Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 05:55

General

  • Target

    2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe

  • Size

    4.9MB

  • MD5

    fa51bf709923fc828149634c38cd60e0

  • SHA1

    c6ff8deac79ee442ec3fd2bd034264f07f9964a1

  • SHA256

    2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8

  • SHA512

    e46cc7817882abacb5096fa0192d9fbc0fa778bfd4128da6a59e522645321558f15e7765d6aba73707bbf4647008d395ffeb76723f6043bd06b56eec06f07dbd

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS, first seen in August 2021.

  • Colibri family
  • DcRat 63 IoCs

    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 60 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 39 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 11 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
    "C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4052
    • C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
      "C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4108
      • C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe"
          4⤵
          • Executes dropped EXE
          PID:4012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Pz8Ynvt3a.bat"
        3⤵
          PID:1664
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            4⤵
              PID:3852
            • C:\Program Files\Windows Portable Devices\services.exe
              "C:\Program Files\Windows Portable Devices\services.exe"
              4⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:4980
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50892823-17cd-433c-823b-f4495ab15f83.vbs"
                5⤵
                  PID:5048
                  • C:\Program Files\Windows Portable Devices\services.exe
                    "C:\Program Files\Windows Portable Devices\services.exe"
                    6⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:4648
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d4f9d47-b665-44be-9ff4-c7e1a53a3e66.vbs"
                      7⤵
                        PID:2384
                        • C:\Program Files\Windows Portable Devices\services.exe
                          "C:\Program Files\Windows Portable Devices\services.exe"
                          8⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2784
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37887128-9004-4969-b8e1-cb3c4caab28b.vbs"
                            9⤵
                              PID:4840
                              • C:\Program Files\Windows Portable Devices\services.exe
                                "C:\Program Files\Windows Portable Devices\services.exe"
                                10⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:4224
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3076b75-73cc-4e7e-80ec-18db6d795930.vbs"
                                  11⤵
                                    PID:4396
                                    • C:\Program Files\Windows Portable Devices\services.exe
                                      "C:\Program Files\Windows Portable Devices\services.exe"
                                      12⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:4416
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c6e380-2b2e-46aa-9b66-b9ac69616eb9.vbs"
                                        13⤵
                                          PID:968
                                          • C:\Program Files\Windows Portable Devices\services.exe
                                            "C:\Program Files\Windows Portable Devices\services.exe"
                                            14⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:4456
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eefb4c54-01ec-44a2-a03e-810060deeff5.vbs"
                                              15⤵
                                                PID:4188
                                                • C:\Program Files\Windows Portable Devices\services.exe
                                                  "C:\Program Files\Windows Portable Devices\services.exe"
                                                  16⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:4792
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dde63b9-6159-4cb8-9d11-507b1669fc6f.vbs"
                                                    17⤵
                                                      PID:2104
                                                      • C:\Program Files\Windows Portable Devices\services.exe
                                                        "C:\Program Files\Windows Portable Devices\services.exe"
                                                        18⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:3696
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc5f3b0-a542-439a-8e1e-4366032bd071.vbs"
                                                          19⤵
                                                            PID:1752
                                                            • C:\Program Files\Windows Portable Devices\services.exe
                                                              "C:\Program Files\Windows Portable Devices\services.exe"
                                                              20⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:2516
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d001f2d0-ddb2-4edc-910c-7b4b06980ab1.vbs"
                                                                21⤵
                                                                  PID:1052
                                                                  • C:\Program Files\Windows Portable Devices\services.exe
                                                                    "C:\Program Files\Windows Portable Devices\services.exe"
                                                                    22⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:892
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b83a6f-0cc6-4003-9a01-9d2f19d27903.vbs"
                                                                  21⤵
                                                                    PID:4356
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4852
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      PID:3256
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6dd203d-5ade-40fc-8495-3b34ffcb7fd1.vbs"
                                                                19⤵
                                                                  PID:4108
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3004
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2384
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      PID:2776
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b46131-d61b-4093-bfa8-218e1c530f94.vbs"
                                                              17⤵
                                                                PID:3532
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe"
                                                                17⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1440
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  PID:2404
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d371f8d-c770-4dbd-b50d-e2684a07c1ab.vbs"
                                                            15⤵
                                                              PID:2732
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe"
                                                              15⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3344
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe"
                                                                16⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4444
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe"
                                                                  17⤵
                                                                  • Executes dropped EXE
                                                                  PID:2040
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ec6c27e-3cfb-43f6-af2f-ba9effc0a8f8.vbs"
                                                          13⤵
                                                            PID:2092
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe"
                                                            13⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1372
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe"
                                                              14⤵
                                                              • Executes dropped EXE
                                                              PID:1912
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2789fbf3-fa06-415e-9725-3785a8db44a9.vbs"
                                                        11⤵
                                                          PID:4892
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe"
                                                          11⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3532
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe"
                                                            12⤵
                                                            • Executes dropped EXE
                                                            PID:2624
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34beb3eb-3379-4885-9abf-cad954c3f90e.vbs"
                                                      9⤵
                                                        PID:3788
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
                                                        9⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3004
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3792
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1552
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
                                                              12⤵
                                                              • Executes dropped EXE
                                                              PID:1944
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e08dffcf-b32c-4f33-9290-0312b8982c03.vbs"
                                                    7⤵
                                                      PID:2444
                                                    • C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
                                                      7⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:5016
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
                                                        8⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3516
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
                                                          9⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2056
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            PID:2032
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\916b4a8f-6970-4620-b88e-9e1887bc7626.vbs"
                                                  5⤵
                                                    PID:2800
                                                  • C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2944
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:2260
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Recent\MusNotification.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:216
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Admin\Recent\MusNotification.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4100
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\MusNotification.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2736
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1496
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:672
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4416
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3632
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1172
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2440
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4892
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4436
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1924
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4924
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3260
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4836
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1840
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2684
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4216
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3220
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1368
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2480
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2140
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4676
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3852
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4532
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:848
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2236
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4980
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2064
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4544
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2984
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4388
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\explorer.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4964
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1916
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3588
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1628
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4920
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\WaaSMedicAgent.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:920
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2732
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\WaaSMedicAgent.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4152
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3680
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4740
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\SearchApp.exe'" /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\SearchApp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\SearchApp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • DcRat
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3812

