Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-05-2024 23:06

General

  • Target

    7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

  • Size

    3.2MB

  • MD5

    5e11b7a6246841f5c8dc76aa757e0613

  • SHA1

    44125a86ecdd8fe8cb0261b4ce79b1fc4b61d639

  • SHA256

    7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf

  • SHA512

    2d8f81567cf50ec22fb577e01cdf123e2da0a13380691133a3f5e01fb989db37d3ff25fff12e5a3d8cd133d13e96c2bad14ae488ce2689e6fdb050fbb9252cf0

  • SSDEEP

    49152:/C0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:/C0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nv7qRJ8Umn.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2932
        • C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
          "C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2264
          • C:\Recovery\WindowsRE\WmiPrvSE.exe
            "C:\Recovery\WindowsRE\WmiPrvSE.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4996
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb341735-5d96-4d33-ab8c-b6d223bd93cb.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3504
              • C:\Recovery\WindowsRE\WmiPrvSE.exe
                C:\Recovery\WindowsRE\WmiPrvSE.exe
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3284
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a5bd386-a884-4ebb-b4d8-df69af331891.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4444
                  • C:\Recovery\WindowsRE\WmiPrvSE.exe
                    C:\Recovery\WindowsRE\WmiPrvSE.exe
                    8⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:3384
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369aa7c6-d159-4a5c-8ec3-bebb4e8f5ad5.vbs"
                      9⤵
                        PID:4420
                        • C:\Recovery\WindowsRE\WmiPrvSE.exe
                          C:\Recovery\WindowsRE\WmiPrvSE.exe
                          10⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:4380
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4eb19f-47ee-44e7-a069-3e810a6b1ed7.vbs"
                            11⤵
                              PID:2556
                              • C:\Recovery\WindowsRE\WmiPrvSE.exe
                                C:\Recovery\WindowsRE\WmiPrvSE.exe
                                12⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:4616
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8206dc9e-1ffd-45dc-9f06-025e1abb8a80.vbs"
                                  13⤵
                                    PID:1484
                                    • C:\Recovery\WindowsRE\WmiPrvSE.exe
                                      C:\Recovery\WindowsRE\WmiPrvSE.exe
                                      14⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:4884
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d30e4198-ba8a-4d3d-a7f6-146746088d34.vbs"
                                        15⤵
                                          PID:3288
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1531b260-323f-493d-8b6e-eeca1202d024.vbs"
                                          15⤵
                                            PID:4956
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dfc49b9-65ab-4af0-9156-8f3f64566363.vbs"
                                        13⤵
                                          PID:336
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c87b482-e98b-41f3-b9e8-dc20fef1b46f.vbs"
                                      11⤵
                                        PID:208
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ba33123-3150-4cac-be7b-54c0a19d2d7c.vbs"
                                    9⤵
                                      PID:2508
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32cbac8-972a-4df0-b639-b1890d7fc4c6.vbs"
                                  7⤵
                                    PID:3208
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cf99b23-3a8d-4f62-acb9-bd7ea0235e47.vbs"
                                5⤵
                                  PID:4672
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3576
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:556
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:780
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4820
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2016
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:516
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5076
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:1192
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3672
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3988
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:1748
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4896
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1080
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:4804
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1752
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4604
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1840
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4028
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4636
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4768
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:2888
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:3400
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:1568
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:464
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1412
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:1416
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:4672
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:3572
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3192
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1204
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4996
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2432
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:2312
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:3748
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:544
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4252
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:4508
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:3984
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4468
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4940
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5044
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:2952
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:680
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:2928
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3840
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4104
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4992
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1896
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:3972
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4060
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:640
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:836
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4000
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:3992
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\System.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3572
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          PID:3192
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:3880
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1948
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          PID:3644
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:3892
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2052
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1528
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4248
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
                          1⤵
                          • DcRat
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4468
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Creates scheduled task(s)
                          PID:4940
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • DcRat
                          • Creates scheduled task(s)
                          PID:3052
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\upfc.exe'" /f
                          1⤵
                          • Creates scheduled task(s)
                          PID:4820
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\CbsTemp\upfc.exe'" /rl HIGHEST /f
                          1⤵
                            PID:3576
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\upfc.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Creates scheduled task(s)
                            PID:3316
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
                            1⤵
                            • DcRat
                            • Creates scheduled task(s)
                            PID:4584
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            PID:1688
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                            • Creates scheduled task(s)
                            PID:2892
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /f
                            1⤵
                            • Creates scheduled task(s)
                            PID:2560
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Creates scheduled task(s)
                            PID:4812
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            PID:4960
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /f
                            1⤵
                            • DcRat
                            • Creates scheduled task(s)
                            PID:1908
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Creates scheduled task(s)
                            PID:4896
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                              PID:1932
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /f
                              1⤵
                                PID:564
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
                                1⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:1896
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
                                1⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:4452
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /f
                                1⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:1640
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f
                                1⤵
                                • Creates scheduled task(s)
                                PID:1840
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f
                                1⤵
                                • DcRat
                                • Creates scheduled task(s)
                                PID:1176
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                1⤵
                                  PID:220
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Creates scheduled task(s)
                                  PID:3472
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Creates scheduled task(s)
                                  PID:4060
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /f
                                  1⤵
                                    PID:3912
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f
                                    1⤵
                                      PID:1376
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      PID:3688
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f
                                      1⤵
                                        PID:5088
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        PID:624
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Creates scheduled task(s)
                                        PID:3416
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
                                        1⤵
                                        • DcRat
                                        PID:1604
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Creates scheduled task(s)
                                        PID:1256
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Creates scheduled task(s)
                                        PID:4576
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
                                        1⤵
                                        • DcRat
                                        • Creates scheduled task(s)
                                        PID:2788
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        PID:4116
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • DcRat
                                        • Creates scheduled task(s)
                                        PID:3340

