Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-05-2024 19:23

General

  • Target

    1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    1553f67a0859a3057cde01f77db9dbc0

  • SHA1

    2cfe40d1fea16093e16c96a35f3240b98da9a5e1

  • SHA256

    a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

  • SHA512

    4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

  • SSDEEP

    49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
    • C:\Users\All Users\Start Menu\dwm.exe
      "C:\Users\All Users\Start Menu\dwm.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4684
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab7e06f9-2cc8-4039-a499-49e52af85ad2.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Users\All Users\Start Menu\dwm.exe
          "C:\Users\All Users\Start Menu\dwm.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3264
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81c5646d-102c-46e0-92fd-129b90595df8.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4148
            • C:\Users\All Users\Start Menu\dwm.exe
              "C:\Users\All Users\Start Menu\dwm.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3416
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6fc0a39-883a-46ff-a6d3-d13ba2e70843.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3424
                • C:\Users\All Users\Start Menu\dwm.exe
                  "C:\Users\All Users\Start Menu\dwm.exe"
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5056
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b745de3f-71bb-43d1-b5ee-dbf9a731a082.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2076
                    • C:\Users\All Users\Start Menu\dwm.exe
                      "C:\Users\All Users\Start Menu\dwm.exe"
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:1512
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\963ae9cf-215a-4c39-9f8a-a4cbef438161.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2956
                        • C:\Users\All Users\Start Menu\dwm.exe
                          "C:\Users\All Users\Start Menu\dwm.exe"
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:744
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32fa960-2f85-4070-ba3e-49aa4a739b40.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5004
                            • C:\Users\All Users\Start Menu\dwm.exe
                              "C:\Users\All Users\Start Menu\dwm.exe"
                              14⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:3712
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ca450c-7cd1-4794-aa05-82bfcf12046a.vbs"
                                15⤵
                                  PID:4768
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcdffa1d-bcbd-4b73-8a64-cced2c4b1fe6.vbs"
                                  15⤵
                                    PID:4004
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\811ad167-1cf8-4192-bfe4-82bbbbc5e7d3.vbs"
                                13⤵
                                  PID:4848
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6740a6cb-9ad3-4f11-9b0c-c00dfa9ff0d3.vbs"
                              11⤵
                                PID:1212
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fd181d3-d663-466c-8a85-35734ecdd0bb.vbs"
                            9⤵
                              PID:2196
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d351468d-da31-44c7-b7e8-b5ac0aa20c65.vbs"
                          7⤵
                            PID:3124
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35541dda-7271-4b45-900f-b19f5a04cf83.vbs"
                        5⤵
                          PID:2140
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eda212e0-b707-4135-b3ca-d394da60635d.vbs"
                      3⤵
                        PID:4424
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1116
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:2816
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:440
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1800
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4848
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:2216
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3112
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1580
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4408
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1068
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:968
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1220
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:744
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1100
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4688
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4380
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3916
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:2276
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\lsass.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:708
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\lsass.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4948
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\lsass.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1124
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1212
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:2508
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4856
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1744
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3372
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3288
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:2832
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3684
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4692
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\smss.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3100
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4360
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1552
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1288
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1064
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3744
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3780
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1816
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4804
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:244
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3612
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:116
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4988
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4352
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1912
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3104
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3656
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:4708
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3712
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:5000
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:2348
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:1312
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3640
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3080

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Program Files (x86)\Windows Photo Viewer\wininit.exe

                    Filesize

                    3.2MB

                  • C:\Program Files\dotnet\RCX716D.tmp

                    Filesize

                    3.2MB

                  • C:\ProgramData\Microsoft\Windows\Start Menu\dwm.exe

                    Filesize

                    3.2MB

                  • C:\Recovery\WindowsRE\RuntimeBroker.exe

                    Filesize

                    3.2MB

                  • C:\Recovery\WindowsRE\explorer.exe

                    Filesize

                    3.2MB

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

                    Filesize

                    1KB

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                    Filesize

                    2KB

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                  • C:\Users\Admin\AppData\Local\Temp\81c5646d-102c-46e0-92fd-129b90595df8.vbs

                    Filesize

                    713B

                  • C:\Users\Admin\AppData\Local\Temp\91ca450c-7cd1-4794-aa05-82bfcf12046a.vbs

                    Filesize

                    713B

                  • C:\Users\Admin\AppData\Local\Temp\963ae9cf-215a-4c39-9f8a-a4cbef438161.vbs

                    Filesize

                    713B

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2blqgxt4.u1e.ps1

                    Filesize

                    60B

                  • C:\Users\Admin\AppData\Local\Temp\ab7e06f9-2cc8-4039-a499-49e52af85ad2.vbs

                    Filesize

                    713B

                  • C:\Users\Admin\AppData\Local\Temp\b32fa960-2f85-4070-ba3e-49aa4a739b40.vbs

                    Filesize

                    712B

                  • C:\Users\Admin\AppData\Local\Temp\b745de3f-71bb-43d1-b5ee-dbf9a731a082.vbs

                    Filesize

                    713B

                  • C:\Users\Admin\AppData\Local\Temp\e6fc0a39-883a-46ff-a6d3-d13ba2e70843.vbs

                    Filesize

                    713B

                  • C:\Users\Admin\AppData\Local\Temp\eda212e0-b707-4135-b3ca-d394da60635d.vbs

                    Filesize

                    489B

                  • C:\Users\Admin\Music\TextInputHost.exe

                    Filesize

                    3.2MB

                  • C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe

                    Filesize

                    3.2MB

                  • C:\Windows\es-ES\fontdrvhost.exe

                    Filesize

                    3.2MB

                  • C:\Windows\es-ES\fontdrvhost.exe

                    Filesize

                    3.2MB