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            bbb951a34b516b66451218a3ec3b0ae1

                                            SHA1

                                            7393835a2476ae655916e0a9687eeaba3ee876e9

                                            SHA256

                                            eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                                            SHA512

                                            63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            4a667f150a4d1d02f53a9f24d89d53d1

                                            SHA1

                                            306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                            SHA256

                                            414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                            SHA512

                                            4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            6d3e9c29fe44e90aae6ed30ccf799ca8

                                            SHA1

                                            c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                            SHA256

                                            2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                            SHA512

                                            60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            a8e8360d573a4ff072dcc6f09d992c88

                                            SHA1

                                            3446774433ceaf0b400073914facab11b98b6807

                                            SHA256

                                            bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                            SHA512

                                            4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            aaaac7c68d2b7997ed502c26fd9f65c2

                                            SHA1

                                            7c5a3731300d672bf53c43e2f9e951c745f7fbdf

                                            SHA256

                                            8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

                                            SHA512

                                            c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            457770e1c3411b3079598f94b3be7ab5

                                            SHA1

                                            4067100e8bb26ca1d34599e3a50e2f18d5d350c4

                                            SHA256

                                            b5ce065648d8c810cde1a8472424bb7b6fec867b14d72cec9c2e58cf6d8aca50

                                            SHA512

                                            54bdc0a2261fcbb2ebb8f29b102e5fc7b2af4d33bb82016c4187a01bfe92c522cbc38faa46614b24cdbce3f6eba4b44587ff007fca6961f95e0a34f0cc35d104

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            b4b6d4cc52b5a3a71149b1f33d94d5de

                                            SHA1

                                            97d3dbdd24919eab70e3b14c68797cefc07e90dd

                                            SHA256

                                            da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

                                            SHA512

                                            fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            7d9ecfe610b58440e18d2bffe5167d71

                                            SHA1

                                            7afeed064042ef5e614228f678a0c595699c3d84

                                            SHA256

                                            2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

                                            SHA512

                                            017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            3b444d3f0ddea49d84cc7b3972abe0e6

                                            SHA1

                                            0a896b3808e68d5d72c2655621f43b0b2c65ae02

                                            SHA256

                                            ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

                                            SHA512

                                            eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            06fd7257306cba6d58a43b20391a7308

