Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 18:49

General

  • Target

    00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    00195dc23ea8cc5cb728c411f684ff40

  • SHA1

    604a8ca144781805d4ea73de01caee8ba98c176d

  • SHA256

    5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1

  • SHA512

    218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

  • SSDEEP

    98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WemxlMlzgx.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1744
        • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
          "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:292
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11bd8d8e-5f79-49ad-9a25-3074162a2abf.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
              C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1652
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfda475f-2f34-4728-a1d6-2d92b6bc2c2b.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2132
                • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                  C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1296
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0418a95-c32e-46f8-97bf-798fdf835b7d.vbs"
                    8⤵
                      PID:624
                      • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                        C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2516
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df84f95f-ec81-487a-b75b-d4aca1324777.vbs"
                          10⤵
                            PID:2148
                            • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                              C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:832
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59d5f118-5d7b-43e3-a13b-6ac94899590a.vbs"
                                12⤵
                                  PID:1892
                                  • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                    C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2412
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a64e887-0dd6-46b0-b021-25d984d2b0e3.vbs"
                                      14⤵
                                        PID:1080
                                        • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                          C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2100
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52909b4a-e230-4366-8221-a79f0145ee77.vbs"
                                            16⤵
                                              PID:1700
                                              • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2060
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a1c5c7-9e11-4be1-9136-ac42a59bfc5e.vbs"
                                                  18⤵
                                                    PID:624
                                                    • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                      C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2688
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eae11ce-2f49-4c9a-9e5f-e6e0b98509c4.vbs"
                                                        20⤵
                                                          PID:548
                                                          • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                            C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2488
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c8fe3fa-cc26-47f2-9912-795cb7d005e0.vbs"
                                                              22⤵
                                                                PID:1548
                                                                • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                                  C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:764
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636ddb08-054b-43cc-825e-c4c27dc20f4c.vbs"
                                                                    24⤵
                                                                      PID:1840
                                                                      • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                                        C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
                                                                        25⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:1936
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f44a2b8-d14b-4570-a8d1-94be2589060a.vbs"
                                                                          26⤵
                                                                            PID:328
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72c32c4d-a8ce-4c04-8ce9-e2500e150198.vbs"
                                                                            26⤵
                                                                              PID:2424
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d661e586-38cc-4004-8e1a-50317f4d462e.vbs"
                                                                          24⤵
                                                                            PID:1824
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f71d630-4cf3-4b42-a801-d995437f1824.vbs"
                                                                        22⤵
                                                                          PID:2380
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a4e855f-3ca1-40c1-b612-5afdd744f45c.vbs"
                                                                      20⤵
                                                                        PID:2672
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14e8519e-9755-47f7-934f-438909566f85.vbs"
                                                                    18⤵
                                                                      PID:536
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f55d8b27-1e83-4965-afae-959964428edb.vbs"
                                                                  16⤵
                                                                    PID:1888
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8185cbae-530e-4313-9dac-c2dd5cb84acc.vbs"
                                                                14⤵
                                                                  PID:1784
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac2c65eb-b9d2-4050-b202-06475ddd8edb.vbs"
                                                              12⤵
                                                                PID:2640
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f2bfd6-feb7-498d-8f91-14befed056b4.vbs"
                                                            10⤵
                                                              PID:1932
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa0e89d-56e1-4b72-a662-04199387ea97.vbs"
                                                          8⤵
                                                            PID:2736
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b37a851-7dff-4ee2-b97a-2c9cecaae4d6.vbs"
                                                        6⤵
                                                          PID:2976
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecb2cc2-cb81-47ef-83bf-c14eecd62923.vbs"
                                                      4⤵
                                                        PID:1576
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2756
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2664
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2492
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2732
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2580
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2460
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2544
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2960
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1668
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1444
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2268
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2164
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1616
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2144
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1588
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2176
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1492
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2112
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2536
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2452
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1160
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2804
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2556
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2828
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1848
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3068
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2856
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:688
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:872
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1420
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1772
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:812
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1092
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\services.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2896
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2340
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2432

