2-d846ebcf79f0.vbs"
                                              18⤵
                                                PID:3980
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad606097-b984-4806-aaa4-51f0c950294f.vbs"
                                            16⤵
                                              PID:3472
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\276ffccd-57ed-49c3-8f74-db64bb5ec581.vbs"
                                          14⤵
                                            PID:116
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef4c74b-8e9f-4c66-891e-431b7b93225c.vbs"
                                        12⤵
                                          PID:4292
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ab9556-fba8-44cf-8225-db84e6232aca.vbs"
                                      10⤵
                                        PID:2632
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819246bb-a0eb-47a9-9561-dc97e35ce37c.vbs"
                                    8⤵
                                      PID:2668
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aeadb36-66a9-4262-a0e4-ac8ab4079000.vbs"
                                  6⤵
                                    PID:4788
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\388adb51-ebd0-4eab-ba58-d822365ca0fc.vbs"
                                4⤵
                                  PID:3868
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3136
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2492
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1372
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3204
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1480
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2368
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2324
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4076
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1160
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1224
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3904
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3916
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2628
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:472
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:5028
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3416
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4316
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1080
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4980
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3460
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4292
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4988
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:8
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:5036
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4964
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:444
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2116
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2568
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:5020
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4516
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3844
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4632
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1820
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3324
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2216
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3064
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4260
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3580
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4368
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\dllhost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1620
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3016
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2800
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3432
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4572
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4752
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\sihost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1200
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4340
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4792
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2200
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2848
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:5072
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1256
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:5060
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:640
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:4448
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:1536
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:3188

                          Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe

                                  Filesize

                                  3.2MB

                                • C:\Recovery\WindowsRE\explorer.exe

                                  Filesize

                                  2.6MB

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

                                  Filesize

                                  1KB

                                • C:\Users\Admin\AppData\Local\Temp\0645b1ab-1e89-46ef-bb22-22286c12f5f8.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\229df18c-f654-4c79-ba84-08376a8ce56b.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\2487cd07-39a2-4f35-9b3a-15141891ce55.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\37bbd2bc-ba1e-49b6-a70a-9ace85d126b7.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\388adb51-ebd0-4eab-ba58-d822365ca0fc.vbs

                                  Filesize

                                  486B

                                • C:\Users\Admin\AppData\Local\Temp\3da10925-1a32-4095-9c8f-715259bffb39.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\57000d27-45c4-42cd-a82d-ee922975253e.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\648769ee-16ba-4f95-a8c6-43d3e6afbcc2.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\75cd2b4b-47ee-49e7-b1ab-3b74c6c79d0e.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\7749a4f1-df73-40f7-9b89-cccdb664941c.vbs

                                  Filesize

                                  710B

                                • C:\Users\Admin\AppData\Local\Temp\RntjMyf9uZ.bat

                                  Filesize

                                  199B

                                • C:\Users\Admin\AppData\Local\Temp\c0dda8b6-2be4-489b-9cc6-59c47cd28b8d.vbs

                                  Filesize

                                  710B