                                            SHA1

                                            18c7b5aea005c71e490a6d41b3879531b3983a6d

                                            SHA256

                                            9e0012e95506b8d02ea9edc2060211f423b331aedeb312e13a349d5f11d9df21

                                            SHA512

                                            173d45f70a9bf048b35083787fa6108bd175a26601b3a9eb895c85956040a4d9a36ff50ff9f1e6eb8c731fe1d303485b6a5611669549f8be9fede77cd0789317

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            a9a7f35c006bbf5da72f9cb250ffbddb

                                            SHA1

                                            458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

                                            SHA256

                                            a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

                                            SHA512

                                            d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            a672fcf7facce635c83caf7b195d0bf8

                                            SHA1

                                            fec2f6c2456efe713ba08fa692a4a356f2f37ba8

                                            SHA256

                                            71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c

                                            SHA512

                                            12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            8320aeea03d40a74715d8b9613f9d0cc

                                            SHA1

                                            09fcf3cf06de496b434aaf3181f5aed78731425e

                                            SHA256

                                            54d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205

                                            SHA512

                                            7d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            b740f7616c3c3d006afd7e1586758eeb

                                            SHA1

                                            c465af4c07ecb9e3de239c410d3b2ed5de93cdde

                                            SHA256

                                            c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

                                            SHA512

                                            d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

                                          • C:\Users\Admin\AppData\Local\Temp\37887128-9004-4969-b8e1-cb3c4caab28b.vbs

                                            Filesize

                                            730B

                                            MD5

                                            279099b7e7f27f077253fcdab5f3d8aa

                                            SHA1

                                            837bbc9640bc3e1ed74936a8139e09eab5e12df7

                                            SHA256

                                            6135e100baa0ad46e59de998085a289b1ceebc9617dfed0f344008bacd4adce4

                                            SHA512

                                            57ed79d04c1d124b2ce50e7af53df23b594c5ce59501ff576c586f926882280f21ca927e62f29adc9d976527af3049e93ff791a32e4df94a0b22f35a88170ea1

                                          • C:\Users\Admin\AppData\Local\Temp\3d4f9d47-b665-44be-9ff4-c7e1a53a3e66.vbs

                                            Filesize

                                            730B

                                            MD5

                                            655b2434e4d88ba145963fcc62e43b04

                                            SHA1

                                            d1bbcf6d58eb22a3e6c13c4744001a08e4056811

                                            SHA256

                                            8a5b7111f8442514588ca22c2fa89b2875968fdeb5dcce8720a8ddb9c0b6086a

                                            SHA512

                                            f93992a6672c93d8ff5222df11b46343791d76b9720ad3680de47c6aec3d4e69db55b19cd05d77762dd2b8f3a763a5f1958ae27f2b98bdaf6906b2ec62477d49

                                          • C:\Users\Admin\AppData\Local\Temp\4Pz8Ynvt3a.bat

                                            Filesize

                                            219B

                                            MD5

                                            1ebb073a90b6aa1213b5ada2ce7afa88

                                            SHA1

                                            5cea88eab3fad84a252d03721df020fcaa2c82dd

                                            SHA256

                                            f8ca87fe7371ed5be04b65862002842dcb8905c13ef0967370c7b0ea178e456d

                                            SHA512

                                            20f7ae01b3e2308682686249d23c1dd848da12a22085c92c265ae168ee2a793a5a7cb7290848bc00ba1ad7edbcc2960973393dac23db3e2c8391eb606c277c74

                                          • C:\Users\Admin\AppData\Local\Temp\50892823-17cd-433c-823b-f4495ab15f83.vbs

                                            Filesize

                                            730B

                                            MD5

                                            21682ce4eedc90f91574b0eff470cffa

                                            SHA1

                                            89548af874c455fdd5a7f91d94b066bb22288a6b

                                            SHA256

                                            c13a56d796f5a27a705560e674967c86febe30acaa6dda6e64a062f0121c6bfc

                                            SHA512

                                            affaa285b9cc600d2faebb684ed6a736262af7dc3fd2795681f83837ef01179df2f7c6d6258f497685ccba784a1df1fda30b29072c50dea50c30c234968bf2e9

                                          • C:\Users\Admin\AppData\Local\Temp\916b4a8f-6970-4620-b88e-9e1887bc7626.vbs

                                            Filesize

                                            506B

                                            MD5

                                            74f0f8b0f9121ccaca68f3866685c465

                                            SHA1

                                            fd36b2a2277374ef2e59419bebc9894d60b75265

                                            SHA256

                                            4238bac8427aef82bfcd4583ef93bff8cf18ef696df0ba74cd445851a3aaf37b

                                            SHA512

                                            3bb2ffb953536f3ab5c602ccaa9986b9d8f2edfd5dd3bf892eddd1241efdce158e2c8d75133db69d004348340c757c90242d797bc178447c2ed14908b232c2a3

