Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 16:22

General

  • Target

    682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

  • Size

    1.3MB

  • MD5

    f946ceb3dfbc4802323f045e77b9fc63

  • SHA1

    04beac37360d30c5ad933f82f80bfd41ae294cc4

  • SHA256

    682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a

  • SHA512

    7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

  • SSDEEP

    24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1

Malware Config

Signatures

  • DcRat 38 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
    "C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vfELjyVScz.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2772
        • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
          "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca00480-b941-467e-814a-54e522f61011.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
              "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2aeeca3-8f8c-4e6a-aeb7-915932e6733c.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                  "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3056
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a84003e-e153-42eb-917a-b1698cdd279e.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2212
                    • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                      "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2200
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d8087c-804b-42c6-822c-032b2c045633.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2524
                        • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                          "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                          11⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2992
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8612983c-c1d0-4543-a0f8-9ee2ffdb0cf3.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2956
                            • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                              "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                              13⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1832
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73c027d4-95f0-4263-bd90-d9667b145154.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2628
                                • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                  "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                  15⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:1856
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060c69e3-8922-45be-87e9-5f60534bf0fc.vbs"
                                    16⤵
                                      PID:2584
                                      • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                        "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                        17⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1556
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41176c31-eceb-404f-9920-3ce32e70f66c.vbs"
                                          18⤵
                                            PID:1752
                                            • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                              "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                              19⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2324
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010c95fe-4b29-480e-b68a-70f9e1cd6505.vbs"
                                                20⤵
                                                  PID:2304
                                                  • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                                    "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                                    21⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2176
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd8512e7-288f-4163-9b4c-17cfb37453ea.vbs"
                                                      22⤵
                                                        PID:2072
                                                        • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                                          "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                                          23⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2068
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b57db4fc-1272-4c1d-acff-efc70e4c0865.vbs"
                                                            24⤵
                                                              PID:2204
                                                              • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                                                "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                                                25⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1940
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d46d2ee3-0901-4a6a-bfe1-857dec79b0ce.vbs"
                                                                  26⤵
                                                                    PID:2652
                                                                    • C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
                                                                      "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                                                      27⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2948
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f377bc9c-4af4-4484-8c91-0c3bb510600d.vbs"
                                                                        28⤵
                                                                          PID:2244
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca71227-1d98-42f2-9124-b99e23a89185.vbs"
                                                                          28⤵
                                                                            PID:876
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f53e243-be3c-44fa-967b-a3fa1860f2e9.vbs"
                                                                        26⤵
                                                                          PID:1848
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55270971-521a-406d-bcbb-5adae37b2bc8.vbs"
                                                                      24⤵
                                                                        PID:1336
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868ba458-c979-44de-8de7-e263d8d060bc.vbs"
                                                                    22⤵
                                                                      PID:3028
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93a4c2c-d8bf-4594-a934-a8ab63102ec8.vbs"
                                                                  20⤵
                                                                    PID:1544
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bebe0fd3-b5fd-4c01-9e26-14bb44701e32.vbs"
                                                                18⤵
                                                                  PID:1632
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ceb8a9-9199-4256-8ff7-6afbe07971b6.vbs"
                                                              16⤵
                                                                PID:2044
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7791cc-2ebf-4afc-944d-31c3a9fd7c21.vbs"
                                                            14⤵
                                                              PID:2144
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944f4eeb-8be4-4ad3-a5f7-7043880dc520.vbs"
                                                          12⤵
                                                            PID:1012
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71150a3b-acf1-4c52-a97f-411fc764092e.vbs"
                                                        10⤵
                                                          PID:2384
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30d93118-9910-4ce8-95f5-9e15357e4c33.vbs"
                                                      8⤵
                                                        PID:2540
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c332152-d620-47f3-8682-65dd035cb045.vbs"
                                                    6⤵
                                                      PID:1652
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf9158c1-ec3f-472f-ad32-5d22e44c125c.vbs"
                                                  4⤵
                                                    PID:2348
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\System.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2152
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2708
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2804
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2608
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2716
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2624
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2764
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2644
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2028
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2192
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2932
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1616
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:768
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1492
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:772
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1948
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1032
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1132
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1008
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3056
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2132
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2696
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2412
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2268
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1556
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:408

                                            Network

                                            MITRE ATT&CK Enterprise v15


                                            Downloads

                                            • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe

                                              Filesize

                                              1.3MB


                                            • C:\Program Files\DVD Maker\WmiPrvSE.exe

                                              Filesize

                                              1.3MB


                                            • C:\Program Files\Windows Journal\ja-JP\spoolsv.exe

                                              Filesize

                                              1.3MB


                                            • C:\Users\Admin\AppData\Local\Temp\010c95fe-4b29-480e-b68a-70f9e1cd6505.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\060c69e3-8922-45be-87e9-5f60534bf0fc.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\2a84003e-e153-42eb-917a-b1698cdd279e.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\41176c31-eceb-404f-9920-3ce32e70f66c.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\6ca00480-b941-467e-814a-54e522f61011.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\73c027d4-95f0-4263-bd90-d9667b145154.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\75d8087c-804b-42c6-822c-032b2c045633.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\8612983c-c1d0-4543-a0f8-9ee2ffdb0cf3.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\b57db4fc-1272-4c1d-acff-efc70e4c0865.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\bf9158c1-ec3f-472f-ad32-5d22e44c125c.vbs

                                              Filesize

                                              568B


                                            • C:\Users\Admin\AppData\Local\Temp\c2aeeca3-8f8c-4e6a-aeb7-915932e6733c.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\d46d2ee3-0901-4a6a-bfe1-857dec79b0ce.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\f377bc9c-4af4-4484-8c91-0c3bb510600d.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\fd8512e7-288f-4163-9b4c-17cfb37453ea.vbs

                                              Filesize

                                              792B


                                            • C:\Users\Admin\AppData\Local\Temp\vfELjyVScz.bat

                                              Filesize

                                              281B


                                            • C:\Users\Default\System.exe

                                              Filesize

                                              1.3MB


                                            • C:\Windows\it-IT\System.exe

                                              Filesize

                                              1.3MB

