Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 19:26

General

  • Target

    c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

  • Size

    4.9MB

  • MD5

    6980bcd5d7d665f70f434120a1d20549

  • SHA1

    8104f0c2f92ecb1ab9c6700f14d56059a93a9465

  • SHA256

    c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

  • SHA512

    2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
    "C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:528
    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:668
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d015806-a357-46e9-9d1b-16d3edf85489.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
          "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:300
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e41770-5c20-4680-8ff0-71ce6e21c519.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1796
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17981d84-f810-4536-85d0-eb56b47e4f35.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2664
                • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1920
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6686a49-e032-409a-b57a-b6e61def7fb6.vbs"
                    9⤵
                      PID:316
                      • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2560
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\490eef33-e19c-4b6c-aaa1-2b454d8988c9.vbs"
                          11⤵
                            PID:2172
                            • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                              "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1908
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dae1d1f8-f02d-4e1f-85a8-54a7966966f2.vbs"
                                13⤵
                                  PID:2760
                                  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                                    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1468
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8a1d704-0eb4-4818-a1fd-6e9aa8193e1e.vbs"
                                      15⤵
                                        PID:1048
                                        • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                                          "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2648
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23295970-298a-4652-b9cd-fbe1b6993b84.vbs"
                                            17⤵
                                              PID:1480
                                              • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2284
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bbba736-84ec-469c-9497-b95e724624ba.vbs"
                                                  19⤵
                                                    PID:316
                                                    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe
                                                      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
                                                      20⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2524
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed3d9d57-4e4b-43d9-b649-a7db4b94461c.vbs"
                                                        21⤵
                                                          PID:1736
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e90a16-9586-462c-955c-b906aa2e6342.vbs"
                                                          21⤵
                                                            PID:2620
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d50a2d7-d0f3-4d84-a14b-35fc3be5eb83.vbs"
                                                        19⤵
                                                          PID:3040
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3700dc96-d3fb-4d1b-b5c0-4ec8553663e1.vbs"
                                                      17⤵
                                                        PID:1840
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1e48d94-b213-4bab-90cd-27a852085ed0.vbs"
                                                    15⤵
                                                      PID:2468
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18770b3b-c631-4969-bc34-783a1b7da434.vbs"
                                                  13⤵
                                                    PID:1808
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4e3d29-ac56-4b55-862b-148e0710945c.vbs"
                                                11⤵
                                                  PID:668
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210f373b-d67b-4778-b3f8-2fabcc98e34a.vbs"
                                              9⤵
                                                PID:468
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c0b2a5-cfa8-4e21-875c-b552d8c490ff.vbs"
                                            7⤵
                                              PID:1844
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15267901-d11d-4df9-8e90-7e27654c7037.vbs"
                                          5⤵
                                            PID:1688
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bfbfab-660b-4418-a64f-d73fb2673cd0.vbs"
                                        3⤵
                                          PID:3068
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\services.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2616
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\services.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2660
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\services.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3064
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:264
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:528
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1020
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1288
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2624
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2204
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1928
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1444
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:836
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\wininit.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2940
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1512
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2804
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1824
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2128
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1956
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2936
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2056
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1752
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1144
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1796
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2200
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3004
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2208
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2328
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2252
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2268
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1496
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\system\Idle.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:468
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1996
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1784
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\Idle.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1808
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2376
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2004
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\System.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1284
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2468
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1848
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1836
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2040
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2380
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:844
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2104
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:560

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\13e41770-5c20-4680-8ff0-71ce6e21c519.vbs

                                      Filesize

                                      750B

                                    • C:\Users\Admin\AppData\Local\Temp\17981d84-f810-4536-85d0-eb56b47e4f35.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\23295970-298a-4652-b9cd-fbe1b6993b84.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\2bbba736-84ec-469c-9497-b95e724624ba.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\490eef33-e19c-4b6c-aaa1-2b454d8988c9.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\9d015806-a357-46e9-9d1b-16d3edf85489.vbs

                                      Filesize

                                      750B

                                    • C:\Users\Admin\AppData\Local\Temp\b6686a49-e032-409a-b57a-b6e61def7fb6.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\c8a1d704-0eb4-4818-a1fd-6e9aa8193e1e.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\dae1d1f8-f02d-4e1f-85a8-54a7966966f2.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\e5bfbfab-660b-4418-a64f-d73fb2673cd0.vbs

                                      Filesize

                                      527B

                                    • C:\Users\Admin\AppData\Local\Temp\ed3d9d57-4e4b-43d9-b649-a7db4b94461c.vbs

                                      Filesize

                                      751B

                                    • C:\Users\Admin\AppData\Local\Temp\tmpA87F.tmp.exe

                                      Filesize

                                      75KB

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                      Filesize

                                      7KB

                                    • C:\Users\Admin\Favorites\wininit.exe

                                      Filesize

                                      4.9MB

                                    • C:\Windows\system\Idle.exe

                                      Filesize

                                      4.9MB