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_czgsorko.duw.ps1

                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          • C:\Users\Admin\AppData\Local\Temp\c3076b75-73cc-4e7e-80ec-18db6d795930.vbs

                                            Filesize

                                            730B

                                            MD5

                                            d8d22e9143480a75f11deecd067a6b46

                                            SHA1

                                            851ea76cf60e087893e35766ff35b9516b33f580

                                            SHA256

                                            98c16237c8483f60fa43507487965ca65af6299fa3a898a8ed6cbbf5fe657f0f

                                            SHA512

                                            61359f279e6464b7981e2161c710ed9015ce67f91b17078b947b2f255c07734adc61dd717867a415a3fa594a8011220ea087e8652ff59316979716dc41d9b494

                                          • C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe

                                            Filesize

                                            75KB

                                            MD5

                                            e0a68b98992c1699876f818a22b5b907

                                            SHA1

                                            d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                            SHA256

                                            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                            SHA512

                                            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MusNotification.exe
                                            Filesize: 4.9MB
                                            MD5: fa51bf709923fc828149634c38cd60e0
                                            SHA1: c6ff8deac79ee442ec3fd2bd034264f07f9964a1
                                            SHA256: 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8
                                            SHA512: e46cc7817882abacb5096fa0192d9fbc0fa778bfd4128da6a59e522645321558f15e7765d6aba73707bbf4647008d395ffeb76723f6043bd06b56eec06f07dbd

                                          • memory/2684-74-0x000002347DE40000-0x000002347DE62000-memory.dmp
                                            Filesize: 136KB

                                          • memory/3504-15-0x000000001B470000-0x000000001B47E000-memory.dmp
                                            Filesize: 56KB

                                          • memory/3504-10-0x000000001B430000-0x000000001B43A000-memory.dmp
                                            Filesize: 40KB

                                          • memory/3504-18-0x000000001B4A0000-0x000000001B4AC000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3504-17-0x000000001B490000-0x000000001B498000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3504-0-0x00007FF97C103000-0x00007FF97C105000-memory.dmp
                                            Filesize: 8KB

                                          • memory/3504-16-0x000000001B480000-0x000000001B488000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3504-13-0x000000001B450000-0x000000001B45A000-memory.dmp
                                            Filesize: 40KB

                                          • memory/3504-14-0x000000001B460000-0x000000001B46E000-memory.dmp
                                            Filesize: 56KB

                                          • memory/3504-1-0x0000000000140000-0x0000000000634000-memory.dmp
                                            Filesize: 5.0MB

                                          • memory/3504-12-0x000000001C170000-0x000000001C698000-memory.dmp
                                            Filesize: 5.2MB

                                          • memory/3504-11-0x000000001B440000-0x000000001B452000-memory.dmp
                                            Filesize: 72KB

                                          • memory/3504-162-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp
                                            Filesize: 10.8MB

                                          • memory/3504-8-0x00000000028C0000-0x00000000028D6000-memory.dmp
                                            Filesize: 88KB

                                          • memory/3504-9-0x00000000028E0000-0x00000000028F0000-memory.dmp
                                            Filesize: 64KB

                                          • memory/3504-5-0x000000001B3D0000-0x000000001B420000-memory.dmp
                                            Filesize: 320KB

                                          • memory/3504-6-0x00000000028A0000-0x00000000028A8000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3504-7-0x00000000028B0000-0x00000000028C0000-memory.dmp
                                            Filesize: 64KB

                                          • memory/3504-4-0x0000000000FD0000-0x0000000000FEC000-memory.dmp
                                            Filesize: 112KB

                                          • memory/3504-3-0x000000001B510000-0x000000001B63E000-memory.dmp
                                            Filesize: 1.2MB

                                          • memory/3504-2-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp
                                            Filesize: 10.8MB

                                          • memory/4108-182-0x000000001BAC0000-0x000000001BAD2000-memory.dmp
                                            Filesize: 72KB

                                          • memory/4832-57-0x0000000000400000-0x0000000000407000-memory.dmp
                                            Filesize: 28KB