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe

                                                  Filesize

                                                  3.2MB

                                                • C:\Program Files\Internet Explorer\winlogon.exe

                                                  Filesize

                                                  3.2MB

                                                • C:\Program Files\Windows Defender\it-IT\spoolsv.exe

                                                  Filesize

                                                  3.2MB

                                                • C:\Program Files\Windows Media Player\Network Sharing\lsm.exe

                                                  Filesize

                                                  3.2MB

                                                • C:\Users\Admin\AppData\Local\Temp\11bd8d8e-5f79-49ad-9a25-3074162a2abf.vbs

                                                  Filesize

                                                  735B

                                                • C:\Users\Admin\AppData\Local\Temp\4a64e887-0dd6-46b0-b021-25d984d2b0e3.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\52909b4a-e230-4366-8221-a79f0145ee77.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\59d5f118-5d7b-43e3-a13b-6ac94899590a.vbs

                                                  Filesize

                                                  735B

                                                • C:\Users\Admin\AppData\Local\Temp\5eae11ce-2f49-4c9a-9e5f-e6e0b98509c4.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\5ecb2cc2-cb81-47ef-83bf-c14eecd62923.vbs

                                                  Filesize

                                                  512B

                                                • C:\Users\Admin\AppData\Local\Temp\636ddb08-054b-43cc-825e-c4c27dc20f4c.vbs

                                                  Filesize

                                                  735B

                                                • C:\Users\Admin\AppData\Local\Temp\6c8fe3fa-cc26-47f2-9912-795cb7d005e0.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\6f44a2b8-d14b-4570-a8d1-94be2589060a.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\WemxlMlzgx.bat

                                                  Filesize

                                                  225B

                                                • C:\Users\Admin\AppData\Local\Temp\bfda475f-2f34-4728-a1d6-2d92b6bc2c2b.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\d0418a95-c32e-46f8-97bf-798fdf835b7d.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\d3a1c5c7-9e11-4be1-9136-ac42a59bfc5e.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Local\Temp\df84f95f-ec81-487a-b75b-d4aca1324777.vbs

                                                  Filesize

                                                  736B

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\services.exe

                                                  Filesize

                                                  3.2MB


                                                  56KB

                                                • memory/2424-26-0x000000001A9B0000-0x000000001A9B8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2424-25-0x000000001A9A0000-0x000000001A9AE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                • memory/2424-24-0x000000001A980000-0x000000001A98A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/2424-231-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

                                                  Filesize

                                                  9.9MB

                                                • memory/2424-23-0x000000001A990000-0x000000001A998000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2424-22-0x0000000002570000-0x000000000257C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2424-21-0x0000000002560000-0x000000000256C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2424-20-0x0000000002550000-0x000000000255C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2424-19-0x0000000002540000-0x000000000254C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2424-18-0x0000000002510000-0x0000000002522000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2424-32-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

                                                  Filesize

                                                  9.9MB

                                                • memory/2424-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2424-15-0x0000000000C50000-0x0000000000C58000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2424-14-0x0000000000C40000-0x0000000000C4C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2424-13-0x00000000023C0000-0x0000000002416000-memory.dmp

                                                  Filesize

                                                  344KB

                                                • memory/2424-12-0x0000000000A90000-0x0000000000A9A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/2424-11-0x0000000000C30000-0x0000000000C40000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/2424-10-0x0000000000A80000-0x0000000000A88000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2424-9-0x0000000000A60000-0x0000000000A76000-memory.dmp

                                                  Filesize

                                                  88KB

                                                • memory/2424-8-0x00000000004B0000-0x00000000004C0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/2424-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2424-1-0x0000000000C80000-0x0000000000FBC000-memory.dmp

                                                  Filesize

                                                  3.2MB

                                                • memory/2424-6-0x0000000000300000-0x000000000031C000-memory.dmp

                                                  Filesize

                                                  112KB

                                                • memory/2424-2-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

                                                  Filesize

                                                  9.9MB

                                                • memory/2424-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2424-4-0x00000000002E0000-0x00000000002EE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                • memory/2424-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                • memory/2488-375-0x000000001B0B0000-0x000000001B106000-memory.dmp

                                                  Filesize

                                                  344KB

                                                • memory/2688-363-0x0000000000AE0000-0x0000000000E1C000-memory.dmp

                                                  Filesize

                                                  3.2MB