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Program Files (x86)\Microsoft\Temp\wininit.exe

                                        Filesize

                                        3.2MB

                                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe

                                        Filesize

                                        3.2MB

                                      • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe

                                        Filesize

                                        3.2MB

                                      • C:\Program Files\Microsoft Office\root\vfs\services.exe

                                        Filesize

                                        3.2MB

                                      • C:\Program Files\Windows Portable Devices\fontdrvhost.exe

                                        Filesize

                                        3.2MB

                                      • C:\Recovery\WindowsRE\RCX71DC.tmp

                                        Filesize

                                        3.2MB

                                      • C:\Recovery\WindowsRE\eddb19405b7ce1

                                        Filesize

                                        871B

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe.log

                                        Filesize

                                        1KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

                                        Filesize

                                        1KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        855B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                      • C:\Users\Admin\AppData\Local\Temp\369aa7c6-d159-4a5c-8ec3-bebb4e8f5ad5.vbs

                                        Filesize

                                        710B

                                      • C:\Users\Admin\AppData\Local\Temp\4cf99b23-3a8d-4f62-acb9-bd7ea0235e47.vbs

                                        Filesize

                                        486B

                                      • C:\Users\Admin\AppData\Local\Temp\5a5bd386-a884-4ebb-b4d8-df69af331891.vbs

                                        Filesize

                                        710B

                                      • C:\Users\Admin\AppData\Local\Temp\8206dc9e-1ffd-45dc-9f06-025e1abb8a80.vbs

                                        Filesize

                                        710B

                                      • C:\Users\Admin\AppData\Local\Temp\Nv7qRJ8Umn.bat

                                        Filesize

                                        267B

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q544qyv5.4dx.ps1

                                        Filesize

                                        60B

                                      • C:\Users\Admin\AppData\Local\Temp\bb341735-5d96-4d33-ab8c-b6d223bd93cb.vbs

                                        Filesize

                                        710B

                                      • C:\Users\Admin\AppData\Local\Temp\cc4eb19f-47ee-44e7-a069-3e810a6b1ed7.vbs

                                        Filesize

                                        710B

                                      • C:\Users\Admin\AppData\Local\Temp\d30e4198-ba8a-4d3d-a7f6-146746088d34.vbs

                                        Filesize

                                        710B
