Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2024, 01:29

General

  • Target

    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe

  • Size

    3.2MB

  • MD5

    1994f3ef2118aeecbb74e6c8976fd47b

  • SHA1

    8f157fc5c2af51db24b66085f29d3c1240be36b2

  • SHA256

    5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

  • SHA512

    48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

  • SSDEEP

    49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
    "C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2340
    • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
      "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:892
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3599326a-1a0e-4ad7-810e-3bcd8da406a6.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
          "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1744
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff4f7e3-b8ee-4441-b99d-5c374ca374c7.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
              "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2920
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cf90a72-e69c-4d82-8cbe-4c6aa7d2eaae.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:324
                • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                  "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1680
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91050917-5450-4104-9851-fb0444b75dd3.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1264
                    • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                      "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                      10⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2516
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1188a621-1c37-415f-9b96-46a5e1158491.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2816
                        • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                          "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                          12⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:1468
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2291065-7bfd-472a-bdb1-b4d09df2dc13.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1968
                            • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                              "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                              14⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2028
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed21885-4349-48cd-bed1-31f6a117e8b4.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2132
                                • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                                  "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                                  16⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:2172
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40e772a-27fe-49f0-bfd7-0765d08d25a4.vbs"
                                    17⤵
                                      PID:1588
                                      • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                                        "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                                        18⤵
                                        • UAC bypass
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:3040
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72bc2190-991d-4af2-9504-771f8f98330e.vbs"
                                          19⤵
                                            PID:2516
                                            • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                                              "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                                              20⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:2024
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\994c7646-6dab-4c30-82f5-c12318bb2061.vbs"
                                                21⤵
                                                  PID:1448
                                                  • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                                                    "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                                                    22⤵
                                                    • UAC bypass
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:1028
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9f3e96-16f8-462e-9b78-c6fd8138ac96.vbs"
                                                      23⤵
                                                        PID:2340
                                                        • C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
                                                          "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"
                                                          24⤵
                                                          • UAC bypass
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:1444
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3bb2515-afd2-4046-9fc9-54a692cb84e3.vbs"
                                                            25⤵
                                                              PID:2260
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c838fc6-6233-41ed-841c-5efd4575ae42.vbs"
                                                              25⤵
                                                                PID:1956
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a6ed68-6735-40af-8d34-99402f6b840f.vbs"
                                                            23⤵
                                                              PID:876
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529bb12d-1139-4070-a213-6d9ad6b33bc0.vbs"
                                                          21⤵
                                                            PID:692
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f613f50-abd1-4cfe-81d0-faa66d0e2e28.vbs"
                                                        19⤵
                                                          PID:1612
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\261925f6-6af8-45c4-9189-d5062fafb6af.vbs"
                                                      17⤵
                                                        PID:2128
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c895f7-7ddd-4f72-88aa-26c99bc11852.vbs"
                                                    15⤵
                                                      PID:2980
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9532bd60-98be-479a-9cca-4ee604e71775.vbs"
                                                  13⤵
                                                    PID:1004
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13de8598-1970-4cdb-bf8b-a0cf07f172fb.vbs"
                                                11⤵
                                                  PID:2456
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1bba51-4598-4346-867e-bc27b931b052.vbs"
                                              9⤵
                                                PID:376
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13235e3b-5853-440b-8e2d-fe7be00effc0.vbs"
                                            7⤵
                                              PID:1584
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1748ffc4-589c-40d8-8023-a1fc8fdf5eed.vbs"
                                          5⤵
                                            PID:1724
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8d12bde-4c92-40be-a1f3-f444f1bc42ce.vbs"
                                        3⤵
                                          PID:2812
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2468
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1984
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2456
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2184
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2136
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1564
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1576
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2688
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2696
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1688
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1804
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1948
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\Idle.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2308
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2284
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1752
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1580
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2204
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2920
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1484
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1284
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2148
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\lsass.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:3048
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1332
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1996
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2132
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1144
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:600
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:708
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:584
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1328
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1796
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1800
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1508
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2084
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1124
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2924
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:328
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:844
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1236
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1448
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1808
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:404
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:916
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:944
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2212
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2656
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2720
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2264
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2252
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2980
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1444

                                    Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Temp\1188a621-1c37-415f-9b96-46a5e1158491.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\1cf90a72-e69c-4d82-8cbe-4c6aa7d2eaae.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\1ff4f7e3-b8ee-4441-b99d-5c374ca374c7.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\3599326a-1a0e-4ad7-810e-3bcd8da406a6.vbs

                                            Filesize

                                            732B


                                          • C:\Users\Admin\AppData\Local\Temp\72bc2190-991d-4af2-9504-771f8f98330e.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\7ed21885-4349-48cd-bed1-31f6a117e8b4.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\91050917-5450-4104-9851-fb0444b75dd3.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\994c7646-6dab-4c30-82f5-c12318bb2061.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\a2291065-7bfd-472a-bdb1-b4d09df2dc13.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\a3bb2515-afd2-4046-9fc9-54a692cb84e3.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\ec9f3e96-16f8-462e-9b78-c6fd8138ac96.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\f40e772a-27fe-49f0-bfd7-0765d08d25a4.vbs

                                            Filesize

                                            733B


                                          • C:\Users\Admin\AppData\Local\Temp\f8d12bde-4c92-40be-a1f3-f444f1bc42ce.vbs

                                            Filesize

                                            509B


                                          • C:\Windows\ShellNew\Idle.exe

                                            Filesize

                                            3.2MB



                                          • memory/2920-115-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

                                            Filesize

                                            9.9MB

                                          • memory/2920-104-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

                                            Filesize

                                            9.9MB

                                          • memory/3040-203-0x000007FEF4DA0000-0x000007FEF578C000-memory.dmp

                                            Filesize

                                            9.9MB

                                          • memory/3040-202-0x00000000001D0000-0x0000000000500000-memory.dmp

                                            Filesize

                                            3.2MB

                                          • memory/3040-204-0x000000001B200000-0x000000001B280000-memory.dmp

                                            Filesize

                                            512KB

                                          • memory/3040-205-0x0000000000B10000-0x0000000000B22000-memory.dmp

                                            Filesize

                                            72KB